Unencrypted, sensitive and confidential user data originating from millions of mobile devices is carried on the Tor network every day. Now researchers say they have devised away to scoop up that data and create personal profiles for specific mobile users, that include GPS coordinates, web addresses, phone numbers and keystrokes.

Adam Podgorski and Milind Bhargava, Deloitte Canada researchers working independently, said they were able to cull the data and piece together the profiles by harvesting data from three Tor network Exit Nodes (Tor Exit Nodes are the gateways where encrypted Tor traffic hits the internet). Tor, the anonymizing software and network, carries the unencrypted mobile device traffic without user consent or knowledge, the researchers said.

Podgorski and Bhargava estimate the source of the traffic to be 95 percent Android and 5 percent iOS, originating from applications installed by the device’s OEM, wireless telecom operators, applications downloaded onto the device by users or via advertisers.

“We believe that the source of the unencrypted traffic is Tor code being installed on these mobile phones, and users are not aware of its existence,” Bhargava said. While the developers of The Tor Project offer an Android app called Orbot, researchers said the Tor functionality is being baked by third parties into the offending apps.

One theory behind why Tor is being used by mobile developers is because they wrongly think all Tor traffic is automatically either encrypted using or anonymous pathways.

“There appears to be a fundamental misunderstanding about what Tor is, with some mobile developers assuming using Tor protects HTTP (unencrypted) traffic from being seen,” Podgorski said.

Researchers determined that 3 percent of Tor traffic is from mobile devices. It found that 30 percent of mobile Tor traffic is not protected by HTTPS encryption.

According to Firefox telemetry data collected by Let’s Encrypt, 80 percent of all internet traffic is HTTPS. Google telemetry reveals 94 percent of traffic it monitors is encrypted. “The vast majority of unencrypted traffic happens on mobile,” according to a spokesperson for Let’s Encrypt. “Often it’s because older devices can’t support modern encryption.”

Researchers are withholding the names of the apps, OEMs, wireless carriers and advertisers leaking the data. But, they say the insecure sources run the gambit from popular mainstream mobile applications to lesser known advertisers. Geographically, the offending apps are popular in both North America and Asia, researchers said.

“About four months ago we reached out to everyone impacted by these insecure apps,” Bhargava said. “We still haven’t heard back from any of them.”

Researchers said they were able harvest personal identifiable data (PII) from Tor Exit Nodes and create very specific digital profiles. The type of data they were able to collect included ads that leaked GPS coordinates of a user; applications that revealed keystroke information and browsing habits; OEM that spilled handset usage data; and telecoms that identified the country codes of users.

Each piece of data, researchers said, were tied to an international mobile equipment identity (or IMEI number). Data also included international mobile subscriber identity (or IMSI number), which uniquely identifies a user of a cellular network.

“Like a puzzle, all we had to do was associate all the same IMEI and IMSI numbers together to create a single user profile,” Podgorski said. Using the data, researchers were able to create profiles of users down to location, phone numbers and keystrokes.

When asked how users can protect themselves, Podgorski said, “at this time there is nothing a user can do to prevent this type of exposure.”

What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.