Angry Birds data leaks
Angry Birds was one of the apps which the NSA and GCHQ is accused of piggybacking on to steal user data.

According to the Guardian, both the NSA and GCHQ have developed capabilities to take advantage of "leaky" smartphone apps, including personal details such as age, gender and location.

The information, released by whistleblower Edward Snowden, is reportedly a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities.

Although what is leaked is dependent on what profile information a user had supplied, Snowden's documents suggest that the NSA would be able to collect almost every key detail of a user's life: including home country, current location (through geolocation), age, gender, zip code, marital status, income, ethnicity, sexual orientation, education level and number of children.

Also, some app platforms allow identifying information such as exact handset model, the unique ID of the handset, software version and similar details to be transmitted.

Valid targets

Among the apps named are Rovio, the maker of Angry Birds, who denied any knowledge of any NSA or GCHQ programs, looking to extract data from its apps users, or any involvement with the agencies.

The NSA said its phone interception techniques are only used against valid targets, and are subject to stringent legal safeguards. It declined to respond to a series of queries on how routinely capabilities against apps were deployed, or on the specific minimisation procedures used to prevent US citizens' information being stored through such measures. GCHQ declined to comment on any of its specific programs, but stressed all of its activities were proportional and complied with UK law.

Research from Zscaler found that free applications often require personal information to be surrendered as they may allow a user to be monitored, for sensitive information to potentially be viewed and compromised.


Its director of security research Michael Sutton, said: "A free app wants to deliver meaningful advertisements, so the app will grab whatever it can to track that device, not the person, and if the same advertising SDK is used on many apps it can track that same device. So it can create a profile of me and deliver meaningful ads. Some people don't care about that, but some people don't like it at all as it tracks me and my behaviour."

Commenting on the leaky apps revelations, Sutton said that app store gatekeepers such as Apple, Google and Amazon focus on ensuring that malicious apps aren't included in their app stores, they tend to do a very poor job at filtering out those apps that expose users to privacy risks.

"This is in part driven by the very economy of the app store eco-system. The bulk of apps are free, but develops need to turn a profit somehow. That's generally done by embedding advertising and sharing metrics with advertisers about user behaviour, better enabling advertisers to deliver targeted apps," he said.

"While some may be fine with sharing data in order to receive ads targeted to their interests, others see it as a privacy concern and as we've recently seen, spy agencies, such as the NSA are taking advantage of the data shared by mobile applications."


Kevin Morgan, chief technology officer of Arxan Technologies said that the news did not come as much of a surprise, as in 2013 consumers downloaded over 83 billion applications worldwide, and the amount of data that each app collects from a users' phone such as names, makes and model, location information was "quite startling".

"What this demonstrates is that many application developers and owners are simply not putting enough protections in place to secure their apps, which leaves users' data vulnerable to compromise by anyone with the technical know how to get it," Morgan said.

"Users' need to be aware that applications are often designed with functionality in mind and not security and therefore need to be wary of the information they provide to an app. App developers and owners need to be incorporating security into the app from the outset with the aim of ensuring that protecting data held within the app remains one of the top priorities throughout development."

Dan Raywood is editor of IT Security Guru.

IT Security Guru