Using Apps? Why Your Password and User Name May Not be Safe

We enter everything into apps these days. Usernames, passwords, personal data… But what if you were told your smartphone may be giving information to third parties about you?

According to a recent study, that’s exactly what’s happening. Ten percent of mobile apps leak passwords, the study from Zscaler found. Additionally, the study revealed that 25% of apps reveal personally identifiable information and a full 40% communicate with third parties. This is dangerous news for a world where small business owners are beginning to use third-party apps for work duties.

Understanding how important protection of data is for businesses, Zscalar has released the Zscalar Application Profiler (ZAP). ZAP scans iOS and Android devices and analyzes security risks. In addition to workplaces moving toward mobile devices and bringing their own devices into the workplace, many businesses are outsourcing app development to third-party companies that may not be as careful about protecting data.

“While malicious apps grab headlines and have a greater impact on overall risk, vulnerable apps are far more prevalent,” said Michael Sutton, ZAP developer and VP, security research, Zscaler. “We understand the importance of finding out the security risk users face before they download an app. It is far better to proceed with caution and minimize any security threat by running a quick and simple report, than to have to deal with the aftermath of a security breach, whether on a personal or corporate device.”

One of the best things about ZAP is that it doesn’t require a security expert to deploy. You’ll merely need to download a SSL certificate to your phone, which is available here. You can download it by scanning a QR code with your phone or by navigating to the site with your phone’s browser and downloading it through a link. This SSL certificate provides ZAP with the information they need about the apps you’re accessing every day.

You don’t have to download the SSL certificate to get information about an app, though. To access ZAP’s database of apps that have been scanned before, simply go to your web browser and visit http://zap.zscaler.com/. Paste or type the URL into the box and ZAP will do its work, scanning for security leaks. Or you can type in the name of the app with the word iOS or Android (depending on your device’s operating system). ZAP looks for the following issues in your favorite apps:

  • Authentication flaws–Apps that inadequately encode login information.
  • Device identification–Apps that give away a user’s device information, including the Unique Device Identifier (UDID).
  • Personal information leakage–Apps that leak an individual’s personal information, including e-mail addresses, phone numbers, or street addresses.
  • Analytics and advertising–Apps that expose information to analytics services and sites for advertising purposes.

ZAP works by first capturing HTTP traffic, then analyzing that traffic to find security and privacy holes. Once your app has been scanned, you can access detailed data about what that app was doing in the background while you were enjoying using it. This allows you to make the decision about whether this information leak is acceptable enough to keep using the app.

As small businesses make the decision about whether to allow employees to download apps onto work devices, ZAP can give you the concrete information you need to prohibit certain apps. With an interface that’s easy to deploy, ZAP can be one of the best free tools your small business uses.

avatar

About Stephanie Faris

Stephanie is a freelance writer and young adult/middle grade novelist, who worked in information systems for more than a decade. Her first book, 30 Days of No Gossip, will be released by Simon and Schuster in spring 2014. She lives in Nashville with her husband.