The smartphone, with all the personal data it contains, is a prime target for those who are looking for this type of information, explains Fred Raynal of Quarkslab. Faced with the increasing number of intrusions from applications, how can users' personal data be protected?
These are all particularly interesting from the point of view of advertisers because they shed light on consumption habits. The final goal, serve the right publicity at the right time in the right place to encourage the act of buying.
A good way for a developer to monetize the audience of his application is to set up advertising banners in his application. And for this, companies offer ready-to-use toolkits, called SDKs (Software Development Kit). Concretely, SDKs are programming assistance tools for developers to design a mobile application, which are in the form of code fragments.
These ad SDKs make it easy to display ads, track user clicks in an app, and also collect phone data. If the majority of applications are equipped with SDKs that do not pose a problem, it is nevertheless necessary to be vigilant with regard to the data processing carried out by this software.
Advertising SDKsSome of the features are legitimate for a developer because they make it easier to improve their app or its monetization part. However, the issue of aggregate data is often overlooked. More and more applications are using SDKs to retrieve - without clearly asking for the user's consent - the location, the list of applications used or even data that is then used for advertising targeting.
If these data are of little interest when taken one by one, they become very useful when they are correlated.
In some cases, these SDKs can also turn out to be malicious: recently, Snyk an American cybersecurity company revealed the harmfulness of an advertising SDK used by more than 1,200 applications. In this case, the SDK publisher, under the guise of legitimate activity, practiced advertising fraud by favoring advertisements from their network rather than another.
In addition to these fraudulent activities, the company, through the SDK, tracked down the users of the apps by collecting certain browsing data. While this example illustrates an extreme case, it illustrates the collection capacity of these SDKs.
In response to these increasingly common abuses, Apple recently decided to tackle user tracking through in-app ads. The new iOS 14 system limits the tracking of users' movements and actions when they open an app. This update is obviously not to the liking of the advertising agencies that tracked users through the various devices (smartphone, tablet, and computer) and thus collected thousands of personal data.
The attacker's strategySDKs are an attractive target for potential attackers. Indeed, a code error can lead to a flaw, which can be exploited by a malicious person if it is discovered.
An SDK is present in several applications. For an attacker who seeks to install his malware on as many smartphones as possible, looking for a flaw in an SDK rather than in a single application can reach a much larger number of users.
Likewise, an advertising network is a particularly interesting target, because, in the event of hacking, it allows the interception of confidential information and data as well as the possibility of reaching millions of targets at once. In the case of a state attacker, he can thus choose his targets according to their interests or spy on journalists from a distance, for example.
For other attackers, the goal will be to collect as much personal data as possible. Indeed, the mass of data will facilitate the correlation of information and the possibility of subsequently using it for social engineering attacks, for example, or reselling it on the black market.
In short, the SDK or the management makes it easier for a malicious individual to amplify his attack to reach more people.
Necessary collection of personal dataAs the famous saying goes "if it's free, you are the product". And even if many believe that they have "nothing to hide", the personal data collected deserves that everyone pays special attention.
Today, the pedagogy must continue. To limit the collection of personal data on the phone, some good practices should be adopted. Thus, each time an application requests access to personal data, the user must ask whether it will be really useful or if it is a way of retrieving as much personal information as possible respect. For example, does a games application really need to access the contact directory?
Other measures can be effective: sort the installed applications, delete those that are not used, regularly clear the browsing history, and turn off geolocation by default.
The more users take these reflexes, the more this will allow everyone to become aware of the extent of the collection of personal data. But the user only arrives at the end of the chain.
It is up to the entire ecosystem to be particularly vigilant. First, application developers are encouraged to perform thorough audits and verify that the SDKs used do not contain security breaches. Then the developers of the operating system are responsible for implementing the security measures.
Smartphones contain a huge amount of personal and confidential data. Whatever the identity, activity, photos, or files of the user, it is always possible to find a way to make malicious use of them by reselling them or by impersonating the person concerned. It is only through a general awareness that it will be possible to respond to the challenges of the protection of personal data.