The Olympics are well underway and the world is glued not just to their TV sets, but also to their mobile devices. Increasingly, we get more of our news and entertainment via mobile, so it makes sense that people will gravitate to new apps to catch all the action during the Olympic season.
Appthority’s Enterprise Mobile Threat team analyzed some apps that might be popular during the Olympic season to see how they were handling sensitive data. The team picked apps for watching Olympic events or following scores.
In all, the team discovered that many of the popular apps are not properly protecting Personally Identifiable Information (PII). This type of behavior obviously puts consumer data at risk, but increasingly, as phones and apps are used in both personal and work settings, also puts corporate sensitive data at risk. What’s worse, for those traveling to Brazil for the games, insecure data handling could put them in physical danger as well.
Following are our findings on three apps which exhibited risky behaviors:
Mobile App: ESPN – Get scores, news, and watch live sports | (com.espn.ScoreCenter) Version 5.1, iOS
Sends PII to 3rd Parties (IDFA/Device Identifier) – Many apps use the IDFA//IMEI (Unique Device Identifiers) to track users. In this case, the app not only accesses the IDFA/IMEI, but it also sends it to 3rd parties without encryption. This can be risky as, in the past, we’ve seen vulnerable apps and services that track users’ with device identifiers and then expose users’ personal and sensitive data. So, if someone is sniffing traffic on an unsecured Wi-Fi and sniffs out your IDFA/IMEI while using ESPN, they could then try to leverage weaknesses in other back end services to find more information on you based on the same IDFA.
Discloses File Paths to Source Code – This is mainly a risk for the developers, as it’s a sloppy programming practice and exposes developer information and potentially the developer’s PII to would be attackers.
Sends Sensitive Data Unencrypted (IDFA/IMEI) – IDFA/IMEI is PII. If it needs to be sent, this data should always be encrypted. Often the developer might not even know they are collecting it as it could be from a 3rd party library or SDK (software developer kit) being used by the app.
Mobile App: NBC Sports | (com.nbcuni.com.nbcsports.liveextra), Version 4.6.6, iOS
Sends data unencrypted – app is not encrypting all traffic. This is not following best coding practices
Sends PII (IDFA) unencrypted – Many apps use the IDFA/IMEI (device identifiers) to track users. In this case, the app not only accesses the IDFA/IMEI, but it also sends it without encryption. This can be risky as we’ve seen vulnerable apps and services that track users’ with IDFA/IMEI and then expose users’ sensitive data. So, if someone is sniffing traffic in an unsecured Wi-Fi and sniffs out your IDFA while using NBC Sports, they could then try to leverage weaknesses in other back end services to find more information on you based on the same IDFA. We observed the NBC Sports App sending the IDFA unencrypted to multiple Web Advertisement and tracking services unencrypted.
Mobile App: Toilet Finder | (com.betomorrow.ToiletFinder), Version 2.7 iOS
Sends PII to 3rd Parties (geolocation)
Sends Sensitive Data Without Encryption (geolocation) – GPS location is considered PII as it is a highly accurate representation of where a user lives, works, and plays. While many apps might need a user’s location to recommend nearby activities or locales, a coarse location (general vicinity) should be enough. Further, if the location is to be shared, it should always be encrypted. This is especially true in high risk areas like Brazil where kidnappings occur regularly.
Here are the technical reports that show these apps are sending the IDFA unencrypted. The IDFA for the device with the apps is [Appthority Device].
ESPN: is sending the IDFA without encryption to an ad service (3rd party Ad Network, which is built into the app in the form of an SDK (software developer kit). The Ad Network’s IP address is (http://18.104.22.168:80) and SSL = False means it’s not encrypted traffic.
Source Destination 1 Sent Rec’d SSL
XXX.XX.XXX.XXX:XXXXX 22.214.171.124:80 354 315 False
Reputation: 96, Category: Business and Economy
NBC Sports: is sending the IDFA to two different servers, both unencrypted (SSL = False). One is a low reputation Web Advertisement and the other is a higher reputation “Business & Economy” site.
Source Destination 1 Sent Rec’d SSL
XXX.XX.XXX.XXX:XXXXX 126.96.36.199:80 475 402 False
Reputation: 60, Category: Web Advertisements
Source Destination 2 Sent Rec’d SSL
XXX.XX.XXX.XXX:XXXXX 188.8.131.52:80 6010 5845 false
Reputation: 92, Category: Business and Economy
According to http://www.donottrackplus.com/trackers/imrworldwide.com.php, destination #1 is: “a domain used by Netratings Site Census which is an analytics company that is part of a network of sites, cookies, and other technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web. Over time, sites like imrworldwide.com can help make an online profile of you usually including the sites you visit, your searches, purchases, and other behavior. Your profile can then be exchanged and sold between various companies like imrworldwide.com as well as being sold to other advertisers and marketers.”
As shown, both of these apps share unique identifier data (IDFA/IMEI) unencrypted. An example of why protecting IDFA/IMEI is so important can be seen with a recent trueCaller caller ID app flaw. According to Cheetah Mobile, “Truecaller uses a devices’ IMEI number to assign identities to its users, which means that anyone with access to a device’s IMEI could tamper with your personal information without explicit consent.” Access to profile info and the ability to change it could be very valuable to a would be hackers/thieves/kidnappers, etc.
Why IDFA/IMEI is considered PII
Apple used to allow apps to track users through their UDID, a unique device identifier generated from hardware attributes (serial number, MAC address, etc). This process, similar to tracking “cookies” on a website, allowed developers and mobile ad companies to track users across multiple apps, even if the user had different usernames & passwords across the apps. However, unlike cookies, a user can not reset their UDID, so they had no way of ever hiding or shielding their identity. A few years ago, Apple aimed to improve the issue with the release of “identifier for advertisers” (IDFA). After a grace period, Apple stopped allowing developers to access the UDID and instead allowed them to collect the IDFA. Unlike the UDID, the IDFA can be reset. However, it’s not as simple as simply “deleting cookies” from a web browser. In order for a user to reset their IDFA, they’d have to go to their phone settings and select “Erase All Content & Settings”. Because this is a major step, not many people do this, so the IDFA is effectively still a unique identifier and considered PII. Thus, it should always be treated as sensitive data and encrypted both at rest and in transit.
So, If you have employees closely following the Olympics on their mobile devices at home or in Brazil this summer, it might be a good idea to warn them of some potential dangers. As we’ve seen, many Olympics-related apps are not properly protecting sensitive data when they share it with 3rd parties like Ad Networks and Data Brokers. Because of this, it’s probably not a good idea to use these apps on insecure or public Wi-Fi networks (like at a local coffee shop). This is especially important for anyone traveling to Brazil, which has been in the news for physical security risks like kidnappings.
Image credit: http://www.oakhurstumc.com/