There has been a bit of a dust up on the Internet over a video from Fox News between journalist Bret Baier and security consultant Gary Miliefsky, SnoopWall CEO. In the interview Gary claims that the top ten smartphone flashlight apps are collecting information on the user and sending it to foreign countries such as India, Russia, and China. He states that this information is probably being used to mount cyber-attacks against American assets. interestingly enough his company also provides a flashlight app that does not spy on the end user.
I found this claim to be a questionable, so I did a little more digging. As it turns out, when you install a flashlight app it asks for all sorts of permissions that are not strictly speaking necessary to provide local illumination. In another article on Lifars, the question is asked:
Why does an app that should only be using your LED light need permissions to know your GPS location, access your photos and videos, your camera, microphone, full network access, and so on? The answer as simple as it is worrisome: It’s spying on you. The worst part is, it’s not a secret. After complaints about the surveillance of these apps to the FTC, the makers of the no.2 app on the Android Play Store were sued by the FTC and settled the lawsuit. Now, the app presents the users with a lengthy EULA that most likely no one reads, where it in fact tells the user that they’ll be spied upon.
But looking into this issue on Snopes they concluded that this claim is partially true and partially false. Yes, the flashlight apps as for all these intrusive permissions, but then so do most smartphone apps, things like games that really don’t need your location information collect it anyway. Why is that? The reason is that we all like “free” apps, and in this case the apps are being paid for by the data mining operations that are going on in the background at the companies that develop these apps. Your habits and behaviors are being aggregated with those of millions of other users and being sold to marketing companies.
Could the information being collected by your smartphone apps be used against you in a personal attack. I have to conclude that this is in fact a possibility. But I consider this to be unlikely. Perhaps the thing to do is go into the setting for these apps and rescind the permissions we granted at installation, and see if the app still works.
My recommendation: keep your app and just be aware of what you agreed to. If you are really concerned about this issue, then you really need to consider getting rid of your smartphone entirely, because the smartphone itself is reporting all this information to Google, Apple, or Microsoft already.
ShareOCT
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com