Leaked docs: NSA uses 'Candy Crush,' 'Angry Birds' to spy

'Candy Crush Saga,' 'Angry Birds,' among targets, new release shows


"Candy Crush Saga" players take note: The nation's top spooks want a taste.

The National Security Agency has targeted popular smartphone-based social games like "Candy Crush" and "Angry Birds" to pilfer personal information, including phone numbers, e-mails and codes that identify the user's device, according to documents leaked by former NSA contractor Edward Snowden.

Among the so-called leaky apps with the greatest privacy perils are Google's Google Plus, Pinterest's online bulletin board and "Candy Crush," the most popular game on Facebook, according to an analysis by Zscaler Inc.

While Facebook and Google typically encrypt personal data, the feds have focused on advertising services that use the information to pitch goods and services to consumers.

The reach of apps, and of the networks advertisers use to pass data around, makes them natural eavesdropping targets and is aiding a shift in the focus of surveillance efforts away from personal computers, said Kevin Mahaffey, co-founder and chief technology officer of Lookout Inc. in San Francisco.

Data trove

Lookout studied 30,000 apps this month and found that 38 percent of those for Android systems could determine locations, of which half could access the unique code assigned to a person's device, and that 15 percent could grab phone numbers.

"They have a lot of valuable information, and they're everywhere," Mahaffey said. "Everyone from the NSA to Microsoft to Google see mobile as the future."

The mobile-app industry, less than 10 years old, will be worth $143 billion globally by 2016, according to industry estimates. The latest disclosures from Snowden underscore how vast a data treasure trove mobile apps present to both advertisers and now spies.

Zscaler's analysis found that 96 percent of the top 25 social-networking apps request e-mail access, 92 percent ask for access to users' address books and 84 percent inquire about their physical locations.

"Privacy is dead in the digital world that we live in," said Michael Sutton, vice president of security research at San Jose's Zscaler. "I tell people, unless you are comfortable putting that statement on a billboard in Times Square and having everyone see it, I would not share that information digitally."

Google, based in Mountain View, declined to comment and referred to a statement from the Application Developers Alliance, a trade group to which it belongs.

"Uninhibited collection of consumers' personal data by governments hacking into apps is unacceptable," said Jon Potter, the group's president, in the statement. "This surveillance damages our entire industry and undermines the hard work of app developer entrepreneurs everywhere."

The NSA has defended its data gathering as essential to national security.

Jodi Seth, a spokeswoman for Menlo Park's Facebook, said the company encrypts its mobile-app data and pointed to two earlier statements defending its security technologies. King.com, the company behind "Candy Crush Saga," and San Francisco's Pinterest didn't respond to e-mail messages sent during U.S. business hours.

Surprising grab

One game that makes surprising grabs - asking for a user's location or a device's unique code - is "Angry Birds," according to research published in November by Jason Hong, an associate professor of computer science at Carnegie Mellon University. Another is Brightest Flashlight, which turns on all of a device's lights at once, Hong found.

"Angry Birds," whose games have been downloaded more than 1 billion times, was identified in the Snowden documents as a target of NSA spying.

Its creator, Rovio Entertainment Oy, said in a statement that it doesn't share data with government agencies and that any leaking of customer data is being facilitated by vulnerable advertising networks.

"In order to protect our end users, we will, like all other companies using third-party advertising networks, have to re-evaluate working with these networks if they are being used for spying purposes," Mikael Hed, Rovio's chief executive officer, said in the statement.

GoldenShores Technologies, the creator of Brightest Flashlight, didn't respond to an e-mail message.

There are dozens of networks that collect and share details from apps and connect marketers to users with tailored ads. AdMob, owned by Google, and Millennial Media are the two biggest networks for Android, the largest smartphone operating system in the world.

Christina Feeney, a spokeswoman for Millennial Media, said the company doesn't share information with government surveillance agencies. AdMob declined to comment.

The NSA sensors that capture traffic traveling across key Internet junctures are probably what allow the agency to collect mobile-ad data and look for patterns, Carnegie Mellon's Hong said. Some ad networks pass around entire contact lists in unencrypted form, which makes them vulnerable to interception at any point along their path, Hong said.