How The NSA Is Turning Your Apps Against You

Feb 14, 2014 1:02 PM EST

In late January, leaked documents revealed that the NSA and other national spy organizations have been hard at work getting information from your smartphone. But instead of installing a bug, they just tapped into the apps already on your phone to learn everything they want to know.

An Angry Bird Told Me
According to reports, spy organizations are looking to so-called "leaky apps" to gather information. It's a term we've used quite often in our Mobile Threat Monday stories, one that Lookout's Principal Security Researcher Marc Rogers defines as "Any app which is passing any kind of sensitive information without encryption."

You might be surprised that this definition encompasses many of the apps available in both the Android and iOS app stores. That's because many of these apps use third-party advertising platforms to help monetize their apps. Sometimes you can see the ads right in the app, as in Flappy Bird. The developer gets a cut, and you get a game for free.

But even when you don't see any ads, app developers often include code from advertisers that quietly collects information about you and your device. This information is compiled and dissected by advertisers to help better target their ads. "The more information [advertisers] have about someone, the more accurate their marketing profile will be," explained Bitdefender's Senior E-threat Specialist, Bogdan Botezatu.

"For advertisers," explained Lookout's Rogers, "there's gold in predicting what to put on that will engage with users." This could be products and services that are closer to your interest, or are available in your area. If you lived in Osaka, for instance, you probably wouldn't be too interested in learning about cheap cars in Chicago.

Advertisers and marketers are typically after identifiable information—that is, some way to connect your device to you. A device's IMEI number, Apple ID, or some other identifier will do, but emails and phone numbers are particularly prized. With this information, advertisers can determine that the same person has downloaded different apps and glean how they are used on different devices. Other advertisers are more aggressive, and try to get your geolocation information, and more.

To give an example of how far-reaching advertiser SDK information can be, Botezatu compared these SDKs to the Android remote access Trojan profiled by Bitdefender. Once installed on a victim's phone, it gives total control to an attacker, letting them steal contacts, access browser history, and track the victim. "Most people respond negatively to AndroRAT when I show them I can turn on the microphone," he said. "Short of that, that's what happens with most advertising SDKs."

It's not entirely clear what the NSA is using intercepted app information for, but it's likely similar to advertisers: building up detailed profiles on individuals from disparate information. Of course, it could be used in other ways. Botezatu imagines a scenario where protestors were rioting in the streets against an oppressive government. If this imaginary government had unfettered access to location information harvested by advertisers, they could determine who was in the riot and target them or their families for retaliation.

Leaky Pipes
As Rogers said, an app is only leaky if it tries to send information without encryption. Unfortunately, many of them have opted not to encrypt the information flowing from apps on your phone and on to advertisers' servers. "Anybody who is listening on the router or the network can snoop on the app data and make a copy," said Botezatu.

While we've seen instances of spy agencies snooping on routers and Wi-Fi networks, Rogers says it's a bigger issue. "Government organizations are in a position to leverage infrastructure in a way nobody else can. A bad guy can get a clutch of data, but governments can straddle the entire internet."

Sending reams of data to advertisers isn't always better than having them intercepted by the NSA. Botezatu pointed out that once data leaves your device, you have no control over it. "Those advertisers may be in a place where there is no legislation protecting your data, and nobody can guarantee that the information on those servers is secured or unreachable to hackers."

Who's To Blame
In many cases, the app's developer may not even be aware of what information is being sucked up by advertisers, or whether that information is encrypted.

Rogers says that a big part of the problem is an industry misconception about what makes data sensitive. Some apps, he explained, only take a little bit of information—like a sexual preference in a dating app or part of a ZIP code in another app—without concern. Advertisers don't see this information as sensitive because alone it doesn't tell you a whole lot. But now organizations like the NSA can intercept data from hundreds of apps at once, and connect the dots. "Government organizations can correlate all that and build a complete profile," said Rogers.

There are also issues with the software development kits used by advertisers to gather this information. Botezatu explained that while there are millions of apps in all the mobile marketplaces, the number of advertising SDKs is very small. "There are about 100 powering all the applications on Google Play," he explained. "If you compromise one, you compromise a full range of applications and reach out to many more customers."

Customers (that's you and me) also play a part in this because we're actually warned by our phones that this information is being collected. When you download an app from Google Play, for example, you agree to give the app access to a range of permissions. This is information that the app can access, and actions it can carry out. "If Angry Birds is using your location, you can assume it's being used for advertising somehow," said Rogers.

How to Stay Safe
For folks like us, the options for limiting who sees our information are few. On iPhone, you can force advertisers to access an "advertising ID" which you can refresh at any time—limiting how complete a profile could be constructed. iOS also lets you provide granular permissions to information. You can allow access to your location, and then turn it off later from the Settings menu.

Unfortunately, Android has lagged behind with granular permissions. Though Google briefly introduced a control panel to let you toggle permissions on and off, it was quickly removed. This means that many users have to choose between security and getting to play with the latest app. "When I see an application that tries to collect more data than it needs, I go for another app with similar functionalities," said Botezatu.

Users can also install security software that can help monitor app permissions. Lookout says that their security app will start highlighting this information, and Bitdefender's Clueful app can help you decide whether an app is asking for too much.

Rogers concedes that "the user is far removed from what an app developer agrees to do with their advertisers." However, he did recommend that users demand that app developers provide documentation like privacy and disclosure policies.

The onus, sadly, is on developers and advertisers to start treating all user information as sensitive and encrypt it from when it leaves your phone to when it's sitting on their servers. Consumers, meanwhile, need to make smart decisions about what apps they install and actively hold developers accountable. "We're hearing every day that new things are being spied on, but at least in this one case there is an easy remedy," said Rogers.

PC MAGAZINE
