Rovio denies working with NSA to share user data

Jonathan Riggall


The New York Times and Britain’s The Guardian yesterday published new NSA revelations that suggested ‘soft’ apps like Angry Birds could be transmitting user data accessible to government agencies. Today Rovio has denied collaborating, colluding or sharing “data with spy agencies anywhere in the world.”

However, the original articles did not accuse Rovio of that, even if they unfairly singled out the mobile games company, and its statement does little to calm security fears about mobile apps. Read more about the original story here.

The original NYT and Guardian articles said that many users are unaware of the scope of data that many apps keep and sometimes share with advertising networks. This is true, as most people don’t read the small print when they begin using ad-supported free apps. It’s not true that either developers like Rovio or the ad networks they use are colluding with the NSA or the UK’s GCHQ, but those agencies have apparently been able to access data transmitted by them.

Rovio says, “the alleged surveillance might be happening through third party advertising networks,” but that doesn’t change anything from the user’s perspective. App developers need to make sure that the third party companies they work with are as secure as they can be.

As we wrote yesterday, there are ‘five major failures in mobile security:’

  • 3rd party SDKs (including adware and analytics) cause security holes: One major risk is that some adware SDKs can perform tasks outside the original app permissions.
  • Permissions bypass user consent: Apps can sidestep required permissions to complete the same behavior or add more permissions for unused functions.
  • Include debug information from developer: This can contain information that can be used for targeted attacks against companies to steal data.
  • Improper handling of private app data: Some popular apps may encrypt data on their servers, but the data is sent through insecure channels.
  • Apps don’t apply security to user data: A lack of SSL/encryption, storing passwords in plain text, and not using expiring OAuth tokens for login.

None of this means Rovio is colluding with spy agencies; it means that the company is not making the data it collects secure enough to stop (or try to stop) those agencies. Angry Birds was mentioned in most articles regarding these latest NSA documents, but it was perhaps unfair of the media to single it out.

There are many worse, less secure and less trustworthy apps, and there is no evidence that Rovio willfully helped the NSA spy on citizens.


[Sources: The Guardian, The Verge]
