UPDATED 02:55 EST / DECEMBER 22 2015

‘Naughty’ holiday apps put personal and corporate data at risk, says Appthority

The holiday season is in full swing and consumers are using mobile apps to shop, have a bit of fun and even to donate to charities. According to Appthority Inc., a provider of app risk management services, consumers may be putting both personal and enterprise data at risk by using certain holiday apps.

Appthority’s Enterprise Mobile Threat Team analyzed 10 popular holiday apps in categories that include holiday fun, shopping, holiday cards, and donation apps and labeled each app as ‘naughty’ or ‘nice’, depending on how secure it is.

Along with obvious security risks, Appthority pointed out that apps used only over the holidays are often installed, used for a week or two, and forgotten by consumers. As these apps are unlikely to receive any updates – to security or otherwise – until the next holiday season, they pose a significant risk when left installed on devices, especially those also used within an enterprise environment.

Of the 10 holiday apps tested, only two made it onto Appthority’s ‘nice’ list. Below is a breakdown of the ‘naughty’ and ‘nice’ lists of holiday apps.

‘Naughty’ holiday apps posing a security risk

Elf Yourself, an app that lets users “elf” themselves and star in a personalized video featuring their photos on holiday dancing elves, was found to disclose file paths to its source code, exposing information related to the app developer and development environment.

Appthority was able to identify the software developer and related personal information such as social media profiles, information the company says can be used to launch phishing attacks using social engineering to get at sensitive corporate data handled by the app.

Shopping apps ShopSavvy, Shop Advisor, Amazon and Walmart all made it onto the naughty list thanks to risky behavior such as operating in the background when not in use. When it comes to protecting personal or corporate payment information, Shop Advisor and Amazon encrypt personally identifiable information (PII) while ShopSavvy and Walmart employ no encryption of PII, leaving users vulnerable to attack.

SomeEcards, JustWink and 123Greetings, all apps that allow users to send digital holiday cards, were found to send personal data to third parties, including ad and social networks. 123Greetings stood out as more ‘naughty’ than the rest as its permissions include access to a user’s address book, permission to make calls and send SMS messages, all far removed from the app’s advertised purpose.

‘Nice’ holiday apps that are safe(r) to use

Got Free Cards, another digital holiday card app, shares data with ad networks but still made the ‘nice’ list since it collects minimal personal information about its users.

Donation app One Today is also on the ‘nice’ list as it doesn’t collect unnecessary information and employs encryption to safeguard the personal information it does collect.

As Appthority suggests, it’s best to delete holiday apps – or any other apps, for that matter – that you no longer use regularly to protect yourself and your employer. Or simply avoid the risk by not using risky apps in the first place.

Image credit: Andy Blackledge, Flickr
