Alert Number: I-033126-PSA

Data Security Risks of Using Foreign-Developed Mobile Apps in the United States


The Federal Bureau of Investigation (FBI) is releasing this Public Service Announcement to highlight data security risks associated with foreign-developed mobile applications (apps) frequently used in the United States; however, these concerns are global. As of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China. The apps that maintain digital infrastructure in China are subject to China's extensive national security laws, enabling the Chinese government to potentially access mobile app users' data.

Data Collection and Security Risks

Users should be aware of what user data these apps request access to upon download. When access is permitted by the user, the app can persistently collect data and users' private information throughout the device, not just within the app or while the app is active.

  • Some platforms offer the option to invite friends or contacts to use the apps. With default permissions, developer companies can store collected data on users' private information and address books, such as names, e-mail addresses, user IDs, physical addresses, and phone numbers of their stored contacts. This permission gives the apps access to a host of personal information belonging to both users and non-users in their contact lists.
  • The apps' privacy policies list where the collected data, including personal information and system prompts, is stored. Some of the apps state that the collected data is stored on servers located in China for as long as the developers deem necessary. Some apps allow users to choose to run the app locally by downloading a version directly to the users' devices, which allows users to run queries without accessing the cloud-based version; this may prevent data transfer to China or a third country. Some apps do not allow the users to operate the platform unless users consent to data sharing.
  • Some apps may also contain malware that could collect data beyond what is authorized by the user. This could include malicious code and hard-to-remove malware designed to exploit known vulnerabilities in various operating systems and insert a backdoor for escalated privileges, such as enabling the download and execution of additional malicious packages designed to provide unauthorized access to users' data. Downloading apps from unfamiliar websites or third-party app stores carries a higher risk of installing malware. Official app stores scan for malicious content, lowering the risk of malware or malicious code on devices.

Tips to Protect Your Data

These data security risks are not specific to mobile apps or to apps that are foreign-developed. Good cyber hygiene is crucial to protecting your digital identity.

The FBI recommends individuals take the following precautions:

  • Disable unnecessary data sharing;
  • Only download verified apps from official app stores;
  • Change and update passwords regularly;
  • Perform regular device software updates; and
  • Read the terms of service or end user license agreement before downloading apps.

The FBI recommends using the following resources to help to protect your data:

Report It

If you believe your data has been compromised, or you have experienced suspicious activity related to a foreign-developed mobile app, file a complaint with the IC3 at www.ic3.gov. Be sure to include any available information, including:

  • Device type and operating system;
  • Name of the app and the developer or company;
  • Where the app was downloaded from;
  • Date the user downloaded or began using the app;
  • Specific permissions granted to the app;
  • Types of data believed to be compromised, such as contact lists, location, messages, photos, etc.;
  • Any suspicious activity on the device or accounts after installing the app, like unusual data usage, battery drain, unauthorized access, etc.;
  • Whether the app was used via a cloud-based or locally downloaded version;
  • Any malware detection alerts or security warnings received; or
  • Financial losses or identity theft resulting from app use.