How App Developers Leave the Door Open to NSA Surveillance

U.S. and U.K. surveillance of smartphone users has been helped by mobile developersfew of whom bother to adopt basic encryption.

News that the National Security Agency has for years harvested personal data leaked from mobile apps such as Angry Birds triggered a fresh wave of chatter about the extent of the NSAs reach yesterday. However the NSA and its U.K. equivalent, GCHQ, hardly had to break much technical ground to hoover up that data. Few mobile apps implement encryption technology to protect the data they send over the Internet, so the agencies could trivially collect and decode that data using their existing access to Internet networks.

Documents seen and published by the New York Times and Guardian newspapers show that the NSA and GCHQ can harvest information such as a persons age, location, and sexual orientation from the data sent over the Internet by apps. Such personal details are contained in the data that apps send back to the companies that maintain and support them. This includes data sent to companies that serve and target ads in mobile apps.

This is evidence of negligent levels of insecurity by app companies, says Peter Eckersly, technology projects director for the Electronic Frontier Foundation. Eckersly says his efforts to persuade companies to secure Web traffic shows widespread disregard for the risks of sending peoples data over the Internet without protections against interception. Most companies have no legitimate reason not to secure that data, says Eckersly. Often the security and privacy of their users is so far down the priority list that they havent even thought about doing it.

A 2012 study of 13,500 Android apps by researchers in Germany found that only 0.8 percent used encrypted connections exclusively, and that 43 percent use no encryption at all. Last week mobile app security company MetaIntell reported that 92 percent of the 500 most popular Android applications communicated some data insecurely.

It is often difficult to tell whether an app is using encryption or not to transmit data. Web browsers show a padlock icon next to a sites Web address if it is using encryption, but there is no such equivalent for mobile apps. Manually checking whether a mobile app is securing data transfers involves inspecting network logs to examine how an app is connecting to servers.

The documents published on Monday single out Google Maps as leaking particularly useful data for surveillance purposes. Documents from both the NSA and GCHQ note how search queries intercepted from this app can reveal a persons movements. A 2008 document from GCHQ states that a system set up to intercept that data effectively means that anyone using Google Maps on a smartphone is working in support of a G.C.H.Q. system.

Google made encryption the default for its Web search last September but does not publicize which of its mobile apps use encryption. A company spokesperson told MIT Technology Review that current versions of the Google Maps app use encryption to protect data sent back to the companys servers. That suggests intelligence agencies can no longer see the places people are searching for by intercepting Internet traffic.

The leaked documents also highlight how ad targeting technology built into many apps can leak personal information. Many app companies make use of technology from third party ad companies that collect and transmit ad-tracking and ad-targeting data (see Mobile-Ad Firms Seek New Ways to Track You and Get Ready for Ads That Follow You from One Device to the Next).

That data often contains profile data about a person, such as gender, approximate age, and location. A 2012 GCHQ report details technology designed to pluck such profiles from the data transmitted by the game Angry Birds. MetaIntells analysis of the current Android version of that app found that it sends unencrypted data to AdMob, the mobile ad company owned by Google. The 2012 report also singles out ad company Millennial, which compiles profiles that can also include a persons ethnicity, marital status, and sexual orientation. A spokesperson for Millennial told MIT Technology Review that the company only gets to see data that its partners have permission to collect from their users and that ads are not targeted based on sexual orientation.

Here is the original post:
How App Developers Leave the Door Open to NSA Surveillance