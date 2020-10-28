Alicia Richards and Senior Investigator Kendra Nichols discuss the state’s COVID-19 tracking app with security expert John Sancenito.

Sancenito is the President of INA, a Harrisburg based security consulting firm. INA recently investigated the COVID PA Alert app to see if it shares a user’s location or accesses personal information on the user’s phone.

They also discuss what information other apps may be accessing on your phone and how to check your privacy settings.

Sancenito also shared the dangers of application permissions.

What are application permissions and why do apps need them?

Permissions are granted by developers to allow an application to directly interact with components of the device’s hardware and software. There are a wide variety of permissions, some of which may include 1) reading data from other applications on the device and 2) tracking a user’s location. While permissions are required for basic app functionality, some applications were recently found to collect and share user data without the user’s knowledge. As a result, many users are growing more concerned about the applications they have on their devices.

What happens if an application uses have too many permissions?

If I were to hire a plumber to fix a leaky faucet in my kitchen, I would only allow the plumber to access the kitchen. Why would you give them access to your whole house? Similarly, why would you grant an application permission to access all components of your device when it likely has a very specific purpose?

Users should be concerned when an application has permissions that are not essential for the application’s functionality. For example, an application that works as a Body Mass Index (BMI) calculator that collects and shares user data will typically need access to the Internet. This is so the application can send the user data and store it on a remote server. This seems harmless enough. However, if that remote server suffers a data breach, it could potentially result in critical security risks for the public, such as identity theft.

Incorrectly or excessively assigned permissions were identified as the top mobile application security risk in 2016 (via “OWASP Mobile Top 10”). So imagine allowing that plumber free-roam of your house just to fix a leaking faucet in your kitchen.

Are there hidden permissions?

Yes, and due to a variety of benign and malicious reasons. Whether it’s simply a developer forgetting to publicly disclose all permissions the application uses, or a malicious app that requests permissions without the user’s knowledge to steal sensitive information.

Applications can use these hidden permissions to collect data about the user without their knowledge and share it with Big Data companies. For example, if you find yourself browsing a shopping app for a specific product then later see an advertisement for the same product, then you have just seen a perfect example of this type of data sharing.

Why is information on consumers collected and shared with Big Data companies?

Many large companies, like Google and Facebook, share and collect user data in an attempt to improve marketability, customer experience, and even security.

Google, as an example, collects mass amounts of data to improve a consumer’s ad experience or web browsing experience. Some banking institutions collect data on customers (i.e. Social Security Numbers, DOBs, and even voice recognition data) to further improve customer security with features like Multi-Factor Authentication.

What are some applications that share my data?

There are many applications that collect and share user data. Some of these applications are used every day by most smartphone owners. These apps include Instagram, Google, Amazon, WhatsApp, Flickr, TikTok, and many more.

Facebook in particular, and any organization owned by Facebook (such as Instagram), is widely known to share user data. For example, when a user posts an image to their Facebook wall, Facebook collects data from the image and uses artificial intelligence (AI) to tag details of the image in an attempt to improve customer experience.

If I were to post an image of my dog on Facebook, Facebook would use AI to detect if the object in the image was a dog, and create a tag stating that there’s a dog in the image. So if my friend were to later search “dog” on Facebook, the image of my dog with that tag would most likely appear. This is to improve customer experience on Facebook.

Other known applications that share user data are listed below:

Azumio Inc

FaceApp

Flo Health

OkCupid

Realtor.com

Talking Tom

Tinder

Tumblr

Twitter

How can I protect myself?

First and foremost, check your device’s permission manager frequently. This will tell you which applications have access to which permissions. Also, if you have the ability to turn off certain permissions you feel are unnecessary, do so!

I would highly suggest any user, who is concerned about their privacy, review the permissions requested on both the application marketplace (e.g. Apple App Store, Google Play Store) and the device’s

permission manager. When comparing the two, if you notice any discrepancies, make a judgment call on whether or not you need the application. I would also suggest reviewing the developer’s privacy settings thoroughly to determine any potential misuse of user data.

Keeping your devices and applications on your devices updated is key to securing your data. When an application is available, it is likely patching a weakness or security vulnerability.

If you are running iOS 14 (e.g. iPhone, iPad), you have the option of turning off user “Tracking” on the device. This will prohibit apps from requesting to collect information used to track you. You may also notice a small green or orange dot near the top of the screen on your iOS 14 device when making a call or using an app. This means your camera (green dot) or microphone (orange dot) is currently in use and serves as a visual reminder that those components are active.

Lastly, I would simply recommend performing an audit of all the applications on your device. If you are concerned about the application and no longer use it, it can and should be deleted. Often users keep outdated or forgotten applications on their device without even knowing it. This can significantly increase the attack surface for potential hackers.