Sensitive Data on Mobile Apps

Goals

To understand the disposition of people about giving their sensitive data to mobile apps. This information would be used to redesign an onboarding flow for an app that lets people securely manage their private and sensitive data. Additionally, to determine which iOS apps require users to input their Social Security number, the top apps that ask users for their SSID, the top security credentials for sensitive information such as Social Security Number, and a list of sensitive documents people have.

Early Findings

Disposition of people about giving their sensitive data to mobile apps

  • Mobile devices are full of personal sensitive information such as photos, bio metric information, financial information, contact details and login credentials.
  • Apps can interact with mobile devices to retrieve this information, they can also activate phone functions such as the camera to retrieve this personal information.
  • Some of the most popular smartphone apps upload highly personal information about their users to Facebook without the users' explicit knowledge or consent.
  • The web-enabled IRS2Go Smartphone App enables users to check the status of their federal tax refund by entering their Social Security number, which is masked and encrypted for security purposes.

iOS apps that require users to input their Social Security number

  • With the launch of iOS 13, apps that request access to users's contacts are no longer able to read the data in the notes of address book entries.
  • Apple Pay requires users to verify their identity during set up by inputting personal information such as social security number, date of birth, answers to questions, or a copy of government issued ID.
  • Apple Card or Apple Cash also asks for the following personal details to verify user identity at first; full name, social security number, date of birth, home address, answers to questions regarding personal history and, an image of driver’s license or state ID card.

The top apps that ask users for their SSID

  • Thousands of android apps can track phones even without permissions. There are a number of side channel vulnerabilities, some of which can send the unique MAC addresses of one's networking chip and router, the wireless access point, its SSID, and more.
  • Tens of iOS apps were discovered to be collecting and selling location data such as GPS coordinates, Bluetooth LE beacon data, and WiFi network SSID and BSSID identifiers.

The top security credentials for sensitive information

  • A username-password combination is the first set of credentials used to protect sensitive information.
  • 2nd factor authentication is the second set of credentials used for authenticating sensitive information.
  • Another security tip to prevent loss of sensitive data is to use a virtual private network when using public Wi-Fi.

A list of sensitive documents people have

  • Personal data is information that reveals something about and could be used to identify an individual. This includes direct, indirect and technical information.
  • Examples of sensitive information includes information used in authentication; for example, credentials, PINs, session identifiers, tokens, and cookies.
  • Additionally, sensitive information includes information that is protected by laws, regulations or specific organizational policy; for example, credit cards, and customers data
  • Examples of sensitive personal identifying information include social security numbers, bank account numbers, passport information, healthcare related information, medical insurance information, student information, credit and debit card numbers, drivers license and state ID information .

Proposed next steps:

You need to be the project owner to select a next step.
Our initial research revealed readily available information about the disposition or mentality of people towards giving sensitive data to mobile apps. We propose deeper research into the disposition of people about giving sensitive information to their apps. This request will also provide information about how and when mobile apps request access to sensitive information from their users.
Our initial research showed that many iOS and Android apps request for sensitive information from their users such as social security number, SSID, home address, and government-issued ID. We propose further research in order to provide 4 to 5 of the top iOS and top android apps that request sensitive information from their users in two separate requests, one for each platform. Top apps on each platform will be defined as the most popular or most-used apps.
Our initial research revealed some of the credentials used for the protection of sensitive information. We propose further research to determine 4 to 5 of the top credentials used for the protection of sensitive information. Top credentials will be defined as those that are most effective or secure.