business

Updated: Apr 04, 2017 12:52 IST

Smartphone apps that we regularly use to organise lunch dates, make convenient online purchases and communicate the most intimate details are mining our data by secretly colluding with each other, a new study warns.

Researchers conducted the first ever large-scale and systematic study of exactly how the trusty apps on Android phones are able to talk to one another and trade information.

“Researchers were aware that apps may talk to one another in some way, shape, or form,” said Gang Wang, Assistant Professor at Virginia Tech University in the US.

“What this study shows undeniably with real-world evidence over and over again is that app behaviour, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone,” said Wang.

The types of threats fall into two major categories, either a malware app that is specifically designed to launch a cyberattack or apps that simply allow for collusion and privilege escalation, researchers said.

In the latter category, it is not possible to quantify the intention of the developer, so collusion, while still a security breach, can in many cases be unintentional, they said.

In order to run the programmes to test pairs of apps, the team developed a tool called DIALDroid to perform their massive inter-app security analysis.

“Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorised apps to gain access to privileged data,” said Daphne Yao, Assistant Professor at Virginia Tech.

The team studied a whopping 110,150 apps over three years including 100,206 of Google Play’s most popular apps and 9,994 malware apps from Virus Share, a private collection of malware app samples.

The set up for cybersecurity leaks works when a seemingly innocuous sender app like that handy and ubiquitous flashlight app works in tandem with a receiver app to divulge a user’s information such as contacts, geolocation, or provide access to the web.

The team found that the biggest security risks were some of the least utilitarian.