Tuesday, December 12, 2017

If an app is free, is it trustworthy?


In the case of some popular software, not necessarily.

Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server.

The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world.

But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data.

. . .

Each record contains a basic collected data, including the user's full name, email addresses, and how many days the app was installed. Each record also included a user's precise location, including their city and country.

. . .

More complete records also include the device's IMSI and IMEI number, the device's make and model, its screen resolution, and the device's specific Android version.

A large portion of the records also included the user's phone number and the name of their cell phone provider, and in some cases their IP address and name of their internet provider if connected to Wi-Fi. Many records contain specific details of a user's public Google profile, including email addresses, dates of birth, genders, and profile photos.

We also found several tables of contact data uploaded from a user's phone. One table listed 10.7 million email addresses, while another contained 374.6 million phone numbers. It's not clear for what reason the app uploaded email addresses and phone numbers of contacts on users' phones.

Several tables contained lists of each app installed on a user's device, such as banking apps and dating apps.

There's more at the link.  It makes for disturbing reading.

This is very worrying for two reasons.  The first and most obvious is that the app developer did not password-protect user information, leaving it vulnerable to hacking.  The second, more insidious concern is that most users probably did not have any idea of how much information about them and their telephones, contacts, etc. the app was collecting.  Privacy?  What privacy?

This is by no means the only instance where a 'free' app proved to be risky at best.  One of the best-known cleanup programs, CCleaner (the free version of which I've used myself for a very long time), was recently infected with malware, which downloaded itself to users along with a program update.  That affected my computer, too.  It took a lot of hard work by a lot of people, and disruption to many users' computers, to deal with the problem.

Moral of the story:  free software isn't necessarily free of malware, viruses, and bugs.  Even paid software isn't immune.  Use at your own risk.

Peter

5 comments:

Jonathan H said...

It also tells me that many people don't look at the permissions they give apps - you should only gives apps the access they need; for example, why does a keyboard app need your location?

I keep my GPS turned off when I'm not using it, and I deny apps access to it unless I need them to have that access. One app I use complains I haven't given it access to my contacts; it doesn't need access, so O don't give it.

ALWAYS use the lowest possible level of access to get the job done, whether on a computer or on a phone.

A note on free apps versus paid: just because it is paid for doesn't mean it is written better or won't leak your data. All apps are a risk in one way or another and require trust on the part of the user; there is no foolproof way for most people to know whether an app can be trusted.

Fargazer said...

I have to second Jonathan H's remarks. I actually use the paid version of the keyboard, and looked at the permissions once I read this article: it could store information (to record settings and vocabulary), but had no permissions for contacts, SMS, or anything else. Paranoia and parsimonious permissions are your friend.

If you have a rooted device (I have one of my three this way), there are programs to allow you to quarantine apps to ONLY run when actually used, and otherwise keep them disabled. Very handy to keep apps from running in the background doing who knows what...

Steve Sky said...
This comment has been removed by the author.
Steve Sky said...

The other thing to emphasize is to make sure the program cannot do any automatic updates. This especially includes commercial companies like Microsoft or Adobe. Over the years, I've read many stories of people who trusted their program, enabled automatic updates, and then discovered they had problems, or worse, their system was bricked. I've learned to read the reviews of the update on security sites like Krebs to find out whether I should be updating or not. I mention Microsoft specifically because a couple of years ago, Microsoft's forced Win 10 update was bricking PCs & laptops, and depending on where the failure occurred, you couldn't back the update out. Hope you had enough money to replace your system and good backups for your data.

For a long time, Adobe installed adware or virus scanners, with every update they provided. You could get around this by going directly to the download site, but they finally closed that out. Instead, make sure you unclick on the tiny check box, and read the agreement line with the same skepticism you would show to a politician's statement, or otherwise, you'll spend some time cleaning up after Adobe's additional "options" installation.

Other examples exist, like the Ukraine's accounting & finance automatic update, which encrypted every drive it ran on. Speculation is that Russia did it as a cyberwar act against the Ukraine, but without automatic update, the users wouldn't have lost data.

WOZ said...

My theory is if it's free you are the product.