Personal mobile devices continue to invade the business sphere, making good privacy practices more important than ever. The smallest leak can lead to hacks, stolen business data, and crippling attacks.
Leaked data comes from a lot of places, and cloud security company Zscaler is giving us one more thing to worry about: mobile apps.
A report from Zscaler reveals that not only are iOS and Android apps leaking personal data, but it's data that can be a serious risk for businesses. Even something that seems as innocuous as device metadata can be leveraged in an attack.
The three big things being leaked
Mobile apps need access to different parts of your smartphone depending on what they do. Even benevolent apps are guilty of leaking sensitive data, which Zscaler says comes in three categories: device metadata, location data, and personally identifiable information, or PII.
At first glance it seems natural to think of PII as the most dangerous category of leak, but it only amounts to around three percent of leaks on Android devices and less than one percent on iOS. The vast majority of leaks are metadata, which poses a problem because that data is unchangeable.
MACs, UDIDs, and GSM IMEIs are all fixed from the moment a device is built. They can be used to steal other important data from phones, cause targeted DoS attacks, remotely root SIM cards, and generally compromise a device.
iOS vs. Android: Which is worse?
One thing needs to be made clear: there aren't very many instances of this kind of privacy leak in the grand scheme of things. The report is based on 45 million instances of mobile devices interacting with the cloud, of which only 200,000 were leaks. In other words, only 0.4 percent of transactions are leaks.
Android, overall, is responsible for less of the total traffic and fewer total leaks: 0.3 percent of Android's 20 million transactions resulted in compromised information. iOS, on the other hand, saw 0.5 percent of its 26 million transactions leaked.
That 0.3 vs. 0.5 might not seem like much, but the difference is substantial: if Android were leaking the same 0.5 percent of transactions, it would still be responsible for 30,000 fewer leaks than iOS.
Here's the catch, however: Android is an overwhelming problem in the United States, where more than 50 percent of Android leaks originate, while iOS device leaks outside of China are scattered at best. iOS doesn't pose nearly as great a security risk for US companies: It's Android where Americans need to be wary.
What businesses can do
According to an IBM report cited by Zscaler, 50 percent of mobile app developers allocate absolutely no budget to testing for security flaws. With numbers that high it's essential that businesses don't rely on software companies to secure their own platforms: Steps have to be taken internally as well.
All it takes is one big hack to leave a company picking up the shattered pieces of an enterprise. Don't let that be you: Keep security at the top of your IT department's priorities.
The 3 big takeaways for TechRepublic readers
- Zscaler revealed that many mobile apps are leaking sensitive data that can be used to hack and disrupt networks.
- Over half of Android leaks originate in the US and only a few percent of iOS ones do the same. Android is a far greater security risk for American companies.
- 50 percent of app developers ignore security testing, so don't rely on your cloud providers to keep sensitive data secure: Make sure security starts internally to minimize threats.
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.