David Choffnes is leading the research at Northeastern University

New system alerts users to data-leaking apps

Researchers have developed a cloud-based system that prevents apps from leaking personal data.

The team, from Northeastern University in Boston, said that many apps are putting personal information at risk by transmitting sensitive data such as passwords and email addresses unencrypted, in plain text.

Their new system, called ReCon, implements a number of functions to prevent apps from behaving in this way.

It detects leaks of personally identifiable information, alerts users to those breaches and lets them control the leaks by specifying what information they want blocked and from whom.

"Our devices really store everything about us on them: who our contacts are, our locations, and enough information to identify us because each device has a unique identifier number built into it," says David Choffnes, university professor and leader of the research team.

"A lot of network traffic that goes back and forth isn't protected by encryption or other means.

"What's really troubling is that we even see significant numbers of apps sending your password, in plaintext readable form, when you log in."

In a public WiFi setting, this means that anyone running 'some pretty simple software' could intercept and read this data.

A June 2015 Forrester Research study reported that smartphone users spend more than 85 per cent of their time using apps, but little research had been done on how they submit network traffic because mobile devices' operating systems are difficult to crack.

The university team followed 31 mobile device users with 24 iOS devices and 13 Android devices.

The participants used ReCon for periods ranging from one week to 101 days and monitored their personal data leaks through a secure webpage.

The researchers said that despite the small number of users taking part in the study, 165 cases of credentials being leaked in plain text were detected.

Of the top 100 apps in each operating system's app store, more than 50 per cent leaked device identifiers, more than 14 per cent leaked actual names or other user identifiers, 14-26 per cent leaked locations and three leaked passwords in plain text.

In addition to those top apps, the study found similar password leaks from 10 other apps used by the participants.

"Our system is designed to use cues in the network traffic to figure out what kind of information is being leaked," said Choffnes.

"The software then automatically extracts what it suspects is your personal information. We show those findings to users, and they tell us if we are right or wrong. That permits us to continually adapt our system, improving its accuracy."
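The detect, confirm and block loop described above can be sketched in a few lines. This is an added illustration, not ReCon's own code or algorithm: the key-name cue list, the `LeakMonitor` class and the sample request are assumptions constructed for the example, and it only handles form-encoded data sent over unencrypted HTTP.

```python
from urllib.parse import urlsplit, parse_qsl

# Key-name cues per category: an assumed hand-written list, not ReCon's model.
CUES = {
    "password": ("pass", "pwd"),
    "email": ("email", "mail"),
    "device_id": ("imei", "udid", "idfa", "device"),
    "location": ("lat", "lon", "gps"),
}

# Constructed sample: a login sent over unencrypted HTTP.
SAMPLE = (
    "POST /login?platform=ios HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "email=alice%40example.test&password=hunter2&udid=0123456789abcdef"
)

def parse_request(raw):
    """Return (host, [(key, value), ...]) from a plaintext HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ", 2)[1]
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in header_lines)}
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs += parse_qsl(body, keep_blank_values=True)
    return headers.get("host", ""), pairs

class LeakMonitor:
    def __init__(self):
        self.rejected = set()  # (host, key) the user marked as a wrong guess
        self.blocked = set()   # (category, host) to block; host "*" means any

    def feedback(self, host, key, correct):
        if not correct:
            self.rejected.add((host, key))

    def inspect(self, raw):
        """Return (category, key, host, action) findings; values are not kept."""
        host, pairs = parse_request(raw)
        findings = []
        for key, value in pairs:
            hit = next((c for c, cues in CUES.items()
                        if any(cue in key.lower() for cue in cues)), None)
            if hit and value and (host, key) not in self.rejected:
                action = "block" if {(hit, host), (hit, "*")} & self.blocked else "alert"
                findings.append((hit, key, host, action))
        return findings
```

On the sample, the naive cue `lat` wrongly flags `platform=ios` as a location; calling `feedback(host, "platform", correct=False)` removes that finding on the next pass, which is the role user confirmation plays in the quote above.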
