Dangerous apps – the spies in the smartphone

11.03.2015 | Information Technology

Mobile apps are constant companions for users of smartphones and tablets. Normally their potential is only unlocked when user data is entered. If these data are not sufficiently protected, they can be harvested by hackers and others who collect data without authorisation. Often it is the most popular apps in the stores that are affected. The mobile security experts and IT security service providers from mediaTest digital and TÜViT (TÜV NORD GROUP) in particular warn against transfer of non-encrypted confidential information and infringements of data protection law.

Every day in the mediaTest digital test laboratory, apps for all the operating systems in general use are tested for data security and adherence to the provisions of the Federal Data Protection Act. Using the example of three popular apps – “DFB” (iOS), “wetter.de” (Android) and “Weight Watchers” (Android) – the experts now describe serious instances of security and data protection infringement.

DFB (iOS), Version 2.4.3

Football fans can receive information and news about German football teams and leagues via the official DFB app. This app for iOS is certainly helpful in keeping up to date with footballers and the matches they play, but it is very problematic from the point of view of security: password, username, first name, second name, address, telephone number and email address are transferred to the app provider without encryption. In particular, unencrypted transfer of the password carries risks which extend far beyond the individual app. All accounts where the same password is used are put under threat.

The experts from mediaTest digital recommend that users of the DFB app for iOS delete their account and uninstall the app. After this, the passwords for all services which use the same password should be changed without fail. The gap in security of the DFB app is unfortunately not unique. Although consumers can hardly recognise whether an app transfers passwords without encryption, they can create greater security for themselves by following a few simple rules: the same password should never be used for several services. In addition, passwords should be changed regularly. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) recommends that passwords should be at least 12 characters long, and should include upper and lower case letters as well as symbols.

wetter.de (Android), Version 2.0.2

The Android app “wetter.de” is the mobile version of the weather report and forecasting service from RTL interactive. Whilst the iOS app already mentioned behaves in a relatively “innocent” way and transfers only the location in unencrypted form, the Android app is quite a different matter: here, the unique IMEI (International Mobile Equipment Identity) device code and precise location data are transferred to an advertising and analytics network; the fact that searches and the Android advertising ID are transferred without encryption is almost trivial in comparison. The IMEI acts as a “fingerprint” for mobile devices. It plays a role, for example, in the blocking of stolen or lost mobile phones. Unencrypted transfer of the IMEI number to outside servers – in the case of wetter.de to an advertising and analytics network – means that user profiles can be generated by unauthorised third parties.

mediaTest digital warns that it is easy for hackers to steal the IMEI if it is not encrypted. Unencrypted transfer of location data is also not without problems. In view of these lapses in security, the advice is not to use the “wetter.de” app for Android. Seen as a whole, only a few app providers make the effort to encrypt localisation data. The experts from mediaTest digital and TÜViT therefore consider that location-based information services should be avoided if at all possible.

Weight Watchers (Android), Version 3.5.3.21

Many people wish and intend to lose weight by using diets and fitness programs. Whilst Weight Watchers is very popular as a provider of diet plans, the Android app is problematic as regards data protection and security. The security test revealed that the Android device ID is transferred unencrypted to an advertising network. In addition, the app communicates both location data to the provider and unencrypted searches to a map service. Unencrypted transfer of searches and food entries to an analytics network also takes place. Weight Watchers for Android is one of many apps that use the device ID for advertising purposes instead of the advertising ID, as specified by Google.

Use of the advertising ID has two decisive advantages for users: it is possible to opt out of use of the advertising ID for interest-based ads in the device settings. In addition, the advertising ID can be reset at any time. In the case of the device ID, this can only be achieved via a circuitous route. By passing the device ID to an advertising network, the Weight Watchers app violates the “Google Play Developer Program Policies” and ignores the right of users to have their data used in an appropriate way.

TÜViT and mediaTest digital at CeBIT

At this year’s CeBIT, TÜViT and mediaTest digital explain how data protection and security can be guaranteed for mobile devices in the corporate context. Protection of sensitive data plays an absolutely vital role in this: “Those responsible for mobile devices and CIOs must transfer their usual IT safeguards, including firewalls and device management, to the mobile sphere. That sounds easy enough, but is actually a labour of Hercules”, says Sebastian Wolters, CEO of mediaTest digital. In cooperation with TÜViT, the Hanover-based company operates the Application Security Center, a platform for the security of mobile IT infrastructures. “Inclusion of mobile devices in the IT infrastructures whilst maintaining the security standards of the organisation is a huge challenge”, adds Antonius Sommer, General Manager of TÜViT.

The two providers will be presenting their solutions for secure enterprise mobility and application management at CeBIT on their joint stand, L23, in Hall 6.

About TÜViT

TÜV Informationstechnik GmbH – known as TÜViT – with headquarters in Essen, specialises in testing and certification of IT security and IT quality. As a “Trust Provider”, TÜViT supports organisations in the implementation and fulfilment of special requirements, legislation and guidelines (compliance). Testing and certification of security and quality characteristics of IT products, systems, services and infrastructures is based on recognised criteria and standards (e.g. Common Criteria or ISO/IEC 27001). The TÜViT portfolio of national and international accreditations is unique on the German market. With the “TRUSTED MOBILE AUDITS”, the experts from TÜViT test and evaluate the mobile infrastructures of companies and other organisations, internet services from service providers and individual mobile solutions. This integrated approach means that weaknesses are revealed, not only within the mobile core disciplines (e.g. within the mobile device management), but also in relation to the networking of the systems among themselves. www.tuvit.de

About mediaTest digital

mediaTest digital is the European market leader when it comes to mobile security solutions in the mobile application and enterprise mobility management sector. Founded in 2012, the Hanover-based company is today securing more than 600,000 mobile devices for business clients like Lufthansa or Deutsche Bahn on a worldwide scale. Altogether, 10 of the 25 largest German companies and a large number of small and medium-sized enterprises from areas such as banking, automotive, energy supply and commerce make use of the services provided by mediaTest digital. As the first integrated “software as a service” solution, “APPVISORY” makes it possible to operate app risk management in all areas of a company or organisation. Thanks to standardised integration into all widely-used mobile device management systems such as AirWatch or MobileIron, APPVISORY is the only solution available on the market which can be seamlessly embedded in every mobile IT infrastructure and applied down to the device level.

In cooperation with TÜViT (TÜV NORD GROUP) mediaTest digital operates the “Application Security Center” enterprise mobility management portal www.appsecuritycenter.com.
