By capturing the phone’s IMSI number and MAC address, the apps leaked data that could have made users trackable, potentially over their lifetimes, says Palo Alto Networks.
Mobile apps can pose risks even when their developers have no malicious intent. Bugs or errors introduced during development can lead to problems such as data leaks. Cybersecurity firm Palo Alto Networks discovered that two apps from Chinese tech company Baidu were leaking identifying data from users’ devices. A blog post published Tuesday describes the type of data being leaked and why such leaks can be hazardous.
With the aid of machine learning (ML)-based spyware detection, researchers at Palo Alto Networks’ Unit 42 security arm found multiple Android apps on Google Play that were leaking data. In the lineup were Baidu Search Box and Baidu Maps, which together had been downloaded 6 million times in the US. The leaked data included the phone’s MAC address, certain carrier information, and the IMSI number.
The MAC address is used as an identifier for the networking hardware in a device and never changes. The IMSI (International Mobile Subscriber Identity) number is used to identify a subscriber with a cellular network and is usually associated with the device’s SIM card. Both the MAC address and IMSI number can be used to track the location of a mobile device and its user, hence the concern over the data leakage.
Though the flaw may not have been intentional, the collection of unique identifiers is discouraged, according to Android’s best practice guide. This is because cybercriminals can use IMSI catcher tools to grab this type of leaked data to profile device users, extract further sensitive information, and even intercept phone calls and text messages.
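To make the best-practice point concrete, the following is an added example (not code from the article, from Baidu, or from Unit 42) contrasting the discouraged pattern of reading hardware identifiers with the app-scoped random identifier that Android’s unique-identifier guidance recommends. It assumes the standard Android SDK; the class and method names are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.net.wifi.WifiManager;
import android.telephony.TelephonyManager;
import java.util.UUID;

/** Hypothetical helper contrasting hardware identifiers with an app-scoped ID. */
public final class DeviceIds {
    private static final String PREFS = "app_identity";
    private static final String KEY_ID = "installation_id";

    /**
     * DISCOURAGED: the kind of collection described in the article. The IMSI is tied
     * to the SIM and the MAC to the Wi-Fi hardware, so either value lets a server
     * correlate the user across apps and over time. Reviewers should flag these calls.
     * Note: READ_PHONE_STATE is required; on Android 10+ getSubscriberId() throws
     * SecurityException for ordinary apps, and getMacAddress() has returned the
     * constant 02:00:00:00:00:00 since Android 6, so the calls fail or mislead anyway.
     */
    public static String legacyHardwareId(Context ctx) {
        TelephonyManager tm =
            (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        WifiManager wm = (WifiManager) ctx.getApplicationContext()
            .getSystemService(Context.WIFI_SERVICE);
        String imsi = tm.getSubscriberId();                   // IMSI
        String mac = wm.getConnectionInfo().getMacAddress();  // Wi-Fi MAC
        return imsi + "|" + mac;
    }

    /**
     * RECOMMENDED: a random identifier generated on first run and stored in the
     * app's private preferences. It identifies this installation only, cannot be
     * linked to the SIM, the hardware or other apps, and is reset whenever the user
     * reinstalls the app or clears its data, which is exactly what push or analytics
     * use cases need.
     */
    public static synchronized String installationId(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY_ID, null);
        if (id == null) {
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY_ID, id).apply();
        }
        return id;
    }
}
```

A code review or static check that searches an APK’s decompiled sources for `getSubscriberId`, `getDeviceId`, `getImei` and `getMacAddress` will surface the discouraged pattern before release.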
Unit 42 informed both Baidu and Google of its findings. Google removed both apps from Google Play on Oct. 28. At this point, a compliant version of Baidu Search Box is available at Google’s app store, while Baidu Maps remains unavailable.
“The referenced information requested by Baidu App (or referred to as “Baidu Search Box” in the report) was used to enable push functionality, as disclosed in the privacy agreement,” a Baidu spokesperson told TechRepublic.
“Baidu takes the privacy and security of its users very seriously and data is only used under the authorization of users,” the spokesperson added. “The reported issues had been addressed in the newest version of apps before Unit 42 reached out for its research. Baidu App and Baidu Maps were not removed from the Google Play store for the findings in this research. Baidu App has returned to the Play Store as of November 19. Similar to Baidu App, we are working to update Baidu Maps in accordance with Google’s guidelines and expect that the app will return to Google Play in early December.”
Beyond giving up the MAC address and IMSI number, some Android apps have been discovered leaking other types of data, including the phone model, screen resolution, carrier, network type (Wi-Fi, 3G, 4G, etc.), Android ID, and the IMEI (International Mobile Equipment Identity) number. Some of this data is relatively benign. But a leak of the IMEI number can raise a red flag.
Unique to each device, the IMEI number is another means of identifying and tracking a phone, especially useful if it’s lost or stolen. A hacker who obtains this number could report the device as stolen and persuade the provider to disable it and block its network access.
“Data leakage from Android applications and SDKs represents a serious violation of users’ privacy,” Palo Alto Networks said in its post. “Detection of such behavior is vital in order to protect the privacy rights of mobile users.”
The dilemma here is that users are dependent on the honesty and reliability of the developer to keep key information private. Legitimate Android apps typically ask a user to allow or deny permissions for certain features. However, disallowing permissions can cause an app to fail to work properly. Because of the confusion and complexity over this process, users may simply grant all permissions to facilitate the use of the app.
But at a minimum, Android users should be aware of when an app can access phone data and be able to limit that access, Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, told TechRepublic. In cases like this one, there wouldn’t be a way Android users could have prevented the leak short of not downloading and installing the app. But users should be aware and consider why certain apps are free, according to Miller-Osborn, pointing out that usually Android app developers are monetizing something.
Editor’s note: This article has been updated with additional commentary.