As the presidential primary season continues to heat up, there are a growing number of mobile apps, but not all of them are secure. More than 50 percent of the presidential primary-related apps Symantec surveyed were leaking private user information in some way.
Symantec looked at 1,217 apps and found that 654 were exposing data, explained Shaun Aimoto, principal software quality assurance engineer at Symantec. The company only looked at Android apps as part of its research and did not analyze iOS apps.
While there are apps for all current presidential candidates, Symantec found that apps related to the campaign of Republican candidate Donald Trump dominate the landscape, with approximately 75 percent of presidential primary apps. Those related to Democrat Bernie Sanders represented 13 percent of surveyed apps, while 7 percent related to Democrat Hillary Clinton.
A report released earlier this month found the Trump Website to be the most secure of all current presidential candidates.
Whenever users install any app, Android asks them for certain permissions and access to the devices’ functions and data. While permission-based leakage is often a problem with mobile apps, that’s not the primary challenge for the presidential primary apps. Symantec used dynamic analysis within Norton Mobile App Insight to identify leaking, Aimoto said.
“We define a leak as PII [personally identifiable information] being sent off the phone without encryption,” Aimoto told eWEEK. “The data may be going to a legitimate destination, but it could be intercepted by someone sniffing the traffic.”
While Symantec looked at data leakage, the study didn’t identify SSL/TLS (Secure Sockets Layer/Transport Layer Security) usage in mobile apps, Aimoto said. SSL/TLS is used to encrypt data in motion across the Internet. Though Symantec didn’t specifically look at SSL/TLS, Symantec still considers unencrypted PII coming off the phone to be a leak even if the channel is encrypted, Aimoto said, adding that there were examples in the presidential apps of leaks via HTTP, HTTPS and other ports.
Nearly a third (31 percent) of surveyed apps leaked information about users’ devices, including the brand, model and operating system; 14 percent of apps leaked SIM card information, including users’ international mobile subscriber identity (IMSI). Only 2 percent of surveyed apps, however, leaked the mobile user’s phone number.
It’s not clear if or when the presidential campaign apps that Symantec identified as leaking information will fix the flaw.
“As a best practice, if a brand is mentioned in a Symantec blog, we will share the content with them in advance,” Aimoto said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.