Tag Archives: data collection

How to Detect Apps Leaking Your Data

How-to-detect-apps-leaking-your-data-0dad401d4d

One reason that smartphones and smartphone apps are so useful is that they can integrate intimately with our personal lives. But that also puts our personal data at risk.

A new service called Mobilescope hopes to change that by letting a smartphone user examine all the data that apps transfer, and alerting him when sensitive information, such as his name or email address, is transferred.

“It’s a platform-agnostic interception tool that you can use on your Android, iOS, Blackberry, or Windows device,” says Ashkan Soltani, an independent privacy researcher who created Mobilescope with fellow researchers David Campbell and Aldo Cortesi.

Their first proof-of-concept won a prize for the best app created during a privacy-focused programming contest, or codeathon, organized by the Wall Street Journal in April this year; the trio has now polished it enough to open a beta trial period. Access is steadily being rolled out to the “couple of thousand” people that have already signed up, says Soltani.

Once a person has signed up for the service, Mobilescope is accessed through a website, not as an app installed onto a device. A user can use the site to see logs of the data transferred by the apps on their device. They can also specify “canaries,” pieces of sensitive information such as a phone number, email or name that trigger an alert if they are sent out by an app.

Mobilescope can catch apps doing things such as copying a person’s address book to a remote server, as Path and several other mobile apps were found to do earlier this year. Soltani says the service is intended to level the playing field between mobile apps and the people that use them by arming users with more information about what those apps do.

As became clear when several popular apps were caught quietly copying contact data from users earlier this year, neither Apple’s nor Google’s mobile operating systems currently offer people much insight into or control of what apps are sharing.

(MIT Technology Review)

“Our focus is making really simple the process of interception,” says Soltani. “If you’re not an advanced user, you can still get at this data using Mobilescope.”

When a person signs up for Mobilescope, a configuration file is sent to his device. Once installed, this file causes all future Internet traffic to be routed through a Mobilescope server so that it can analyze the data that comes and goes to the device and its apps.

That arrangement is possible thanks to the way that smartphones are designed to be compatible with VPNs, or virtual private networks — encrypted communications that some businesses use to keep corporate data private. That design doesn’t add much delay to a person’s connection, says Soltani, in part because users are connected with a server as geographically close to them as possible.

Mobilescope can even examine data that is sent over the most common types of secure connection used by apps, similar to those used by banking websites, by intercepting the certificates involved. The service cannot decrypt other data, but Soltani says that few apps bother to use encryption. Data collected by Mobilescope is discarded after each session of use, and is only ever stored on a person’s own device.

Soltani says he doesn’t imagine Mobilescope will have the mass appeal of something like Angry Birds, but he hopes it will encourage journalists, activists, and ordinary smartphone owners to look into what apps do, and will help put more pressure on app developers to respect privacy.

“Added transparency for everyone — app developers, users, regulators — will help the whole mobile ecosystem.”

An earlier version of Mobilescope gave users the power to send fake data to certain apps, for example sending a spoof location. “We had to pull that out because the ecosystem is not ready for it,” says Soltani, who says this broke some apps, sometimes in ways that could harm other users. A separate project does make that tactic available to Android users willing to use a modified version of their operating system.

(MIT Technology Review)

In April, Xuxian Jiang, an associate professor at North Carolina State University, published a study showing that the ad systems included in many Android apps endanger users’ privacy. Around half of these systems monitor a user’s GPS location, and some also collect call logs and other sensitive data.

Jiang, who has uncovered other security and privacy flaws with mobile apps, said Mobilescope will be an “interesting” new tool for keeping tabs on apps. However, he adds that it can’t be guaranteed to catch everything, and says mobile privacy can only be improved with greater transparency from developers, improved privacy statements, and action from the creators of mobile operating systems.

“[We] need of mechanisms for users to actually control apps’ access to various personal information,” he says.

Justin Brookman, who directs consumer privacy activity at the Center for Democracy and Technology, says this will require changes to the law, which currently simply encourages companies to write very broad privacy policies to avoid the penalties for writing false ones.

“Detailed disclosures are actually deterred by the law,” he says. The CDT is attempting to get legislation introduced that instead requires companies to explicitly tell consumers what’s happening to their data, and to provide them with more control over it.

This article originally published at MIT Technology Review
here

Read more: http://mashable.com/2012/08/10/detect-apps-leaking-data/

Could This Startup Spot the Next Big Banking Scandal?

Could-this-startup-spot-the-next-big-banking-scandal--f35883e29c

The average financial institution exchanges anywhere from 1 million to 3 million emails per year. Buried within all the missives about meetings and lunches might be a few damning indicators of a brewing fraud.

A company called Digital Reasoning hopes to help banks find this critically important information with machine-learning software that raises red flags found in messy, or “unstructured,” text data, including emails, tweets and document files.

The software uses statistical models to break down sentences and infer their meaning. This is important because finding warning signs may not be as simple as matching a string of text.

The company aims to help banks benefit from the exploding volume of data available to them that is, at best, underutilized today. More and more, businesses view data as a raw material that can be turned into a valuable resource — if only they could figure out how to use it.

Digital Reasoning, founded 12 years ago, has already worked with intelligence agencies. The U.S. Army began using its software in Afghanistan in 2010 so that officers could weave together insights from disparate intelligence documents, says CEO Tim Estes.

After searching for an insurgents’ name, for example, the program could turn up the person’s known aliases or his connections to other people or groups. And the output could be organized on a map of the country. In-Q-Tel, a venture capital firm backed by the CIA and Silver Lake Partners have both invested in the company.

Now Estes hopes financial institutions will buy the software. After a few months of meeting with technology executives at some of the world’s biggest banks, he believes there is a “pressing need” for the service.

Financial institutions could save billions by spotting fraud or insider trading by employees, or catching financial advisors giving unethical or illegal advice. U.S. Senate hearings later revealed that in 2007, before the financial meltdown, Goldman Sachs employees wrote emails bragging of selling blatantly terrible investments to clients. Estes says his software could have helped compliance departments catch such activity.

Digital Reasoning recently took part in the FinTech Innovation Lab demo day, an annual event dedicated to financial technology and organized by the New York City Investment Fund and Accenture.

Cris Conde, the longtime former CEO of the Fortune 500 software company SunGard, who advised all of the companies in the Fintech program, says Digital Reasoning’s services are hugely needed in the financial sector. Surprisingly, he says, banks are far behind the technology curve in analyzing the exploding terabytes of information that don’t fall neatly into spreadsheets or involve directly “optimizing” a transaction.

Digital Reasoning’s software uses training algorithms to read and assemble masses of e-mails and other text data, and then sorts the words and sentences into organized relationships that can be compared in context. This data can be searched, or alternately, be used to trigger preset alarm bells automatically.

HP, Microsoft, IBM and Oracle have all developed similar text analytics software. But these programs mostly analyze whole documents based on preset rules rather than using algorithms to break down words and phrases in context. And they generally require a human to read actual text once groups of documents are clustered, says Estes.

In contrast, Digital Reasoning’s software can directly display the relevant text data and linkages — as if the user already took notes — and might deliver crucial information in minutes, Estes says.

Image courtesy of Flickr, MyEyeSees

This article originally published at MIT Technology Review
here

Read more: http://mashable.com/2012/08/08/digital-reasoning-startup/