We’re already well-informed of just how far-reaching the NSA’s data-tapping techniques are, but newly published leaks have taught us more methods to the NSA-madness. According to new documents furnished by Edward Snowden, the NSA and its British counterpart GCHQ have been tapping into commercial data troves collected by popular smartphone apps like Angry Birds and Google Maps, as well as by their third-party advertisers. The information ranges from your gender to where you’re located to where you’re planning on going – and more.
While your embarrassingly low app scores probably won’t make it to the NSA’s database (phew!), other personal information can. It depends on what kind of data the particular app or third-party advertiser collects, but details the agencies could grab include the user’s gender, age, geolocation, marital status, phone ID number and more.
The information has been collected steadily through a “mobile surge” initiative since at least 2010, and the documents said that spies have the ability to scrub apps to collect other highly personal details like one’s sexual orientation and political alignment.
A case study created by the GCHQ used one of the most popular gaming apps, Angry Birds, as a prime example of a leaky app allowing spy agencies unrestricted access to tons of user data. The game has been downloaded over a billion times, but we can only guess as to how much data the agencies have collected. One of the leaked secret documents out of GCHQ included the code needed to take player profiles from within Angry Birds’ Android version, but with the help of advertisers serving ads and collecting even more data, spy agencies are able to get a much deeper look at a player.
Rovio responded to the allegations in a statement, saying that they have no “previous knowledge of this matter, and have not been aware of such activity in 3rd party advertising networks, nor did we have any involvement with the organizations mentioned.”
The NSA and GCHQ also intercepted map apps such as Google Maps in order to grab geolocation data in bulk. They delved deeper, as well, going so far as to intercept queries within Google Maps to collect data about where the target is and where he or she is planning to go. An internal document from 2008 noted that anyone using Google Maps on their smartphone is basically “working in support of a GCHQ system.”
These new details may not be especially surprising, considering previous revelations that the NSA also uses Xbox Live, Second Life and World of Warcraft in data collection and monitoring players, but the sheer amount of data available through a simple gaming app is shocking. One leaked report indicated that just by updating an app on your Android, over 500 lines of data are created detailing the phone’s history – and spies can get every line of it.
In response to the most recent disclosures, the NSA released this statement:
“Any implication that NSA’s foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true. … We collect only those communications that we are authorized by law to collect for valid foreign intelligence and counterintelligence purposes – regardless of the technical means used by the targets.”
Candy Crush players: beware. You’re probably next.
Read more at the New York Times.