A recent study found more than 200 mobile websites and apps including AMC Cinemas in Hong Kong, Royal Mail, Fox Sports Australia, SNCF and Thalys were leaking personally identifiable information.
The vast majority of the leaks included sensitive information such as email/username, 90 percent, and password/hash, 86 percent, and more than 59 percent of all leaks identified were from industries including News, Sports, Business, Industry and Shopping, according to the Wandera Mobile Leak Report 2017.
The report's intent is to highlight how much threat vectors vary and to show how many categories of apps and sites are affected for example, 80 percent of the top 50 adult sites were found to be leaking some sort of PII and 28 percent of identified data leaks were from Travel, Entertainment, Lifestyle and Technology based apps and/or websites.
Data leaks can also come from unexpected sources which are widely used and considered secure. Social media usage accounted for 30 percent of data usage yet nearly 2 percent of the data leaks originated from social media.
The leaks were identified on devices located in more than 20 countries, and the mobile websites and apps represented span across more than a dozen categories, the report said.
To combat the leaks, researchers said the most practical response from executive teams would be “to routinely monitor the data that flows to and from each individual device, identify potential security gaps and dynamically respond through policy actions that help to manage the risk while simultaneously ensuring that employees stay productive.”
The fact that the data leaks were so broad and spanned so many geographies was disturbing, Wandera Vice President Michael Covington told SC Media via emailed comments. I
“In my opinion, the most surprising discovery in this report was the fact that so many mainstream apps were leaking the private information of the users and organizations that trusted them with this data in the first place,” Covington said. “This clearly is not a problem that is isolated to a particular category or service domain.”
He said the most common reasons that apps leaked sensitive data is because the developer failed to utilize encryption, either entirely or correctly. To combat these leaks, Covington said companies with apps and online services should have a security development life cycle practice that considers security and privacy requirements early in the development process. In addition, these organization should also be doing thorough security audits on a regular basis.
“We have found many inconsistencies with the services being delivered to mobile devices by these companies; our working assumption has been that they prioritize time-to-market over security,” Covington said. “App development is outsourced by many companies as they try to get something to customers before a competitor.”
Hackers wouldn't need a particularly broad skillset in order to glean the data emitting form these apps and sites with some techniques taking as little as 15 minutes such as a man-in-the-middle attack using a $100 toll kit that take over an intercept data from Wi-Fi networks.
“If mobility teams walk away with one thing after reading this report, I hope it is a realization of how critical end-to-end visibility can be when assessing security risk,” Covington said. “If organizations have no visibility at the data level of how the corporate mobile device fleet is being used, their data could be at extreme risk.”