Is it worth exposing your personal data in return for the convenience of using pet apps on your smartphone?
Pet apps leaking your sensitive information has probably not been a mindful topic for you. But it may be now, thanks to two recent studies presented at the 2022 IEEE European Symposium on Security and Privacy Workshops conference.
Computer scientists at Newcastle University and Royal Holloway, University of London, on Feb. 28 exposed multiple security and privacy issues. Researchers at both universities evaluated popular Android apps for pets and other companion animals, as well as farm animals. They found 40 leaking user information.
Dubbed pet tech, pet industry developers use the technology to improve the health, well-being, and overall quality of pets’ lives. Apparently, they also use it as a source of data acquisition that puts users’ security at risk.
Pet tech is expanding and includes a wide range of products, including GPS trackers, automatic feeders, and pet cameras, according to a written statement from Newcastle University. Other examples of pet tech include wearable devices that monitor a pet’s activity levels, heart rate, and sleep patterns.
Some of these pet apps control smart feeding systems that dispense food on a set schedule or in response to the animal’s behavior. These apps and platforms also allow owners to track and manage their pets’ health records and connect with veterinary professionals.
The leaky apps problem is widespread, far beyond just pet apps, according to Ashish Patel, GM/EMEA at mobile security solutions firm Zimperium.
The issue is evident across all markets, countries, and applications. It involves sharing unencrypted information in clear text and sharing data on open cloud-based servers.
“It is a problem that is now coming to the forefront, but we see more organizations applying security from development, with scanning technologies in the development of the app to produce more secure apps, to ensuring the app is obfuscated, the keys are encrypted and also as important that it is running on a secure [non-breached] device with run-time protection, Patel told TechNewsWorld
What Researchers Discovered in Pet Apps
Researchers did not divulge the names of the pet apps they analyzed. Nor did they clarify which type of content leaked from specific apps.
However, they verified that the apps sent developers sensitive user information, including email addresses, location data, and pet details, without encryption or user consent.
Several of these apps put users at risk by exposing their login or location details.
Three applications had the users’ login details visible in plain text within non-secure HTTP traffic, which means that anyone can observe the internet traffic of someone using one of these apps and can find their login information, according to the Newcastle University statement.
In addition, two of the apps also showed user details, such as their location. That may enable someone to access their devices and risk a cyberattack.
Tracking software embedded in four apps posed another concern: trackers can gather user data related to how they use the app or the smartphone.
Analysis showed 21 apps track users before they consent, violating current data protection regulations.
Researchers’ Privacy and Security Warnings
Scott Harper, a Ph.D. student at Newcastle University’s School of Computing and the study’s lead author, noted that pet tech products, such as smart collars and GPS trackers, is a rapidly growing industry. It brings with it new security, privacy, and safety risks to pet owners.
“While owners might use these apps for peace of mind about the health of their dog or where their cat is, they may not be happy to find out about the risks the apps hold for their cybersecurity,” he offered in the university’s statement.
Harper urged users to ensure they set up unique passwords, check the settings, and consider how much data they are willing to share.
Report co-author Dr. Maryam Mehrnezhad, from the Department of Information Security at Royal Holloway, University of London, added that using modern technologies to improve several aspects of our lives often involves cheap technologies that come at the price of users’ privacy, security, and safety.
“Animal technologies can create complex risks and harms that are not easy to recognize and address. In this interdisciplinary project, we are working on solutions to mitigate such risks and allow the animal owners to use such technologies without risk or fear,” she said.
Second Study Shows User Complacency
The research team conducted a second study that surveyed 600 participants from the U.K., U.S., and Germany. They questioned the technologies used, incidents that occurred, and the methods used to protect their online security and privacy in general and specifically in pet apps. Researchers published survey findings in the journal Proceedings of the 12th International Conference on the Internet of Things. Their results revealed that the participants believe that a range of attacks may occur targeting their pet tech.
Despite this concern, respondents said they take few precautions to protect themselves and their pets from the possible risks and harms of these technologies. The university statement did not disclose numerical results.
“We would urge those developing these technologies to increase the security of these devices and applications to reduce the risk of their personal information or location being shared,” offered co-author Dr. Matt Leach, director of the Comparative Biology Centre, Newcastle University.
Cybersecurity Insider Reactions
Application developers, especially for apps not “security first” in their nature, often prioritize features and usability over security in a rush to differentiate in-market, according to Casey Ellis, founder and CTO at crowdsourced cybersecurity firm Bugcrowd. Speed is the natural enemy of security, so rapid go-to-market areas like mobile applications see these sorts of issues rather frequently.
“Ultimately, [vulnerabilities vary and] come down to the risk for the individual user. For example, for some people, a privacy violation might not seem that big a deal. For others, it might create an immediate personal safety issue,” Ellis told TechNewsWorld.
Regardless, app developers must ensure that security and privacy controls are behaving as expected by the user, which clearly is not a consistent theme here, he added.
App users should realize that if they are not paying for an app or service, they are the product. Your data and usage are how the company will make money, warned Zane Bond, head of product at cybersecurity software firm Keeper Security.
“Be aware of this and understand that most services are not free. You just do not realize the cost upfront. Even with many paid services, your data is still up for sale,” Bond told TechNewsWorld.