The new Mobile App Profiler (ZAP) from ThreatLabZ at Zscaler is a free online tool that makes it easy for users to assess mobile apps for security risks. ThreatLabZ, Zscaler's security research arm, used ZAP in research which revealed that up to 10 percent of mobile apps expose user passwords and login names, 25 percent expose personally identifiable information and 40 percent communicate with third parties. There are over one million mobile applications, and more than 1,500 new apps being released every week. Users who download these apps, even from trusted sources, assume security measures are built-in. However, ThreatLabZ' research showed that is not always the case. The ThreatLabZ team analyzed hundreds of applications, and found that many popular apps leave user names and passwords unencrypted, while others are insecurely sharing personal information – such as names, email addresses and phone numbers – as well as communicating with third parties, including advertisers. “App stores have strict guidelines about which logos and colors developers can use, yet application security remains largely unenforced,” said Michael Sutton, vice president of Security Research at Zscaler. Sutton suggested that by using ZAP, both average consumers and corporate IT staff could easily assess the security risks of apps before they are installed, and analyze installed apps for privacy violations. ZAP is accessed online through http://zap.zscaler.com. Use the tool to search the name of any iOS or Android app, and receive an assessment of its security and privacy risks, along with an overall risk score. Users can also use ZAP to scan traffic from an app installed on their device to see whether their own data is being exposed. No security expertise is needed to use ZAP. As more users submit mobile apps for analysis, Zscaler's ThreatLabZ team adds the results to the ZAP database, in effect crowdsourcing the security profiles of thousands of mobile apps. A video walkthrough on how to use the tool is available at youtube/r9pW8PCyxCo. Saudi Gazette tried ZAP and found that for popular apps, the tool provides an immediate assessment. But for new, or less well-know apps, the tool advises, “ZAP has added the application into the analysis queue so that it will be analyzed by the ZAP team.” It then provides the option for the user to scan the app – which requires the official Apple iTunes/Google Play URL plus the SSL certificate. That's simply not convenient for most people. If the tool becomes popular and Zscaler puts more resources into app analyses the crowdsource concept will pay off and more app security information will be available to casual users.
