Security researchers are warning of a rise in mobile apps leaking user privacy data, including device metadata, location and personally identifiable information (PII). In a new report analyzing mobile privacy trends, researchers at Zscaler revealed both Android and iOS users could be left vulnerable to targeted denial-of-service attacks, phishing and even physical tracking. In the last quarter, the firm said it detected more than 45 million transactions related to mobile devices through its cloud where some form of privacy data was leaked. Of the 26 million transactions originating from iOS devices and their apps, Zcaler found that 0.5 percent leaked user data. Android devices and apps, on the other hand, made up about 20 million transactions, with approximately 0.3 percent resulting in leaked privacy-related information. In both instances, the majority of this data (72 percent for iOS and 58 percent for Android) was related to device metadata, in which apps sent identifying information to their server or ad-servers in clear text. Zscaler noted that this information, such as a device’s unique ID or information about its network and software, could be leveraged for tracking the device and crafting targeted attacks. Another high percentage of leaks – 39 percent for Android and 27 percent for iOS – involved a user’s geo-location, which provides exact latitude and longitude coordinates, said Zscaler. Lastly, the remaining percentage of leaks (only 3 percent on Android and less than 1 percent on iOS,) exposed users’ PII data. The report also noted the geographic distribution of leaks, where a whopping 70 percent of leaked data was traced back to iOS devices in China and 20 percent to devices in South America. The majority of leaked data originating from Android devices came from the US (55 percent), followed by the UK (16 percent) and China (12 percent).
“These statistics demonstrate that significant amounts of personal data can be leaked simply by tapping into an organization’s traffic; in our cloud alone we saw nearly 200,000 examples of such leaks,” added Zscaler. “All that leaking data can be leveraged for more sophisticated attacks.”
The company urges organizations to take steps to protect their users and the broader network infrastructure and data assets. “[Organizations] should be applying strict MDM policies and educating employees about app security in an effort to stave off any kind of data loss or security breach,” recommended Zscaler.
