If you're planning to do some of your holiday shopping from your cell phone this year, you might want to think twice.
It turns out that a lot of smartphone apps aren't very good at protecting your personal information: a full 82% of brick-and-mortar stores' retail apps and 92% of online-only retail apps are leaking your personal information, according to a new survey from NowSecure, a mobile app security management company. The survey tested apps from many of the world's top brands and focused on Android apps only (it did not include iPhone apps).
"Leaking" data refers to the unintentional exposure of sensitive information. This leaves personal information like your credit card number or Social Security number vulnerable to bad actors like hackers, who steal people's information to sell for profit on the black market. Nearly 60 million Americans have been victims of fraud or identity theft resulting from a breach of their personal information, according to LifeLock, an identity theft protection company.
"There is a real legitimate issue around mobile apps in terms of both the security and the data privacy," says Alan Snyder, CEO of NowSecure.
If hackers gain access to something as simple as your username or password, or even your transaction history, they can use that kind of information to do other kinds of harm, like access your bank account or even target you in other scams. And while you've probably never given Bloomingdale's your Social Security number, you may have given those sensitive digits to an app for tax preparation services, medical companies, or mortgage and credit card applications. A Social Security number in the wrong hands can lead to identity theft.
"Would you want your critical information, your name, your passwords and your Social Security number written across the front of your house so that anybody driving by can see it?" asks Snyder. Because if an app leaks your data, it's "out there and visible for anyone that wants to go and grab that data," he says.
Why is data leaking at all, though? Simply put: companies are not investing enough time and resources into app security. Even though mobile app security isn't all that expensive to implement, businesses have traditionally invested more in their websites and network security than mobile security, Snyder says. The use of mobile apps grew so quickly that many companies are still getting up to speed when it comes to implementing adequate security measures for their apps.
"Mobile innovation ran ahead, security now needs to catch up," Snyder says.
In addition to your credit card number, other kinds of consumer data often at risk of exposure via mobile apps are basic facts like your name, usernames, passwords, email, geolocation and account numbers, generally referred to as personally identifiable information.
Here's How to Protect Yourself
So what can you do to avoid putting your own sensitive personal information at risk for data leakage?
The first step is simply building up the awareness that you are vulnerable, Snyder says. When you shop online using a computer, you will often see a padlock badge in your browser's address bar letting you know a website is secure, but there is no universal symbol you can look for on mobile apps to check how well-protected they are. Trust your gut. If a retailer like a shoe store is asking for your location or access to your smartphone's microphone, ask yourself: why does a shoe store app really need that kind of information from me to work?
"It doesn't," says Snyder. Decline those prompts when you can.
Generally speaking, it's also safer to use a credit card rather than a debit card when you're doing any kind of shopping over the Internet. A debit card gives a hacker a direct connection to your bank account, and it's usually up to you to convince your bank that fraud occurred and to return your funds. Most credit cards refund customers for suspected fraud more readily, though exact policies vary from company to company.
Snyder knows it's not realistic for the average person to avoid using apps altogether, but he says he personally tries to never store his credit card information in apps, instead taking the time to type out the numbers in every instance he uses the app. Another simple recommendation? Most of us have a dozen apps we haven't touched in months sitting on our phones: delete all of the apps you only used once and probably won't need again, like parking apps.