What’s in your apps?? Lessons from the Los Angeles / Weather Channel app lawsuit.

save
Share and earn Cybytes
Facebook Twitter LinkedIn Email

The City of Los Angeles has sued to stop the operator of The Weather Channel’s mobile phone application from allegedly “covertly mining the private data of users and selling the information to third parties, including advertisers.”

“We’re acting to stop this alleged deceit,”  Los Angeles City Attorney Mike Feuer said Friday in a statement. “We allege TWC (The Weather Channel) elevates corporate profits over users’ privacy, misleading them into allowing their movements to be tracked, 24/7.”

According to CNN, defendant TWC Product and Technology, a subsidiary of IBM, disputes the claims. “Weather Company has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously,”  IBM spokesman Saswato Das told CNN.

What’s in your apps?

Without commenting on the case itself, the dispute reinforces a key question in enterprise mobile security: what’s in your apps??  While Zimperium’s zIPS solution provides the best protection against active mobile attacks, one of the other products in our portfolio ( z3A) gives even greater visibility into the risk of the applications installed on users’ devices.

Zimperium’s z3A (advanced app analysis) continually evaluates mobile app risk across company employees and their devices. z3A provides intelligent insight into the apps installed on your employees’ devices. You can see which apps are safe or risky, and set security policies to reduce that risk. For each app, z3A provides executive, technical, JSON and other reports.

z3A Privacy Example: iOS Weather Channel app

The lawsuit prompted us to look at the z3A reports of a recent Weather Channel iOS app. We were wondering what the app’s privacy risks were. We have included some screenshots of the actual z3A Technical Report to showcase some of the real world findings.

Summary:

Overall, the app was determined to have many privacy risk elements, as shown in the report’s summary introduction:

“High Risk” Privacy Issues:

Some of the app’s highest privacy risks are shown below. It is interesting that the app can access EXIF metadata from stored photos and videos, which Apple prohibits, and includes pin-point location functionality that is only supposed to be used by actual navigation apps.

“Medium Risk” Privacy Issues:

While not quite as critical as the high privacy risk items just shown, the app had a significant number of medium security risks too. As you can see, there are quite a few issues around data leakage, advertising (including AdMob, not just ads within the app) and the sending of PII such as first name, last name and the device’s UUID (universally unique identifier). Depending on your organization’s risk tolerance, some of these may be critical enough to warrant creating custom policies, perhaps by specific user groups.

 

OWASP “Top 10 Mobile” Categories:

For another view, z3A also reports on how each app does against the OWSAP Top 10 Mobile Categories.  Overall, the app passed only 5 of the 10, earning it a “Fail”. Here are few privacy categories that led to that failure:

  • M2: Insecure Data Storage.
    • The app may be leaking data via the UIText auto-correction functionality.
    • The app has the ability to send email.
    • The app implements the MFMessageComposeViewController. This enables the app to send SMS messages programmatically. Unintentional data leakage, SMS spam and trojan behavior are risk considerations.
  • M3: Insecure Communications.
    • The app is using a non-encrypted HTTP connection.
    • The app sends query parameters with private information such as the first name, last name, email address and UUID.
  • M5: Insufficient Cryptography.
    • The app is configured to allow unsecure and unverified connection to servers with lower TLS versions.

If you would like to learn more about z3A, or other Zimperium solutions, please contact us.

The post What’s in your apps?? Lessons from the Los Angeles / Weather Channel app lawsuit. appeared first on Zimperium Mobile Security Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
Follow
1987 Followers
About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel