August 15, 2012

Protecting Your Personal Info from 'Leaky Apps'


Personal information management (PIM) is certainly top of mind these days as concerns grow about who has access to our life critical information, when, where how and why. The subject is a passion of mine as might be guessed from very recent postings on Steve Wozniak’s diatribe about the harmful effects of losing control of things that end up on the cloud, NetAuthority’s introduction of device-centric authentication with transaction verification, and the ClickFox survey results regarding whom we do trust.   It also is a passion for the industry as identity theft increases, putting at risk current comfort levels of consumer trust that are the cornerstone of eCommerce. 

While much attention is being paid to what online providers are offering in terms of their “safeguards” and privacy policies, and new capabilities that create trusted vaults where you can safely store the virtual you are sprouting like weeds, an interesting part of the trust equation has been under the radar. What I am referring to is what I as a user would like to know about what is going on with all of those apps on my smartphone that are constantly being pinged draining battery life as well as personal info. Apps like Juice Defender can help me on the battery side, but what about all that data?

 NetAuthority provides a nice way for networks to allow us to transact in a secure manner from their perspective, but what the view from the user perspective has been limited or non-existent.  The good news is there is now an answer for that question. Enter Mobilescope.

What you should and need to know

What is Mobilescope? 

The simple answer is that it is a new service now in beta that lets smartphone users examine all the data that apps transfer, and alerts them when sensitive information, such as his name or e-mail address, is transferred.

"It's a platform-agnostic interception tool that you can use on your Android, iOS, Blackberry, or Windows device," says Ashkan Soltani, an independent privacy researcher, who created Mobilescope with fellow researchers David Campbell and Aldo Cortesi.

How it works

The company’s website provides details including a useful FAQs section. A summary of how it works goes as follows. Once signed up for the service, Mobilescope is accessed via a website, not an app. There users can see logs of the data transferred by the apps on their device. The company also notes that users can then specify what are called "canaries"—sensitive info such as a phone number, e-mail or name—that trigger an alert if they are sent out by an app.

Is alerting important? 

If you want peace of mind you betcha! A sad truth about the mobile apps world is that several companies have been caught using their apps to extract sensitive personal information without user permission. Inquiring minds may want to know but as a user we need to know who is inquiring and what information they would like to and seemly can have without our knowledge or consent. As Soltani says the service is intended to level the playing field between mobile apps and the people that use them by arming users with more information about what those apps do.

Apple and Google like to boast about the number of apps in their stores, however, buyer/downloader beware. Neither of the app delivery capabilities do much more than let you download. It is up to your antivirus capabilities to decide if they are safe to install, but after that you are on your own as to what info those apps might be sharing once they are up and running.

But I digress. As the company explains, unlike and app, when you sign up for the service a configuration file is sent to the device which directs all Internet traffic to be routed through a Mobilescope server. The server takes a look at inbound and outbound applications data transfers to compile its analyses for user viewing and from which alerts can be generated.

The challenge for Mobilescope is going to be in managing the customer experience. The company says it designed its solution to cause minimal delay and believes that connecting users to near-by servers will further mitigate this challenge. Whether one person’s perception of delay translates into something that is acceptable when the service is massively deployed remains to be seen. 

A good start

Mobilescope’s founders are careful to point out that while they can examine data sent over the most common secure connections by intercepting the certificates involved, the ecosystem for high levels of security do not yet exist. For instance, the service cannot decrypt other data, but Soltani says few apps currently use encryption.

For those concerned about Moiblescape’s collection of data, the company likes to point out that data collected by Mobilescope is discarded after each session of use, and is only stored on a person's own device.

There is a saying in sports that a “good defense is the best offense.” Civil libertarians have been crying out not just for better laws that go beyond the current status quo of opaque privacy policies meant only to avoid the penalties for writing false ones to real negotiated permissions. With little or no defense from the user’s perspective currently available regarding what is politely being called “app leakage” this evolving line of defense from Moiblescope is a welcome addition to the challenge of ensuring online activities can be trusted. We certainly plan to keep an on it, and you can be sure there are lots of others, from a variety of perspectives, doing so as well.  




Edited by Brooke Neuman



Related Tags

Cloud    Google    Security
Apple    Smartphone    Apps

blog comments powered by Disqus

More in TechZone360