Last month, Facebook and Twitter admitted that the data of hundreds of their users was improperly accessed by some third-party apps on the Google Play Store. Security experts found that the software development kits (SDKs) of two apps, viz., One Audience and Mobiburn, were leaking users’ personal data when they used Facebook and Twitter. This vulnerability affected only Android users.
Twitter says this issue is not due to a vulnerability in its software, but rather due to a lack of isolation between SDKs within an application.
"We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android. However, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," said Twitter.
Facebook removed both the apps, One Audience and Mobiburn, from its platform for violating its policies.
Many mobile users opt for third-party apps to use Facebook and Twitter, since these third-party apps provide more features than the official apps. For example, WhatsApp users still cannot schedule a message, while a third-party app (now banned) allowed scheduling messages.
However, this does not mean that we should overlook data privacy issues in any app just because of some features.
In an advisory, the Indian Computer Emergency Response Team (CERT-In) says, "SDKs are software, embedded into third-party applications, allow users to sign in using their social network credentials and help app programmers to monetise their products through targeted advertising. It is reported that Facebook and Twitter notified some companies about malicious SDKs that allowed certain third-party apps to collect users’ data from their apps without their permission."
Last month, Facebook revealed that at least 100 app developers may have accessed Facebook users' data for months, confirming that at least 11 partners "accessed group members’ information in the last 60 days."
The social networking giant found that the apps—primarily social media management and video streaming apps—retained access to group member information, like names and profile pictures in connection with group activity, from the group’s application programming interface (API).
So how are you supposed to protect your data and privacy from falling into the hands of unwanted parties?
Here Are Simple Rules You Can Follow
1. Never use any third-party app for carrying out critical tasks. For example, if you want to transfer money to someone, use your bank's authentic app instead of some other app that may provide this facility. This applies to unified payments interface (UPI) apps, too, as banks are providing the UPI facility from within their authentic apps.
2. In case you must use a third-party app for anything on your mobile, do check all the permissions required by the app. If you are not comfortable with the third-party app seeking unnecessary permissions, such as a torch app seeking access to contacts, then do not install the app.
3. If you have already installed such a third-party app, remove it if it accesses unnecessary data or information and features, like the data network, Wi-Fi or Bluetooth.
4. Regularly check apps that are installed on your mobile device. If there is any app that you have not installed or have never used, uninstall it.
5. Never install any app that you may have downloaded, or received, from anywhere other than the Play Store.
6. Do not click on any web link to download and install an app.