Smart Phone, Bad App

As the number of apps for smartphones continues to grow, perhaps your paranoia about such apps should be growing as well. In an unusual statement, the former director of the CIA has warned that the government isn’t sharing enough information about cyber security.

In an article at http://www.wired.com/threatlevel/2011/03/hayden-cyber/, retired four-star Gen. Michael Hayden is quoted as saying that over-classification is occurring due to bad habits that “are keeping the government from educating the public about the sorry state of cyber security”.

In particular, General Hayden remarks that “In the popular culture, the availability of 10,000 applications for my smart phone is viewed as an unalloyed good. It is not — since each represents a potential vulnerability. But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat. To do that we need to recalibrate what is truly secret.”

Yes, each app that you install on your smartphone is a potential vulnerability. It is precisely for that reason you should be making decisions about what you installed based upon rational thought processes. There are some things that the reward is not great enough to warrant the amount of risk taken. For example, you might choose not to drive 120 MPH (193 KPH) because the cost of potentially getting killed or injured isn’t worth the benefit of arriving sooner, or perhaps even the benefit of the fun of driving so fast. If you do choose to drive that fast where it is not permitted, and you do get caught, you may discover that the consequences are so extreme you wish you hadn’t have taken the chance.

When it comes to installing software on your smartphone, take a good look at what you may be risking. Do you do online banking or shopping with your smartphone? Do you have business contacts? Contact for friends? How about access to an email account with private emails? All of the information may be compromised if the wrong app is installed. After you identify what assets you have and their value, then consider the app you are installing. What is the benefit it poses to you? Is it worth potentially risking your information for a funny picture or a game you might play a couple of times a year and can probably play online, rather than installing it on your smartphone?
 
The important thing to notice here is that General Hayden is telling you that each application is a potential vulnerability. This means that you should be prudent when installing applications on your smart phone. Do a serious risk/benefit analysis. Do you use your smart phone for online banking? If the answer is yes, then there is more risk. Do you use your smart phone to compose emails that are private and you do not want shared with anyone other than the intended recipient? If the answer is yes, then there is a significant degree of risk. Do you have business information on your smart phone? If yes, that adds a degree of risk.

Do you know anything about the developer of the app? Reputation is a valid part of the equation, but even reputable developers will make mistakes that can allow a hacker access to your device.

The lessons are something that the automotive industry has yet to learn. As automobile manufacturers add computerized systems to vehicles, it seems that they are not paying attention to the fact that hackers are going to attack these systems, so robust security has not yet become a known quantity in the automotive industry. This is the reason that even your car is a risk from hackers http://www.technologyreview.com/computing/35094/?nlid=4233.
Are you sure you want to install that smartphone app that tells you the state of charge on your car? You have a potentially vulnerable system on your car and now you compound vulnerability by adding another app to your phone. It would be one thing if the app could make the car charge faster, but if the information isn’t going to really make any difference, then perhaps you could do without the amusing app.

I’m not saying that you should not install any apps, but do keep in mind that each app is a potential vulnerability and ask yourself if the benefit the app provides is worth the added risk. Sometimes, even if the benefit is simply entertainment it is worth the risk. Quality of life has value and that is a legitimate part of the equation, but at least do the math!

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Author ESET Research, ESET

  • kurt wismer

    i'm all for making rational risk/benefit analysis when possible, but i'm afraid that one side of that equation (the benefit) is unknown before the app is installed.
    one of the main reason anyone installs a program on any computing device is to see what it does and if it can help them do something. on traditional PCs we can do this sort of thing in a sandbox (though most people don't bother), but what can smartphone users do? do smartphone users realistically have the tools necessary to get the information they need in order to make risk/benefit analyses?

  • Randy Abrams

    Often times the benefit is known. If you are installing a game, you know the "benefit". Screen saver, notepad, calculator, barcode scanner, etc. Smartphone users can often assess what the benefit is going to be and then decide if they wish to risk it. In the case of the Android platform the user knows what resources the app will have access to, however not how the app may choose to use the resources.

  • kurt wismer

    i would argue that you're looking at this from the perspective of a security geek rather than an ordinary user. you're making judgments about the benefits of something based entirely on what broad category that thing fits into.

    in theory the benefit of a game is that you can derive enjoyment from it, and yet there are plenty of games that a particular user won't enjoy. so too with a screen saver, a notepad, a calculator, a barcode scanner, etc.

    we don't buy shoes without trying them on first. we don't buy cars without first going for a test drive in them. but with apps we have to commit to installing them before we can try them out and see what the benefits really are.

    furthermore, while you and i may practice a more purpose-driven approach to software procurement, less sophisticated users don't have as clear an idea of what computers are capable of in general or how useful various functions and features can be to them personally and are thus more inclined to follow an exploratory/experimental mode of computer operation. they must suspend judgment because they lack the experience that you and i use to perform the very kinds of classification we're displaying here.

    in short – there really needs to be a mobile device equivalent of a sandbox. not just for advanced users to test software, but also for beginner users to gain experience.

    • Randy Abrams

      I’m suggesting that people realize there is risk, and then decide what they want to install. Right now too many users do not realize there is risk at all!

  • kurt wismer

    that realization is something that comes with experience. not necessarily first hand experience, but experience none the less.

  • Craig

    Randy, you're missing a word in the sentence containing "120 MPH". I suspect the word "killed" or "injured" should go after the words "the cost of potentially getting".     :-)

    • David Harley

      Thanks, Craig. Fixed.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.