Revelations that the National Security Agency is tapping smartphone applications to mine personal information highlight the risk millions take every day when they play games, schedule lunch or check the weather.
Documents released by former NSA contractor Edward Snowden to the New York Times, the Guardian and ProPublica show the U.S. and U.K. have infiltrated mobile software for details about users’ comings and goings and social affiliations. Among the so-called leaky apps with the greatest privacy perils are Google Inc. (GOOG)’s Google Plus, Pinterest Inc.’s online bulletin board and “Candy Crush Saga,” the most popular game on Facebook Inc. (FB), according to an analysis by Zscaler Inc.
“Privacy is dead in the digital world that we live in,” said Michael Sutton, vice president of security research at San Jose, California-based Zscaler. “I tell people, unless you are comfortable putting that statement on a billboard in Times Square and having everyone see it, I would not share that information digitally.”
The latest disclosures from Snowden underscore how vast a treasure trove mobile apps are, and not only for the advertisers that sweep them for consumer data. Zscaler’s analysis found that 96 percent of the top 25 social-networking apps request e-mail access, 92 percent ask for access to users’ address books and 84 percent inquire about their physical locations. Sutton said most people give the apps what they want.
Applications for smartphones and tablets present a challenge when it comes to security because, unlike with computer software, most apps depend almost entirely on ads to make money.
While technology companies often encrypt what they collect to shield it from prying eyes, the advertising services they work with frequently don’t, said Kevin Mahaffey, co-founder and chief technology officer of Lookout Inc. in San Francisco.
Lookout studied 30,000 apps a day this month and found that 38 percent of those for Android systems could determine locations, that half could access the unique code assigned to a person’s device and that 15 percent could grab phone numbers.
The reach of apps, and of the networks advertisers use to pass data around, make them natural eavesdropping targets and are aiding a shift in the focus of surveillance efforts away from personal computers, Mahaffey said.
“They have a lot of valuable information and they’re everywhere,” he said. “Everyone from the NSA to Microsoft to Google see mobile as the future.”
“Uninhibited collection of consumers’ personal data by governments hacking into apps is unacceptable,” said Jon Potter, the group’s president, in the statement. “This surveillance damages our entire industry and undermines the hard work of app developer entrepreneurs everywhere.”
Jodi Seth, a spokeswoman for Menlo Park, California-based Facebook, said the company encrypts its mobile-app data and pointed to two earlier statements defending its security technologies. King.com, the London-based company behind “Candy Crush Saga,” and San Francisco-based Pinterest didn’t respond to e-mail messages sent during U.S. business hours.
The mobile-app industry, less than 10 years old, will be worth $143 billion globally by 2016,according to London-based research firm VisionMobile.
Many people aren’t aware of what their applications are scooping up, and the information is often tangential or irrelevant to an app’s central purpose.
One game that makes surprising grabs -- asking for a user’s location or a device’s unique code -- is “Angry Birds,” according to research by Jason Hong, an associate professor of computer science atCarnegie Mellon University, that was published in November. Another is Brightest Flashlight, which turns on all of a device’s lights at once, Hong found.
“Angry Birds,” whose games have been downloaded more than 1 billion times, was identified in the Snowden documents as a target of NSA spying.
Its creator, Rovio Entertainment Oy, which is based in Espoo, Finland, said in a statement that it doesn’t share data with government agencies and that any leaking of customer data is being facilitated by vulnerable advertising networks.
“In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes,” Mikael Hed, Rovio’s chief executive officer, said in the statement.
GoldenShores Technologies, the creator of Brightest Flashlight, didn’t respond to an e-mail message.
There are dozens of networks that collect and share details from apps and connect marketers to users with tailored ads. AdMob, owned by Google, and Millennial Media are the two biggest networks for Android, the largest smartphone operating system in the world.
Christina Feeney, a spokeswoman for Millennial Media, said the company doesn’t share information with government surveillance agencies. AdMob declined to comment.
The NSA sensors that capture traffic traveling across key Internet junctures are probably what allow the agency to collect mobile-ad data and look for patterns, Carnegie Mellon’s Hong said. Some ad networks pass around entire contact lists in unencrypted form, which makes them vulnerable to interception at any point along their path, Hong said.
While mobile-app data could have unquestioned value for investigators in select cases, it’s difficult to separate key signals from noise in such huge datasets, he said. “It’s unclear what signals might be useful” to surveillance agencies.
The apps documents released by Snowden, who lives in Russia, were the latest to bring to light the extent to which NSA and other agencies, including the U.K.’s Government Communications Headquarters, have targeted digital information. The U.S. has charged Snowden with theft and espionage for leaking documents to the Guardian and the Washington Post last year that unveiled the breadth of the NSA’s collection of Internet and telephone records.
The agency has defended its data gathering as essential to national security.