Yesterday German magazine c’t published a report detailing how some big name Android virus scanning apps were sending browsing data to their servers in plain text, and that this was a serious privacy and security threat. One of the accused, AVG have responded saying that the report misunderstands how ‘safe browsing’ works, and that URL data is now anonymized.
The c’t article had these main findings: in Safe Browsing mode, many apps send visited URLs back to servers, and this data was being sent in plain text. The second finding was that on some ‘legacy websites’ (outdated, old websites), with outdated security, the URLs could include personal data such as passwords or usernames.
We spoke to Tony Anscombe, AVG’s Senior Security Evangelist at the Mobile World Congress in Barcelona. Regarding URL data sent to their servers, AVG has fixed this in the latest update, AVG AntiVirus for Android version 3.6. URL data sent to AVG servers is now anonymized. This also solves the second problem of legacy websites that add personal data to URLs. He also argued that there are very few legacy websites, so the problem anyway would be tiny.
But regarding Safe Browsing mode sending URLs to AVG servers, Tony Anscombe pointed out that this is how it works. In Safe Browsing mode, AVG checks sites you try to visit against a blacklist of known malicious addresses. The point of Safe Browsing mode is to ensure you don’t visit bad websites, so in checking this by sending URL data to servers, the app is doing exactly what you want it to.
Keeping the blacklist of malicious sites in the cloud helps to keep the app lightweight, and none of the data sent to AVG’s Linkscanner® cloud database contains personal data.
In short, AVG says that c’t magazine found a problem that’s not really a problem. The issue with old websites is very minor, and has been fixed. Safe Browsing mode, meanwhile, keeps you safe by monitoring the sites you visit: it’s a feature not a breach of security or privacy.
RELATED NEWS:
- AVG announces unified security suite “Zen”
- Telegram: “If you don’t trust us, use the secret chats”
- Adobe issues second emergency Flash Player update this month
[Source: c’t magazin, AVG]
