An investigation by ad-blocking vendor AdGuard Software Ltd. found that several Chrome and Firefox browser extensions, as well as Android and iOS data collecting apps published by a company called Big Star Labs, were collecting personal browsing data using various tricks -- and without user permission. What types of data were these extensions and apps collecting, and what techniques did Big Star Labs use to get the data?
The use of centralized repositories or app stores to publish apps and add-ons provides many security benefits. Many app stores and repositories also offer basic security checks and reviews to help people better understand applications.
Some app stores, such as the Google Play Store and Apple's App Store, have relatively strict guidelines, while stores provided by other vendors and third parties may not be as rigorous.
AdGuard, an ad-blocking vendor, recently conducted a detailed investigation into several Big Star Labs add-ons and apps whose users may not have been aware of what kind of data the apps were collecting: the user's browser history. According to AdGuard, some individuals don't realize how sensitive browser history data is, or understand how it can be used to uniquely identify users and develop a detailed profile of them.
However, browser history data is literally a representation of all of the URLs the user has visited. This can include information about the web browser or endpoint itself, including geolocation data, device names, networks, IP addresses and other device identifiers that can be used to identify a person. This data can be combined with other information about the endpoint in order to identify an individual. Some personal data is incorporated by default into browsing history, such as a username included in a URL, making it easy to identify the person.
App developers often represent their data-collecting apps as being helpful to stop ads, speed up internet access and stop pop-ups; however, most modern web browsers offer similar capabilities without exposing personal data. The data-collecting apps from Big Star Labs appear to be primarily interested in collecting data after recording every visited URL.
After the initial AdGuard report was published, Google Play and the Chrome Web Store removed the Big Star Labs data collecting apps. However, just a month later, most of the offending apps had been reinstated. In order to help app stores improve their privacy protections, these apps should be reported again.
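To make concrete the point above that a list of visited URLs can itself carry usernames and other identifiers, the following added example (not from AdGuard's report or the original article) audits a history list for such fields. The parameter names, path prefixes and sample URLs are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed parameter names that commonly carry identity or session data.
IDENTITY_PARAMS = {"user", "username", "email", "uid", "account", "token", "session", "sid"}
# Assumed path prefixes after which sites often place an account name.
PROFILE_SEGMENTS = {"user", "users", "u", "profile", "profiles", "account"}


def identifying_fields(url):
    """Return a list of (kind, value) pairs for identifying data found in one URL."""
    parts = urlsplit(url)
    findings = []
    if parts.username:  # user@host form embeds the account name directly
        findings.append(("userinfo", parts.username))
    segments = [unquote(s) for s in parts.path.split("/") if s]
    for prev, seg in zip(segments, segments[1:]):
        if prev.lower() in PROFILE_SEGMENTS:
            findings.append(("path-account", seg))
    for key, value in parse_qsl(parts.query):  # values are percent-decoded
        if key.lower() in IDENTITY_PARAMS:
            findings.append(("param:" + key.lower(), value))
        elif EMAIL_RE.fullmatch(value):
            findings.append(("email", value))
    for match in EMAIL_RE.findall(unquote(parts.path)):
        findings.append(("email", match))
    return findings


def audit_history(urls):
    """Map each URL that exposes something to its findings; clean URLs are omitted."""
    report = {url: identifying_fields(url) for url in urls}
    return {url: found for url, found in report.items() if found}


# Constructed sample history; hosts and values are made up for illustration.
SAMPLE_HISTORY = [
    "https://news.example.com/world/2018/07/article",
    "https://social.example.com/users/jdoe42/photos",
    "https://mail.example.com/inbox?email=jane.doe%40example.org&folder=1",
    "https://shop.example.com/cart?sid=9f3c2a7e&item=12",
    "ftp://jdoe@files.example.net/reports/q2.pdf",
]

if __name__ == "__main__":
    for url, found in audit_history(SAMPLE_HISTORY).items():
        print(url, "->", found)
```

Four of the five constructed URLs expose an account name, email address or session value without any page content being read, which is why a full URL log is enough to profile a user.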