Security Threats from Mobile Apps Revealed

Zscaler, a secure cloud gateway solutions provider, has released results of analysis from its research arm, ThreatLabZ. It’s not pretty.

The study reveals that “up to 10 percent of mobile apps expose user passwords and login names, 25 percent expose personally identifiable information, and 40 percent communicate with third parties.”

The data was gathered using the company’s Zscaler Application Profiler (ZAP), a free end-user Web site tool for assessing mobile apps for security risks.

According to a news release from the company, “there are over one million mobile applications, and more than 1,500 new apps being released every week. Users who download these apps, even from trusted sources, assume security measures are built in.”

The ThreatLabZ team’s examination of “hundreds” of applications found that “many popular apps leave user names and passwords unencrypted, while others are insecurely sharing personal information -- such as names, e-mail addresses, and phone numbers -- as well as communicating with third parties, including advertisers.”

Zscaler’s online tool, Application Profiler, lets users enter the URL for any Apple iTunes and Google Play app to receive an evaluation of the security and privacy risks the application poses. The company also provides an overall risk score. That’s the big picture, but ZAP can get more personal: the company says “users can also use ZAP to scan traffic from an app installed on their device to see whether their own data is being exposed.”

The application uses crowdsourcing to build its database: queries of apps not already in the database trigger analysis by ThreatLabZ.

-- James E. Powell
Editorial Director, ESJ

Posted on 10/10/2012