Using apps and mobile websites is normal for smartphone users, but applications you trust could be leaking your personal information — and it can be surprisingly easy for a hacker to find it.
“There are so many very popular, recognizable brands out there producing apps and websites that are leaking personally identifiable information,” said Michael Covington, a vice president of product for mobile security company Wandera.
The global app business is now worth over $140 billion a year, according to the App Association. Every hour, more than 10 million apps are downloaded, according to analytics service company App Annie.
More than 200 apps were found to be exposing sensitive consumer information, with close to 60 percent of the leaks coming from news, sports and shopping apps. The study was released in December by Wandera.
“I as an information security professional was not aware that this many brands were not protecting that information,” said Covington.
Another nearly 30 percent of leaks came from travel, entertainment, lifestyle and technology applications and mobile websites. Adult content was one of the most insecure categories. Eighty percent of the top 50 adult services apps and mobile websites leak personal information.
“Maybe it’s leaking your username, your password and your credit card information just by you hitting a single button … anything that they may have put into that tool is vulnerable,” Covington said.
The most commonly exposed data is usernames and passwords, but sometimes credit card or Social Security numbers are leaked too.
“If you think about the combination of a username and a password, that’s all that you need as an attacker to get access to everything else that might be in an account,” Covington said.
Apps and mobile websites sometimes collect information from smartphones and tablets, such as the user’s location.
The risk is even bigger for business apps. Wandera found that a meeting room software provider’s website and mobile app were leaking usernames and passwords. While that may seem innocuous, once cybercriminals accessed the service, they were able to reserve rooms and get security access to the building.