You know that Android app you’re about to download? It could be a security risk.
No doubt you’ve heard stories of apps infected with malware, but there’s also the risk that comes from apps exposing your personal information.
Indeed, according to security researchers at ThreatLabZ, “up to 10 percent of mobile apps expose user passwords and login names, 25 percent expose personally identifiable information and 40 percent communicate with third parties.”
That analysis comes from Zscaler Application Profiler, or ZAP, a free Web tool that promises a quick and easy assessment of any Android or iOS app.
It works like this: just type in the name of an app you want to check. If ZAP doesn’t produce any results, you can run a manual scan by pasting in the corresponding App Store or Google Play URL.
Behind the scenes, ZAP captures and analyzes the HTTP(S) traffic from a given app to see whether your data is being exposed, then generates an overall risk score based on that analysis.
Handy, no? I was interested to discover, for example, that Evernote for iOS had a high risk of “device metadata leakage”—data that can identify an individual device. Not sure what I’m supposed to do about that, but I was glad to see no issues with “personally identifiable data leakage” or “exposed content.” Likewise, Evernote doesn’t leave my username or password unencrypted when communicating with online servers.
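The kind of traffic check described above, as an added example that is not part of the original article and is not ZAP's own code: it sorts captured requests into the leak categories named here and sums a risk score. The parameter-name patterns, the weights, and the rule for what counts as exposed are assumptions made for the illustration, and the capture is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name patterns per leak category (illustrative assumptions, not ZAP's rules).
CATEGORIES = {
    "credentials": re.compile(r"^(pass(word|wd)?|pwd|user(name)?|login)$", re.I),
    "pii": re.compile(r"^(email|phone|msisdn|lat|lon|dob)$", re.I),
    "device_metadata": re.compile(r"^(imei|udid|android_id|mac|idfa|serial)$", re.I),
}
# Made-up weights for this example's 0-100 score.
WEIGHTS = {"credentials": 40, "pii": 25, "device_metadata": 15, "third_party": 10}

# Constructed capture: (method, url, form body). Hosts use the reserved .test TLD.
CAPTURE = [
    ("POST", "http://api.example-app.test/login", "username=alice&password=hunter2"),
    ("GET", "https://api.example-app.test/notes?page=2", ""),
    ("GET", "https://ads.tracker.test/pixel?imei=000000000000000"
            "&email=alice%40example.org", ""),
    ("POST", "https://api.example-app.test/session", "username=alice&password=hunter2"),
]

def analyze(requests, first_party):
    """Return (sorted findings, score) for a list of captured requests."""
    findings = set()
    for _method, url, body in requests:
        parts = urlsplit(url)
        host = parts.hostname or ""
        own = host == first_party or host.endswith("." + first_party)
        if not own:
            findings.add(("third_party", host))
        # Inspect both query-string and form-body parameters.
        for name, _value in parse_qsl(parts.query) + parse_qsl(body or ""):
            for category, pattern in CATEGORIES.items():
                if not pattern.match(name):
                    continue
                # Assumed rule: credentials are exposed only when sent without TLS;
                # PII and device identifiers also count when sent to another party.
                if parts.scheme == "http" or (category != "credentials" and not own):
                    findings.add((category, name.lower()))
    # Each category contributes its weight once, however many parameters hit it.
    score = min(100, sum(WEIGHTS[c] for c in {c for c, _ in findings}))
    return sorted(findings), score

if __name__ == "__main__":
    found, risk = analyze(CAPTURE, "example-app.test")
    for category, detail in found:
        print(f"{category:16} {detail}")
    print("risk score:", risk)
```

The second login in the capture goes over HTTPS to the app's own server, so it adds nothing to the findings; only the cleartext login and the request to the tracker host do.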
If you’re concerned about app security in your organization, or even just on your own smartphone, ZAP is worth checking out. If nothing else, it can help you spot a potentially problematic app before you install it.