Capturing the phone’s IMSI number and MAC address, the leaked data could have made users trackable, potentially over their lifetimes, says Palo Alto Networks.
Mobile apps can pose risks even when their developers have no malicious intent. Bugs or errors introduced during development can lead to problems such as data leaks. Cybersecurity firm Palo Alto Networks found two apps from Chinese tech company Baidu leaking data from the devices they were installed on. A blog post published Tuesday describes the type of data being leaked and why such leaks can be hazardous.
With the aid of machine learning (ML)-based spyware detection, researchers at Palo Alto Networks’ Unit 42 security arm found multiple Android apps on Google Play that were leaking data. In the lineup were Baidu Search Box and Baidu Maps, which together had been downloaded 6 million times in the US. The leaked data included the phone’s MAC address, certain carrier information, and the IMSI number.
The MAC address is used as an identifier for the networking hardware in a device and never changes. The IMSI (International Mobile Subscriber Identity) number is used to identify a subscriber with a cellular network and is usually associated with the device’s SIM card. Both the MAC address and IMSI number can be used to track the location of a mobile device and its user, hence the concern over the data leakage.
Though the flaw may not have been intentional, the collection of unique identifiers is discouraged, according to Android’s best practice guide. This is because cybercriminals can use IMSI catcher tools to grab this type of leaked data to profile device users, extract further sensitive information, and even intercept phone calls and text messages.
Unit 42 informed both Baidu and Google of its findings. In response, Google removed both apps from Google Play on Oct. 28. At this point, a compliant version of Baidu Search Box is available at Google’s app store, while Baidu Maps remains offline and unavailable.
Beyond giving up the MAC address and IMSI numbers, some Android apps have been discovered leaking other types of data, including the phone model, screen resolution, carrier, network type (Wi-Fi, 3G, 4G, etc.), Android ID, and the IMEI (International Mobile Equipment Identity) number. Some of this data is relatively benign. But a leak of the IMEI number can raise a red flag.
Unique to each device, the IMEI number is another means of identifying and tracking a phone, especially useful if it’s lost or stolen. A hacker who obtains this number could report the device as stolen and persuade the provider to disable it and block its network access.
“Data leakage from Android applications and SDKs represents a serious violation of users’ privacy,” Palo Alto Networks said in its post. “Detection of such behavior is vital in order to protect the privacy rights of mobile users.”
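One way to audit an app for this kind of leak, as an added example (not code from Palo Alto Networks or from this article): on a test device whose identifiers you already know, search each captured outbound payload for those values in plain, Base64 and hashed form. The device identifiers, the sample request and all function names below are constructed for illustration.

```python
import base64, hashlib, re
from urllib.parse import unquote

# Constructed identifiers for a hypothetical test device (not real values).
DEVICE = {"imsi": "310150123456789", "imei": "490154203237518",
          "mac": "02:00:5e:10:a4:7f", "android_id": "a1b2c3d4e5f60718"}

def variants(value):
    """Map each form an app might transmit for one identifier to its encoding."""
    forms = {}
    bare = value.replace(":", "")  # MAC addresses are often sent without separators
    for v in {value, value.upper(), bare, bare.upper()}:
        raw = v.encode()
        forms[base64.b64encode(raw).decode()] = "base64"
        for algo in ("md5", "sha1", "sha256"):
            forms[hashlib.new(algo, raw).hexdigest()] = algo
        forms[v] = "plain"
    return forms

def find_leaks(payload, device=DEVICE):
    """Return sorted (identifier, encoding) pairs found in one outbound payload."""
    text = unquote(payload)               # undo %3A-style URL encoding
    haystacks = (text, text.lower())      # lower() catches upper-case hex digests
    hits = set()
    for name, value in device.items():
        for needle, enc in variants(value).items():
            if any(needle in h for h in haystacks):
                hits.add((name, enc))
    return sorted(hits)

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; IMSIs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def imei_candidates(payload):
    """15-digit runs that pass Luhn, for when the device's IMEI is not known."""
    return [m for m in re.findall(r"(?<!\d)\d{15}(?!\d)", unquote(payload)) if luhn_ok(m)]

# Constructed request body modelled on the identifier types the article lists.
SAMPLE_REQUEST = (
    "model=Pixel&net=4G&mac=02%3A00%3A5E%3A10%3AA4%3A7F"
    "&sid=" + base64.b64encode(DEVICE["imsi"].encode()).decode()
    + "&did=" + hashlib.md5(DEVICE["imei"].encode()).hexdigest()
)

if __name__ == "__main__":
    print(find_leaks(SAMPLE_REQUEST))
```

Matching on known values catches identifiers that were encoded or hashed before sending, which a plain-text pattern search would miss.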
The dilemma here is that users are dependent on the honesty and reliability of the developer to keep key information private. Legitimate Android apps typically ask a user to allow or deny permissions for certain features. However, disallowing permissions can cause an app to fail to work properly. Because of the confusion and complexity over this process, users may simply grant all permissions to facilitate the use of the app.