Apps released by the campaigns of top 2016 presidential candidates contain security weaknesses that may leak users’ personal information, according to a report released on Monday by the cybersecurity firm Symantec.
The problematic apps aren’t limited those released by third-parties, though third-party apps make up the vast majority of available 2016 apps. Apps promoted by the campaigns of Texas Sen. Ted Cruz (R) and Ohio Gov. John Kasich (R) also have the potential to have their data intercepted by third parties.
Over the course of the 2016 election cycle, the number of smartphone apps about the race has skyrocketed. Between last November and this March, the total number of instances of presidential-primary apps being installed on mobile devices has jumped from 1000,000 to over 140,000, Symantec found. A full three-quarters of these apps are in some way connected to GOP frontrunner Donald Trump. Vermont Sen. Bernie Sanders was the focus of 13 percent of election apps, former Secretary of State Hillary Clinton was at 7 percent, and three other Republican candidates shared the remaining five percent.
The overwhelming majority of these apps are not released by the campaigns of any individual candidate.
“In the case of the official John Kasich 2016 mobile app, every app you have installed on your device and your location may be exposed.”
“Downloading election apps may be a quick way to surrender your sensitive data to unwanted eavesdroppers, especially if you use unsecured Wi-Fi or automatically connect to public Wi-Fi hotspots,” the report reads. “Symantec has found that out of more than 1,200 presidential primary-related Android apps we looked at, more than 50 percent exposed sensitive data. Of the most popular primary election apps we observed—those with more than 1 million downloads—nearly 25 percent were found to be exposing sensitive data.”
The most common type of information exposed by these apps was a list of the other apps installed on a given device, followed closely by the type of device itself. Just over 10 percent revealed the user’s location, the international mobile subscriber identity (IMSI) number specifically identifying the user’s SIM card. Two percent of the apps or below exposed information like phone numbers and user names for social networks like Facebook or Twitter.
Many of these problems extended to the mobile apps of the candidates.
“We found the official apps for John Kasich and Ted Cruz may expose sensitive data,” the report notes. “In the case of the official John Kasich 2016 mobile app, every app you have installed on your device and your location may be exposed. In the case of the official Ted Cruz ‘Cruz Crew’ app, your mobile device details and unique IMSI identification may be exposed.”
This report is not the first time the Cruz campaign has been dinged for its app. Last year, the campaign received criticism for encouraging supporters who had downloaded the app to share the contact info of their friends and family members with campaign through the app.
“The primary related subcategory of apps falls near the middle with respect to PII [personally identifiable information] exposure when compared to other categories,” Symantec engineer Shaun Aimoto told the Daily Dot in an email. “Finance apps expose PII much less often, and mobile games expose PII much more often.”
Researchers also looked at the mobile app released by the Sanders campaign, but they found no information exposure.
Officials from neither the Cruz nor Kasich campaigns responded to requests for comment.