How Angry Is That Bird?

Repost from: Veracode blog


The news regarding the NSA and its British counterpart discussed how the Angry Birds app was targeted as a means to collect personal information about app users. Presumably the agencies were collecting data that the app was already accessing as part of its normal operations. What data is being accessed and should it concern us?

We performed a behavioral analysis on Angry Birds for Android with our mobile application reputation service. Here’s what we found.

Our first analysis was to determine whether Angry Birds contained known malicious code, or malicious behaviors. Fortunately, it’s clean in both cases.

Next we analyzed Angry Birds’ behavioral characteristics against several pre-built application security policies. Policies can be created to look for specific code capabilities, Android permissions, location tracking, etc. Based on the items mentioned in the news stories, we focused on the personal information privacy policy (which, by the way, is also a good idea for healthcare companies – see Caitlin’s post Food for Thought: Mobile Application Security & HIPAA).

Angry Birds received seven violations in the code capabilities section of the privacy policy.

CATEGORY | CODE ITEM | DESCRIPTION
Sensitive Information | Access Unique Device Identification Information | Information like phone number, IMEI, etc.
Sensitive Information | Retrieve SIM Card Information | Contains code that may reveal the serial number of your SIM card as well as information about the provider network to which it is attached.
Sensitive Information | Retrieve Information About Device Type | Contains code capable of finding the device brand, model and/or version of the operating system.
Sensitive Information | Monitor Device Location | Code is present that may track the location of the device based on the cellular network and/or GPS. This code can also detect when the location changes.
Sensitive Information | Retrieve Carrier Information | Contains code that may identify and retrieve information about your mobile service provider.
System Access | Monitor Device Statistics | Code is present that allows for the tracking of device information such as battery status, signal strength, network traffic and CPU performance.
System Access | Listen for Key Presses | Contains code to listen for key and touch events and take action via callbacks. While this is a normal API-enabled ability, it may be combined with other nefarious methods.

With regard to geolocation, Angry Birds received one code capability violation and one permission violation.

CATEGORY | CODE ITEM | DESCRIPTION
Sensitive Information | Monitor Device Location | Code is present that may track the location of the device based on the cellular network and/or GPS. This code can also detect when the location changes.
Permission | android.permission.ACCESS_COARSE_LOCATION | (requested in the app manifest)

Angry Birds is currently the 18th most popular game for Android in the Google Play Store. All 100 top free games in the Google Play Store have code capability violations against the privacy/personal information policy, many with a similar granularity of violations. Compared to the other top 100 free games, Angry Birds is categorized as one of the least risky for malware and privacy.

The larger problem ties back to comments made by Chris Eng, Vice President of Veracode Research. Chris said that it’s more complicated than complaining to an app developer to stop requesting certain pieces of information from its users’ smartphones. “If I don’t want an app to know my location, the developer could say, ‘I’m planning these new features that rely on location information,’” he told ABC News. “That’s where you run into these sorts of issues with apps that leak these sorts of info.” Many apps “are communicating to servers without any encryption,” said Eng. “Apps that don’t encrypt everything in transit are open to eavesdropping.”

Source of quote: http://abcnews.go.com/