Privacy Risks
All subscribers are vulnerable to sensitive personal information being sent without their consent and, in many cases, without their knowledge.
Whilst the security model of some handset OSs is to inform the user upon first use, so many applications now demand permissions and rights to use personal information that the majority of subscribers are becoming blind to these warnings. The standard advice to users to only install applications from trusted developers is also becoming less relevant, as the community of application developers explodes in size and the attractiveness of new “must have” apps outweighs user trust in developer credentials or reputation.
It is not just mobile applications that are the risk. Mobile operators may often add user identifiers into traffic that is passed to external third-party sites in order to secure advertising revenues, but at the risk of damaging subscriber trust in the network.
Information that AdaptiveMobile detects being distributed from devices includes the following:
Device Identity
Device identity, such as UDID and IMEI, is being used to provide app developers with a reference key for subscriber usage across sessions. However, if intercepted or put in the hands of malicious third parties, this information can also be used to compromise the device. This includes creating applications that do not need to be signed by Apple in order to be installed on a device, or using the identifier with other apps to access services such as Facebook without user account login details.
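As an added illustration (not AdaptiveMobile's code or detection method), the sketch below shows one way a defender could flag outbound HTTP requests that carry the device identifiers named above. It assumes IMEIs are 15 digits ending in a Luhn check digit and that UDIDs use the legacy 40-hexadecimal-character form; the sample requests, hosts and function names are constructed for the example.

```python
import re

# Assumptions for this example: IMEIs are 15 digits ending in a Luhn check
# digit, and legacy iOS UDIDs are 40 hexadecimal characters.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
UDID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_device_ids(request_text):
    """Return sorted (kind, value) pairs for identifiers seen in a request."""
    hits = set()
    for m in IMEI_RE.finditer(request_text):
        if luhn_ok(m.group()):  # drops timestamps and other 15-digit noise
            hits.add(("IMEI", m.group()))
    for m in UDID_RE.finditer(request_text):
        hits.add(("UDID", m.group().lower()))
    return sorted(hits)


# Constructed sample requests (hosts and values are made up for illustration).
SAMPLE_REQUESTS = [
    "GET /ads?imei=490154203237518&os=android HTTP/1.1\r\nHost: ads.example\r\n\r\n",
    "POST /track HTTP/1.1\r\nHost: stats.example\r\n\r\n"
    "udid=0123456789abcdef0123456789abcdef01234567&evt=open",
    "GET /img?ts=123456789012345 HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
]


def scan(requests):
    """Map request index -> identifiers found, skipping clean requests."""
    return {i: ids for i, r in enumerate(requests) if (ids := find_device_ids(r))}


if __name__ == "__main__":
    for idx, ids in scan(SAMPLE_REQUESTS).items():
        print(idx, ids)
```

The third sample request contains a 15-digit value that fails the Luhn check, so it is not reported as an IMEI.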
Subscriber Location Information
We are seeing an increasing range of applications that distribute a subscriber’s location, the majority without the subscriber’s awareness. This may be through applications gaining access to GPS positioning, or through websites that access an operator’s network to perform HLR look-up services on the pretext of “cleaning” existing SMS mailing lists, but then provide the IMSI and MSC location information of a subscriber to a third party.
