We discovered that a number of device and personal identifiers were being sent unencrypted to servers in China and Singapore, including the IMEI (International Mobile Station Equipment Identity), the IMSI (International Mobile Subscriber Identity), and the device MAC address, along with other identifying information. Additional information is being encrypted and transmitted to these same servers.

The LEO Privacy Guard privacy policy only states that they gather device information, which can be rather vague. Privacy Sentry asked the company behind the application to clarify what they are doing with the information they are collecting, but they did not respond to inquiries. The fact that data is being stored on servers in China and Singapore is problematic for a number of reasons: the data then falls under the jurisdiction of the laws of those countries, and if law enforcement or a government agency were to make a request for this information, they would be required to hand it over. None of the information about what specific data was being collected or where it was being sent was disclosed in the privacy policy. This raises more questions, and the app increases the risks to security and privacy more than it helps protect them. You can read the full Privacy Sentry report here.

The LEO Privacy Guard application is just one example of information being harvested and sent to servers both inside and outside the country. One of the biggest challenges with securing mobile devices is getting visibility into what information is being collected and shared. It is important for consumers and businesses alike to be conscious of what applications are being deployed to their devices. A game that you download and install on your phone for your child to play with could be much more than that, and if that same device is used for banking or business, it could put you and your organization at unnecessary risk.

As we also saw with the recent XcodeGhost vulnerability and exploit, the supply chain of app development can also put you at risk, so it is advisable to install applications only from trusted vendors and trusted application stores, and to select only those apps you need. Also, be sure you review the permissions of the applications you install (for Android) and actually pay attention to the privacy policies and terms of use for apps.
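To get the kind of visibility described above, a captured cleartext request from a test device can be scanned for the identifier types named in this post (IMEI, IMSI, MAC address). The following is an added example, not code from the Privacy Sentry report; the host, path, parameter names and all values in the sample capture are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample: a cleartext HTTP request as a proxy capture might show it.
# Host, path and parameter names are hypothetical; the values are made up.
SAMPLE_CAPTURE = (
    "POST /collect HTTP/1.1\r\n"
    "Host: telemetry.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "imei=490154203237518&imsi=310150123456789"
    "&mac=00%3A1A%3A2B%3A3C%3A4D%3A5E&ts=1443657600000"
)

FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")   # IMEI and IMSI are both 15 digits
MAC_ADDR = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for the IMEI check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(payload):
    """Return (kind, value) pairs for device identifiers visible in cleartext."""
    text = unquote(payload)      # form bodies often percent-encode the MAC colons
    hits = []
    for m in FIFTEEN_DIGITS.finditer(text):
        # The IMSI has no check digit, so a Luhn failure only makes it a candidate.
        kind = "imei" if luhn_ok(m.group()) else "imsi_candidate"
        hits.append((kind, m.group()))
    for m in MAC_ADDR.finditer(text):
        hits.append(("mac", m.group().lower()))
    return hits


if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE_CAPTURE):
        # Mask most of the value so the report itself does not leak the identifier.
        print(f"{kind:15} {value[:4]}{'*' * (len(value) - 4)}")
```

Roughly one in ten arbitrary 15-digit numbers also passes the Luhn check, so confirm each hit against the test device's known identifiers before reporting it.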