Summary Findings from Singapore’s First Privacy Survey Covering Mobile Applications

Conducted by Straits Interactive with support from AppKnox

Objectives of Survey

  • Assess Data Protection / Privacy practices for mobile apps
  • Scan mobile apps for privacy risks

(conducted between Aug – Sep 2015)

The survey is benchmarked against a similar survey done by the Global Privacy Enforcement Network (GPEN).

Benchmark: results of the 2014 GPEN Privacy Sweep, global trends and Canada (Office of the Privacy Commissioner of Canada, OPC).

Source: https://www.priv.gc.ca/media/nr-c/2014/bg_140910_e.asp

Methodology

1) Assess Data Privacy Practices

1. Only Android Applications were chosen for consistency

2. Reference site: https://play.google.com/

3. Searched the most popular applications, as well as those representative of several categories

4. In each search, the following were collated:

• App/Company Name
• Developer (internal or outsourced? an individual or an app development company?)
• Privacy policy (Does it cover mobile apps?)
• Web site
• Review (indication of quality)

5. Analysis of 103 mobile applications plus 10 apps relating to financial advisors/real estate agents

2) Use of Scan technology from AppKnox

1. Analyzed the APK binary file of each app as obtained from play.google.com

Code Analysis

Code analysis covers basic coding practices, data flow and metrics, including checks against OWASP configuration guidance. The Open Web Application Security Project (OWASP) is an online community dedicated to web application security.

Attacker’s Approach

Going a step further, the scan also takes an attacker's approach to analyze the security of the app's network communication and of the product itself.

Summary findings for mobile apps privacy practices

                                                    GLOBAL APPS   OPC APPS   SG APPS
Total # of apps examined                            1211          151        103

PERMISSIONS (Indicator 2)
Apps requesting 1 or more permissions               75%           70%        89%

PERMISSION REQUESTED                                GLOBAL APPS   OPC APPS   SG APPS
Location                                            32%           22%        70%
Contacts                                            9%            10%        7%
Calendar                                            2%            2%         8%
Microphone                                          5%            7%         4%
Camera                                              10%           8%         29%
Device ID                                           16%           13%        52%
Access to other accounts                            15%           23%        49%
SMS                                                 4%            6%         12%
Call log                                            7%            11%        2%

PRIVACY COMMUNICATIONS                              GLOBAL APPS   OPC APPS   SG APPS
Apps with concerns regarding pre-installation       59%           42%        65%
  privacy communications
Apps with excessive permissions based on sweeper's  31%           28%        58%
  understanding of app's functionality
Apps with privacy communications not well tailored  43%           31%        Not assessed
  to small screen

OVERALL PRIVACY MARKS                               GLOBAL APPS   OPC APPS   SG APPS
0 = No privacy information, other than permissions  30%           11%        18%
1 = Privacy information not adequate; sweeper       24%           15%        55%
    does not know how information will be collected,
    used and disclosed
2 = Privacy information somewhat explains the app's 31%           46%        17%
    collection, use and disclosure of personal
    information; however, sweeper still had
    questions about certain permissions
3 = Privacy information clearly explains how app    15%           28%        10%
    collects/uses/discloses personal information;
    sweeper is confident in his/her knowledge of
    app's practices
Total                                               100%          100%       100%

Summary Findings for Mobile Apps with Privacy / Security Concerns

Top 3 privacy/security concerns

69% – JavaScript interface: a JavaScript interface exposed by the app's WebView can give an attacker the ability to execute arbitrary code and perform unexpected actions on behalf of the user, remotely and without ever touching the device physically.

61% – Misconfiguration in SSL: a misconfigured SSL/TLS setup lets an attacker intercept the app's Internet connection (a man-in-the-middle attack), which can compromise user details.

52% – Poor encryption: weakly encrypted data can be decrypted by an attacker to gain access to the user's personal data. Easily decrypted information is like leaving the user's keys out in the open for any thief to take.
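The SSL misconfiguration counted above corresponds to two of the scan findings listed below, a trust manager that accepts any certificate and a hostname verifier that allows all host names. The following Android Java code is an added illustration written for this summary; it is not code from the survey, from AppKnox or from any surveyed app. It shows the lenient TrustManager and HostnameVerifier pattern beside a hardened connection that keeps the platform defaults and refuses cleartext URLs. The class name TlsClientExample, the method names and the embedded Network Security Config fragment are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added illustration (assumed class and method names), not code from the survey.
public class TlsClientExample {

    // WEAK ("Broken Trust Mgr for SSL"): a TrustManager whose check methods never
    // throw accepts any certificate chain, including one presented by a device
    // sitting between the app and the server, so TLS no longer authenticates
    // the server. Static scanners flag exactly this empty-body pattern.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // WEAK ("Host Name Verifier Allow All Host Names"): a verifier that always
    // returns true accepts a valid certificate issued for any other domain.
    static final HostnameVerifier ALLOW_ALL =
        (String hostname, SSLSession session) -> true;

    static HttpsURLConnection openWeak(String url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL);
        return conn;
    }

    // HARDENED: keep the platform's default TrustManager and HostnameVerifier
    // (both apply when nothing is overridden: the chain is validated against the
    // system trust store and the hostname is matched against the certificate)
    // and refuse to speak anything but HTTPS, which also addresses the
    // "Insufficient Transport Layer protection" finding.
    static HttpsURLConnection openHardened(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("refusing cleartext URL: " + url);
        }
        return (HttpsURLConnection) u.openConnection();
    }

    // Assumed companion configuration for Android 7.0+ projects: a Network
    // Security Config (res/xml/network_security_config.xml) referenced from the
    // manifest via android:networkSecurityConfig. It disables cleartext
    // app-wide so a single forgotten http:// URL cannot undo the check above.
    static final String NETWORK_SECURITY_CONFIG_XML =
        "<network-security-config>\n"
      + "  <base-config cleartextTrafficPermitted=\"false\" />\n"
      + "</network-security-config>\n";
}
```

The weak half is the shape a scanner looks for: a custom X509TrustManager with empty check methods, or a HostnameVerifier returning a constant, installed on the connection or on a shared SSLContext. A code review that finds either should ask what certificate problem the author was working around; the usual answer is a self-signed test server, which is better handled by a debug-only Network Security Config trust anchor than by disabling validation in release code.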

HIGH RISK VULNERABILITIES                           % OF OVERALL MOBILE APPS (GRAND TOTAL)
Broken Trust Manager for SSL (High Risk)            61%
Broken Host Name Verifier for SSL                   45%
Host Name Verifier Allow All Host Names             31%
Remote Code Execution Through JavaScript Interface  69%
Insufficient Transport Layer Protection             28%
Derived Crypto Keys                                 52%
Application Log (Medium Risk)                       45%
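Two more of the findings in the table, remote code execution through a JavaScript interface and derived crypto keys (the "poor encryption" concern listed earlier), are shown below as an added Android Java illustration. This is not code from the survey, from AppKnox or from any surveyed app; the class names, the AppBridge interface name, the api.example.com host and the app-data-key alias are assumptions made for illustration. Each weak pattern is followed by a hardened form.

```java
import android.content.Context;
import android.net.Uri;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added illustration (assumed names: WebViewAndKeyExample, AppBridge,
// api.example.com, app-data-key), not code from the survey or any surveyed app.
public class WebViewAndKeyExample {

    // ---- JavaScript interface -----------------------------------------------

    // WEAK: the bridge hands the page the user's session token and device ID.
    // Every page this WebView loads can call these methods, so a page injected
    // into the cleartext connection below gets them too. On API < 17 the
    // exposure is worse: every public method of the object is reachable, not
    // only those annotated @JavascriptInterface.
    static class WeakBridge {
        private final String sessionToken, deviceId;
        WeakBridge(String sessionToken, String deviceId) {
            this.sessionToken = sessionToken; this.deviceId = deviceId;
        }
        @JavascriptInterface public String getSessionToken() { return sessionToken; }
        @JavascriptInterface public String getDeviceId() { return deviceId; }
    }

    static void configureWeak(WebView webView, String token, String deviceId) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new WeakBridge(token, deviceId), "AppBridge");
        webView.loadUrl("http://api.example.com/home");   // cleartext; page can be replaced in transit
    }

    // HARDENED: expose nothing sensitive through the bridge, disable local file
    // and content access, and pin navigation to the app's own HTTPS origin so no
    // other page can ever reach the interface.
    static class HardenedBridge {
        @JavascriptInterface public String appVersion() { return "1.0"; }  // assumed value
    }

    static final String TRUSTED_HOST = "api.example.com";   // assumed

    static boolean isTrustedOrigin(Uri url) {
        return "https".equals(url.getScheme()) && TRUSTED_HOST.equals(url.getHost());
    }

    static void configureHardened(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);        // only because this WebView needs the bridge
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrustedOrigin(request.getUrl());   // true = block the navigation
            }
        });
        webView.addJavascriptInterface(new HardenedBridge(), "AppBridge");
        webView.loadUrl("https://" + TRUSTED_HOST + "/home");
    }

    // ---- Key material -------------------------------------------------------

    // WEAK ("Derived Crypto keys"): the key is computed from a value anyone can
    // read out of the APK, so decrypting the stored data needs no secret at all.
    static SecretKey weakKey(Context ctx) {
        byte[] seed = (ctx.getPackageName() + "-secret").getBytes(StandardCharsets.UTF_8);
        return new SecretKeySpec(Arrays.copyOf(seed, 16), "AES");   // truncated to 128 bits
    }

    // HARDENED (API 23+): generate the key inside the Android Keystore. The key
    // bytes never leave the keystore, so they are in neither the APK nor a backup.
    static SecretKey hardenedKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias("app-data-key")) {
            return ((KeyStore.SecretKeyEntry) ks.getEntry("app-data-key", null)).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder("app-data-key",
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }
}
```

The two halves differ in what the scanner sees: in the weak form the bridge object carries secrets and the WebView has no origin restriction, and the AES key is a deterministic function of data shipped in the APK; in the hardened form the bridge carries nothing worth stealing, navigation is confined to one HTTPS host, and the key exists only inside the keystore.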

Mobile application developers are advised to get their mobile apps scanned for privacy and security vulnerabilities.

To get the complete report and findings, as well as the individual security report of the mobile application covered, please contact sales@straitsinteractive.com.

See the press release for more information: http://www.straitsinteractive.com/PR_SI_Mobile_Apps_Survey_28102015.pdf