One area that often flies under the radar as a type of risky mobile app is the risk posed by leaky apps—apps that may be unintentionally exposing sensitive information. This isn’t just a theoretical issue; it’s a challenge that continues to grow as the mobile landscape becomes more complex and integrated with our daily operations.
What are leaky apps?
Leaky apps unintentionally expose sensitive data due to issues like poor coding practices by app developers, outdated security protocols, or misconfigurations. For example, an app might fail to encrypt user data, allowing personal information, location data, or interactions with other apps, jeopardizing your privacy. These flaws create gaps through which personal information, location data, or interactions with other apps can slip out unnoticed, putting user data at risk.
The risks of leaky apps
At DEF CON 32, Ryan Johnson, our Principal R&D Engineer, presented ground-breaking research on the Android ecosystem. He demonstrated how leaky apps are more prevalent than we often realize. His research revealed that app usage data in Android devices, when paired with location tracking, can be exploited to profile user data, track habits, and even predict behaviors. And it’s not just about ad-targeting—your digital footprint is being exposed in ways that could compromise your privacy or company data.
App usage and location data leaks
To build on this research, Johnson and his team uncovered privacy leaks among major Android device manufacturers, including Samsung, Nokia, and Transsion brands such as Tecno, Infinix, and Itel. Furthermore, vendors utilizing pre-installed Qualcomm apps for performance monitoring were also identified as having vulnerabilities. These leaks compromise sensitive data, potentially enabling attackers to infringe on privacy and track users without their awareness.
While the leaked data doesn’t provide exact GPS coordinates, it includes key details like the Mobile Country Code (MCC), Mobile Network Code (MNC), Location Area Code (LAC), and Cell Tower ID (CID). This information can be cross-referenced with public databases to map it to the GPS coordinates of the connected cell tower, enabling attackers to triangulate user locations and track behavior over time.
App usage data offers valuable insights into user behavior. Yet, when paired with location data, it transforms into a powerful tool for organizations to improve their customer experience with targeted advertising campaigns. However, not all data collection is conducted responsibly; at times, data may be sold to third-party companies, leaving its ultimate destination uncertain.
Essential Risks for Security Teams to Consider:
- Data Exposure: Profiles can be crafted to target users based on their app interactions and physical location, making advertising more personalized. However, it’s crucial to be aware that bad actors and hackers can exploit this information, making it easier to take advantage of unsuspecting users.
- User Profiling: Leaky apps can expose your location, contacts, and even behavioral patterns, leading to data misuse or breaches. These data leaks can be compiled to form detailed profiles of users, potentially creating substantial security risks.
- Widespread Vulnerabilities: Leaky apps have been identified across iOS and Android platforms, showing that no single vendor or system is immune to this risk. App developers must integrate security coding practices throughout the app development life cycle to safeguard user data and uphold their organization’s trustworthiness.
Safeguarding this information is essential for those relying on mobile apps to secure operations and comply with data privacy regulations, ensuring the safety of their workforce. It’s essential to recognize that certain mobile threats can interact with one another, such as a colluding app. In Johnson’s research, a pre-installed app on the mobile devices analyzed and collaborated with other vulnerable apps. This resulted in sharing sensitive data and amplifying the security risks far beyond what a single weak app could pose.
Why mobile app intelligence matters
At Quokka, we’ve made it our mission to safeguard the mobile ecosystem. With extensive experience scanning millions of mobile applications and uncovering countless security and privacy vulnerabilities, we’ve developed a perspective on mobile security intelligence that is both deep and actionable.
Why should you care? Because proactive mobile threat intelligence allows organizations to anticipate and mitigate risks before they escalate into significant breaches. With leaky apps exposing sensitive user data in iOS and Android devices, taking a proactive approach to app security is no longer optional; it’s essential.
Key Benefits of Mobile Security Intelligence:
- Proactive Risk Mitigation: Identify and mitigate mobile risks—like leaky apps—before they evolve into critical threats.
- Informed Decision-Making: Equip your team with actionable insights on mobile security threats to make better-informed decisions.
- Strengthened Ecosystem: By continuously improving security measures, organizations can secure their mobile environments and reduce exposure to threats.
Shaping a safer mobile future together
At Quokka, we see ourselves as more than just mobile security experts—we’re partners in building a safer, more secure digital future. Through the strategic use of Contextual Mobile Security Intelligence, we are closing the gaps in iOS and Android devices that leaky apps expose, and helping you take control of your mobile security strategy through comprehensive data and security.
What You Can Do Now:
- Stay Informed: Keep up with our ongoing cybersecurity awareness series to stay aware of the latest mobile security trends.
- Take Action: Regularly review app permissions, update apps, and educate your team on app security to minimize risks across both iOS and Android devices.
- Engage with Quokka: Our team is here to provide expert guidance and help you strengthen your mobile security defenses.
Don’t let leaky apps compromise your sensitive data. With Quokka’s mobile security intelligence, you can proactively protect your organization and user data from hidden threats. Ready to secure your mobile ecosystem? Contact us for a personalized security assessment and start safeguarding your business today.
