How Much Data Do Retailers’ Apps Really Expose?


When it comes to their access to customer data, some retailers’ mobile apps might have landed on Santa’s naughty list this year.

They’ve at least caught the attention of software security company Avast, which has informally investigated a random selection of mobile applications from Home Depot, JCPenney, Macy’s, Safeway, Target, Walgreens and Walmart to find out just how much these major retailers are able to know about their customers through their apps.

In a blog post that deals specifically with Target and Walgreens, Avast says the answer turns out to be quite a lot. The company also reports that not all of the data collected is essential for the apps’ functionality.

Users who maintain a Christmas wishlist on Target’s app may be unwittingly exposing it to more than their family and friends because, according to Avast, Target’s API is easily accessible online and does not require authentication. Anyone who can figure out how the user ID is generated for the mobile app (which the “Avast Security Warriors” did) is able to automatically parse the data stored within it.

With relative ease, Avast gained access to 5,000 inputs containing names, email addresses, shipping addresses, phone numbers, the type of registries and the items on the registries in Target’s mobile app database (the outlet makes it clear that it did not store any of the personal information that was uncovered).

As for Walgreens, Avast deems that retailer the one whose mobile app requests the greatest number of extraneous permissions (the story also notes that Home Depot came in second in that regard). Walgreens’ app has access to change a user’s audio settings, pair with his or her Bluetooth devices, control his or her smartphone’s flashlight and run at startup, all of which, Avast points out, are completely unnecessary for the app to function properly.
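
The kind of permission review described above can be automated against an app's manifest. The sketch below is an added example, not Avast's tooling or any retailer's code: it assumes an Android app, uses a constructed manifest for a hypothetical package, and maps the four capabilities named above to their Android permission identifiers; the `JUSTIFIED` baseline is likewise an assumption standing in for the app's documented feature needs.

```python
import xml.etree.ElementTree as ET

# Attribute names in AndroidManifest.xml live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical retail app (not from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.retailapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
""".strip()

# Assumed baseline: each permission the app's features need, with the reason.
JUSTIFIED = {
    "android.permission.INTERNET": "calls the store API",
    "android.permission.ACCESS_NETWORK_STATE": "detects offline mode",
}

def requested_permissions(manifest_xml):
    """Return every permission the manifest requests, de-duplicated, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    # uses-permission-sdk-23 is the variant applied only on API level 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name and name not in names:
                names.append(name)
    return names

def unjustified_permissions(manifest_xml, justified):
    """Return requested permissions that have no documented feature need."""
    return [p for p in requested_permissions(manifest_xml) if p not in justified]

if __name__ == "__main__":
    for perm in unjustified_permissions(SAMPLE_MANIFEST, JUSTIFIED):
        print("no documented need:", perm)
```

Run as a release gate, a non-empty result means a permission was added without a recorded reason and should be justified or removed before shipping.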