As 2016’s presidential primaries have progressed, the number of presidential primary apps installed on mobile devices has grown considerably, becoming more prevalent than ever. And that’s a bit of a problem considering that most of them leak personal data about their users.
“[They’re] more popular than ever, thanks mostly to Donald Trump, according to our data,” said Symantec researchers, in a blog post. “Trump has been the focus of much interest, dominating all candidates with 75% of presidential primary apps categorized under his name.”
The unfortunate reality however is that election season is a key opportunity for data thieves to wreak havoc. And, presidential primary apps can gather plenty of information, and meaning that they’re ripe vectors for exposing sensitive data. Downloading election apps may be a quick way to surrender sensitive data to unwanted eavesdroppers, especially if users connect to them using unsecured Wi-Fi or automatically connect to public Wi-Fi hotspots.
User phone numbers and location comprise just some of the data being exposed. Other types of private data include account details, such as email addresses and social network user names; lists of installed apps on a device; brand, model and operating system of the device; the international mobile subscriber identity (IMSI) contained on the SIM card; and the settings of a device, such as language or time zone.
Symantec has found that out of more than 1,200 presidential-primary-related Android apps that it looked at, more than 50% exposed sensitive data. Of the most popular primary election apps observed—those with more than 1 million downloads—nearly 25% were found to be exposing sensitive data.
“Most primary apps are unofficial and not affiliated with a campaign, but even official apps have some data exposure, as we found by looking at two primary candidate apps using the Norton Mobile Security with Norton Mobile Insight app,” Symantec explained.
On the official apps front, using Norton Mobile Insight, Symantec found the official apps for John Kasich and Ted Cruz to be problematic. In the case of the official John Kasich 2016 mobile app, every app installed on a device and the user location may be exposed. In the case of the official Ted Cruz "Cruz Crew" app, mobile device details and unique IMSI may be exposed.
All of it is data that could be intercepted by attackers and shared with third parties.
Users should install apps from only trusted sources and pay close attention to permissions that apps may be requesting; and, they should turn off location settings when not using the GPS function, to prevent apps from knowing a user’s exact coordinates.
“If an app is asking for more information than you're comfortable sharing, it might be a sign to run the other way,” Symantec said. “Think of what the purpose of the app is, and only provide information that is necessary for the app to serve its function.”
Photo © ChristinaMuraca/Shutterstock.com