Wednesday, 8 January 2014

Android Coupons App Leaks Your Personal Information To Everyone

Image via Flickr user Tiago A. Pereira
We've looked at several apps for Android that gather, to paraphrase John Hodgman, more information than they require. We've also looked at several apps that handle that information badly, allowing it to be easily extracted or intercepted. This week, Appthority shows us an app that does both, and also transmits your information to any other server it contacts.
The Coupons App
Appthority tipped us to an app called The Coupons App currently on Google Play, which includes a suite of tools to connect you with deals on everything from restaurants to gas. But in their analysis, Appthority found that The Coupons App "continuously sends private information over the network without protecting it with encryption." This includes your device ID or IMEI number, your phone number, your email address, your zip code, and the exact geolocation of your device.
Many apps collect this kind of information—some for their own analysis and some for selling to third party ad networks. Unfortunately, Android does not give you the ability to control what information apps can access. There's only a single all-or-nothing permissions warning when you first download an app. Not encrypting the information compounds the issue, since someone snooping on the network could nab it during a man-in-the-middle attack.
Unfortunately, this is not the last of The Coupons App's sins. "The private data is sent to the server used by the app, but it also leaks the private information in the "Referer" field," said Appthority, referring to a misspelled HTML header field that identifies the address of the webpage you're currently on to the webpage you're heading toward.
Let's say you're searching for "pharmacy" and The Coupons App uses a book cover image from Amazon in the search results. When the app communicates with Amazon to get that image, it included a lot of your personal information in the exchange.  Here's Appthority's example, bolded for emphasis. Note that the email address and phone number are clearly visible.
Appthority
Click for a larger image
Appthority added, "if the app was properly encrypting the link to their servers with the private data (ssl), the referer would not be set or sent to external web sites." Appthority notes that The Coupons App is possibly leaking this information to other servers unknowingly.
How Can You Stay Safe?
The Coupons App underlines one of the biggest problems with mobile security: That the end user (you) doesn't always know what potentially dangerous activities an app might be carrying out. Even if you read the permissions requested by The Coupons App, you wouldn't know why it was harvesting information or that your data was being leaked to other servers.
Furthermore, the limitations of Android don't allow you to control what apps can access certain information—like your current location. In the case of The Coupons App, this means that simply using it, and others with similar issues, puts your information at risk.

No comments:

Post a Comment