There are hundreds of thousands of applications available for iOS, Android, Windows and Blackberry, via their respective app stores and third-party sites. But not all of them are worth your time and money. We Live Security looks at five signs the app you’re about to download could be risky, and worth investigating further.
Perhaps the biggest complaint right now with mobile applications, irrespective of which operating system they run, is that they require too many permissions before you can download the application.
For example, take your average free flashlight app. There’s no real reason for any of these to have access to core device functionality, and yet many apps like these want to tap your contacts, photos and location. Other apps, such as one listing cinema showing times, ask for access to your photos.
Why is this risky? Well, for starters, you don’t know whether the vendor is securing this information or, more likely, whether they are collecting it and then selling it on to third parties such as ad networks and analytics companies.
And with many of these apps asking for your location, tracking becomes a potential concern with some experts suggesting that the information, if it ended up in the wrong hands, could alert criminals to when you’re not at home.
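The flashlight example above can be turned into a repeatable check. The following is an added example, not part of the original article: it reads an Android manifest that has already been decoded to plain XML and reports personal data the app requests beyond what its category needs. The `SENSITIVE` and `EXPECTED` tables and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: reviewer-maintained map of permission -> personal data it exposes.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
    "android.permission.CAMERA": "camera",
}

# Assumption: data each app category plausibly needs
# (older Android versions drive the LED through the camera API).
EXPECTED = {"flashlight": {"camera"}, "cinema_listings": {"location"}}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return every permission the manifest declares, sorted by name."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Permissions can be declared with either element, so check both.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return sorted(names)


def unexpected_access(manifest_xml, category):
    """Map each kind of personal data to the permissions that expose it
    when the app's category gives no reason to need that data."""
    allowed = EXPECTED.get(category, set())
    findings = {}
    for permission in requested_permissions(manifest_xml):
        data = SENSITIVE.get(permission)
        if data and data not in allowed:
            findings.setdefault(data, []).append(permission)
    return findings
```

An unknown category allows nothing, so every sensitive permission is reported for manual review.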
Increasingly, mobile apps on app storefronts are free but with a catch; the free app will serve ads and come with standard features, while those seeking an ad-free experience with more functionality will have to upgrade in-app.
On most occasions this is a mild irritation but there have been occasions where ad networks, used to insert ads into apps, have been hacked. For instance, the “Vulna” ad library, which collected personal info about users, could be used to attack Android devices. Researchers estimated that apps running Vulna in the background had been downloaded more than 200 million times.
Name looks similar to existing app
iTunes and Google Play are generally very good at spotting malicious apps, but some do still get through the app review process. Meanwhile, other users are putting themselves at substantially more risk by downloading apps from third-party app stores.
It’s on these third-party app stores that you need to be especially vigilant, watching out for malicious software disguised to look and feel like the legitimate app. They could be a carbon copy, but still be secretly harvesting your details. Alternatively, and this is especially true on those third-party marketplaces, they could be legitimate, but cracked and repackaged by criminals.
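A store operator or enterprise app reviewer can screen listings for both cases described above. The following is an added example, not part of the original article: it relies on the fact that a repackaged app has to be re-signed by someone who lacks the original developer's key, so its signer differs even when the package name is identical. The catalogue, fingerprints (placeholders) and similarity threshold are assumptions constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed catalogue of known-good apps. Signer values are placeholders
# standing in for real signing-certificate fingerprints.
KNOWN_GOOD = [
    {"name": "Example Bank", "package": "com.examplebank.mobile",
     "signer": "PLACEHOLDER-FINGERPRINT-A"},
    {"name": "Photo Chat", "package": "com.photochat.app",
     "signer": "PLACEHOLDER-FINGERPRINT-B"},
]


def normalise(name):
    """Fold case and drop accents, spaces and punctuation so cosmetic
    differences in a display name do not hide a near match."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if c.isalnum()).casefold()


def classify(listing, threshold=0.85):
    """Return (verdict, matched_app_name) for a store listing.

    genuine    - same package id and same signer as a known-good app
    repackaged - same package id but a different signer
    lookalike  - different package id but a near-identical display name
    unknown    - nothing in the catalogue resembles it
    """
    by_package = {app["package"]: app for app in KNOWN_GOOD}
    app = by_package.get(listing["package"])
    if app:
        same_signer = listing["signer"] == app["signer"]
        return ("genuine" if same_signer else "repackaged"), app["name"]

    candidate = normalise(listing["name"])
    for app in KNOWN_GOOD:
        ratio = SequenceMatcher(None, candidate, normalise(app["name"])).ratio()
        if ratio >= threshold:
            return "lookalike", app["name"]
    return "unknown", None
```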
In-app purchases are a risk, but not so much from a security perspective. Instead, they are a concern because users can unknowingly spend much more money when inside an app than initially intended.
There have been numerous stories about children, using their parents’ iPhone or iPad, racking up application bills into the tens of thousands. This forced Apple to settle with the FTC last year for $32.5 million to provide full refunds to certain apps.
Users, and especially those with children, should therefore look to set the child controls on their iOS and Android devices. In iOS, go to Settings, General, Restrictions and ‘Enable Restrictions’. For Android, go to the app settings, user controls and set a PIN to confirm in-app purchases.
Authentication is always an issue with any online service; passwords are crackable and difficult to manage, while even biometrics and Single Sign On (SSO) have flaws.
The latter, which lets you use your Facebook or Twitter profile to log in to various sites, is a bonus for speed and convenience but isn’t immune from attack. Hackers could well launch a brute-force attack against the passwords used for these social networks – and subsequently gain access to any other accounts using the same credentials to log in.
Biometrics is also not infallible if there’s no back-up authentication method; just last week, researchers showed how they could clone a fingerprint on a Samsung Galaxy S5.
Furthermore, even though Apple prohibits iOS developers from accessing the device identifier, the UDID, a study from Appthority last summer showed that 26 percent of the top iOS apps still did.
The lesson in all of this is to use SSO only for apps and sites you really trust, and to use two-factor authentication (2FA) where possible as a secondary method of authentication.
The sad fact is that many application developers are rushing their apps to market so quickly that they sometimes don’t get the code right, with security and privacy often not in-built from the start. Look at all those apps with exposed vulnerabilities and there’s your proof.
A requirement of all applications should be that they encrypt your data end to end – including when in transit and when at rest. However, as apps like WhatsApp, Viber and numerous others have found out, a lack of encryption could be exploited, enabling hackers to steal all data about the user, including name, email address, phone number, home address, and credit card info.
Sadly for users, there’s no immediate way to check if an app is securing the data it saves or transmits. The only thing you can do is check the terms and conditions, the permissions and read app reviews. Those who are technically more advanced could monitor app data transmission and storage, but this is more difficult to do.
Author Karl Thomas, ESET