NSA Report Exposes 'Negligent Levels Of Insecurity' In App Developers

The internet was abuzz yesterday with recently released information that the NSA has been collecting personal information through security holes in users’ mobile apps.

That’s right. Turns out the information that Angry Birds used to market you ads has also been deemed worthy of attention by the NSA for further metadata.

Before sounding the alarms for another example of government overreach, consider that much of that information was in complete, unencrypted view of anyone who wanted to take a look.

Fresh reporting from Tim Simonite of Technology Review states:

“This is evidence of negligent levels of insecurity by app companies,” says Peter Eckersley, technology projects director for the Electronic Frontier Foundation. Eckersley says his efforts to persuade companies to secure Web traffic show widespread disregard for the risks of sending people’s data over the Internet without protections against interception. “Most companies have no legitimate reason” not to secure that data, says Eckersley. “Often the security and privacy of their users is so far down the priority list that they haven’t even thought about doing it.”

Google Maps was reported to have been a particularly useful target for metadata. Until last September, encryption for Google searches was not the standard, and the company still does not publicly state which of its apps use encryption.

The lack of public knowledge about app encryption can be particularly troubling. Whereas websites display a padlock icon next to a web address when the site is secure, apps give users no such signal that a user’s data is being encrypted.

Simonite highlights a few reports to show app makers’ disdain for secure communications:

A 2012 study of 13,500 Android apps by researchers in Germany found that only 0.8 per cent used encrypted connections exclusively, and that 43 per cent use no encryption at all. Last week mobile app security company MetaIntell reported that 92 per cent of the 500 most popular Android applications communicated some data insecurely.

After quickly offering reassurance that the company doesn’t cooperate with the NSA, Rovio CEO Mikael Hed said in a statement, “In order to protect our end users, we will, like all other companies using third party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes.”

Hed’s statement, while it shifts blame, is at least a tacit admission that Rovio has no idea if or how its third-party vendors secure user data.

With so little attention paid to security by app developers, it is no surprise that major mobile apps continue to be prime targets of hackers and government agencies. It was this (almost arrogant) lack of concern, after all, that allowed Snapchat to be hacked so easily.
