Private property: The case of third-party wearable apps breaching privacy

In the era of wearables and third-party apps, privacy is becoming a concern in the digital world. Here's how it could be impacting you.

In the past few years, there has been much talk about privacy in today's digital world. Messaging and email services as well as social media platforms have reacted to this need, announcing measures to protect a user's personal data. But, at times, the lure of wearables makes it easy to forget, or ignore, the security risks involved. And their increasing popularity means that more and more people are affected by any potential breach.

"Today, wearables measure your heart rate, distance travelled, speed, total calories consumed, sleep patterns, breathing rate, stress level, and different types of brain activities, etc. In order to get more valuable and actionable insights from the analytics capabilities of the service providers, consumers have started to share more and more data," says Jasmeet Singh, CEO, Portronics Digital.

The market of wearable fitness and personal health devices is pegged to be worth$5 billion in 2016, according to analysts at Gartner. Users have access to gadgets that range from the Apple Watch to Google Glass. With them, come a range of apps. Because wearable devices come with smaller screens and more intuitive interfaces, users tend to rely more on apps installed on them. They also tend to use them on the go, which means greater volume of information is generated in real time and shared constantly, putting privacy at risk.

Share with care

"Our research shows that all the wearable activity-tracking devices, including those from leading brands, are vulnerable to location tracking. Recent research by Symantec on the evolution of ransomware (a type of malware that prevents or limits users from accessing their system) highlighted that Android ransomware can easily be made to run on Android Wear devices. In fact, one of our key predictions from the research is the possibility of seeing ransomware beginning to target Internet of Things and wearable devices since they are at the forefront of a growing trend," says Ritesh Chopra, country manager, India, Norton by Symantec.

At risk

What most users forget is that most data shared on connected devices is stored on a remote server with a user's sign-in details. This potentially gives the manufacturer information that can be used to serve ads and other targeted campaigns. Also, you're relying on that company to keep that data safe. So, the more data one shares, the more wary the individual needs to be. That's not all. Personal data shared, such as your name, age and location, can also aid criminals in stealing your identity.

"Users install apps and give away access rights without looking at the categories. This is a big mistake. Kaspersky Lab team has researched the many ways in which wearable devices interact with phones. According to our findings, the authentication method implemented by several popular brands allows a third party to connect invisibly to the device, execute commands, and, in some cases, extract data from the device," says Altaf Halde, managing director, South Asia, Kaspersky Lab.

So, what are we doing wrong? While giving permission to third-party apps or wearable devices to avail of our information, we tend to give away far more access than we intend to. The reasons vary from lack of time to read what information the app is asking for, to the inability to understand a certain app's privacy policy due to complicated wordings. "The biggest mistake we make while sharing information is that we press 'okay' without deliberating what information the app is asking for. Ideally, one should refrain from sharing contacts, browsing history and other personal information. Also, most consumers don't demand minimum or clear information about what exactly the collected information will be used for," says Nikul Raj Gupta, CEO, ENRG.

Unfortunately, there is little consumers can do to protect themselves from these risks. "It is really up to the wearable technology manufacturers themselves to add security (measures) into their devices. But consumers should get the option to delete their personal data whenever they want to," says Halde.

CHECKLIST

Here's what you should avoid:

#Using personally identifiable information: Avoid any personally identifiable information, such as your name. Use an alias instead.

#Keep Wi-Fi, Bluetooth on: Turn them off when these devices are not being used to avoid continuous data transfer.

#Not checking the privacy policy of the apps: Always check the privacy policy of the apps that you download. If there is no privacy policy available, do not download it.

#Not verifying what the app wants to access: Be aware of what data the device or app wants to use on your phone. If it seems illogical, deny permission.

#Not being cautious of what you share: Social sharing features can give away your location and when you were working out. Cybercriminals can use this to track your movements.

#Not updating software: Install apps and OS updates as soon as they become available. They can help patch newly discovered security holes.

—Ritesh Chopra, country manager, India, Norton by Symantec

DID YOU KNOW?

According to consulting company Accenture, 54% of the 6,000 people who participated in a 2014 six-country survey said that they were interested in buying a health tracking device, while another 52% said they were interested in tracking fitness. India showed the highest interest in wearable fitness and health trackers, with 81% saying that they would be willing to buy one

A 2016 study from researchers at the University of British Columbia and the University of California, USA, shows that, too often, consumers are unaware of what their Android apps are accessing. If they were, they'd like to stop it

A 2015 study by university researchers from the Massachusetts Institute of Technology, Harvard and Carnegie Mellon University in the US found that 73% of Android apps shared personal information such as email addresses with third parties, and 47% of iOS apps shared location data with third parties

Another survey by Pew Research Center in 2015 found 235 types of permissions on more than one million apps in the Google Play Store. About 60% of people using the Play Store had decided against installing an app when they discovered how much personal information is required, and 43% had uninstalled an app for the same reason.