10% of Mobile Apps Leak Passwords, 40% Communicate with Third Parties

San Jose, California, October 8, 2012

Zscaler, the leader in security cloud solutions, announced today the results of an analysis from ThreatLabZ, the company’s security research arm, which reveals that up to 10 percent of mobile apps expose user passwords and login names, 25 percent expose personally identifiable information and 40 percent communicate with third parties. The analysis was done using the new Zscaler Application Profiler (ZAP), a free online tool that makes it easy for users to assess mobile apps for security risks.

There are over one million mobile applications, and more than 1,500 new apps being released every week. Users who download these apps, even from trusted sources, assume security measures are built in. However, the new research from Zscaler ThreatLabZ shows that is not always the case. The ThreatLabZ team analyzed hundreds of applications, and found that many popular apps leave user names and passwords unencrypted, while others are insecurely sharing personal information—such as names, email addresses and phone numbers—as well as communicating with third parties, including advertisers.

“App stores have strict guidelines about which logos and colors developers can use, yet application security remains largely unenforced,” said Michael Sutton, vice president of Security Research at Zscaler. “Using ZAP, mobile app developers, users and corporate IT organizations can easily assess the security risks of apps before they are installed, and analyze installed apps for privacy violations.”

Zscaler’s Application Profiler is an easy to use online tool where users can search the name of any iOS or Android app, and receive an instant assessment of its security and privacy risks, along with an overall risk score. Users can also use ZAP to scan traffic from an app installed on their device to see whether their own data is being exposed. No security expertise is needed to use ZAP. As more users submit mobile apps for analysis, Zscaler’s ThreatLabZ team adds the results to the ZAP database, in effect crowdsourcing the security profiles of thousands of mobile apps. A blog post with video walkthrough on how to use the tool is available at http://research.zscaler.com/2012/10/introducing-zap.html.

Sutton is debuting the free ZAP tool at the RSA Conference on Tuesday, October 9th, at 3:30pm GMT, where he is presenting a session titled “Opening the Kimono; Automating Behavioral Analysis for Mobile Apps.”



About Zscaler

Zscaler is revolutionizing Internet security with the industry’s first Security as a Service platform. As the most innovative firm in the $35 billion security market, Zscaler is used by more than 5,000 leading organizations, including 50 of the Fortune 500. Zscaler ensures that more than 15 million users worldwide are protected against cyber attacks and data breaches while staying fully compliant with corporate and regulatory policies.

Zscaler is a Gartner Magic Quadrant leader for Secure Web Gateways and delivers a safe and productive Internet experience for every user, from any device and from any location — 100% in the cloud. With its multi-tenant, distributed cloud security platform, Zscaler effectively moves security into the internet backbone, operating in more than 100 data centers around the world and enabling organizations to fully leverage the promise of cloud and mobile computing with unparalleled and uncompromising protection and performance. Zscaler delivers unified, carrier-grade internet security, next generation firewall, web security, sandboxing/advanced persistent threat (APT) protection, data loss prevention, SSL inspection, traffic shaping, policy management and threat intelligence—all without the need for on-premise hardware, appliances or software. To learn more, visit us at www.zscaler.com.


Additional Resources:

Media Contacts:

Whitney Black 
Director of Communications 
650-260-4616
joynpx@mfpnyre.pbz