Don’t trust your apps, mobile security specialists warn

Do you know what data the apps on your smartphone are collecting? For most of us, the answer is probably, “I have no idea.” We swipe quickly through the download prompts without thinking twice.

That’s why a group of app developers and mobile security specialists issued a warning during a panel at the SXSW tech conference in Austin, Texas, on Friday. They say users need to start taking a far more proactive attitude when it comes to ensuring that their information is safe.

As mobile apps become increasingly ingrained in all facets of people’s lives—from romance to banking—the average smartphone in 2014 has come to hold a shockingly large amount of information about its owner.

“Think about everything about you that’s on your phone,” panelist Erich Stuntebeck, director of mobility research at enterprise mobile software developer Airwatch, said. “There are people who will pay good money for that data on some dark corner of the Internet.”

One of the main issues is app permissions. When someone downloads an app, it’s typically required to explicitly ask for the user’s permission before it can start accessing data contained on the phone. These requests can include things like access to a phone’s address book or permission to automatically make posts on the user’s Facebook wall.

Stuntebeck urged the audience not to automatically press OK—as most people do almost instinctively—but actually give some consideration to what it’s specifically asking for. “Be careful about what permissions you grant to an app,” he advised. “If you’re downloading a flashlight app, why does it need to know your GPS location?”

Panelist Alan Murray, a vice president at the mobile app development company Apperian, noted that, in some cases, saying you don’t want an app to access your phone’s data doesn’t mean the program won’t just do it anyway:

A lot of times you download an app and it asks to use your location data. You say ‘no’ and you assume that it isn’t going to track you, but that’s not necessarily the case. It’s connecting to a web service, looking at your IP address and figuring out where you are from there. There are a lot of techniques they can use to still find your location. These apps are extremely dangerous because they’re lulling you into a false sense of security that your location isn’t being tracked when it actually is.

“Just because you trust an app today, doesn’t mean you trust it tomorrow,” added Murray. “Once you’ve accepted an app, you’ve given it carte blanche. The behavior of that app may change tomorrow with the next update to something you’re not comfortable with.”

Putting the responsibility of ensuring data privacy entirely on users, however, is in many ways problematic.

Within the tech-savvy confines of SXSW, it can be reasonably assumed most people understand the privacy risks every time they download a new app and how to minimize those risks. But that expectation may be unreasonable for a general public that just wants to check out the new flavor of the week and then get on with their lives—especially when 90 percent of all apps are deleted after a single use.

The panelists advocated for smartphone users to take advantage of mobile security apps like Avast that scan phones for viruses and malware hidden inside apps.

Even so, the panelists acknowledged that simply by exclusively downloading apps from trusted marketplaces like Google Play or the Apple app store, users increase their security substantially. The companies enforce rigorous evaluations before granting an app approval to be sold on the platform. The panelists pointed out that app security is a bigger issue outside of the United States, particularly in developing countries, where people download a lot of apps from less trustworthy marketplaces.

Pointing to Apple’s famously stringent approval procedures, the panelists mostly felt that the ecosystem of iPhone apps is the safest; however, Murray cast some doubts.

“I would have agreed with the statement that Apple users are safer than those on Android until about three weeks ago, but now I’m not so sure,” he said, pointing to recent revelations about the goto fail exploit that an iPhone app could use to capture encrypted data sent over the device. “But I would say that the vetting process is tighter on the Apple app store than on Android.”

When moderator Fahmida Rashid, a security analyst at PC Magazine, asked the audience what type of cell phones they used, she discovered the room was about evenly split between Apple and Android phones. But, when she asked if anyone used a Windows phone, she was the only person in the room who raised her hand.

“Maybe the most secure mobile phone platform is the one the least number of people use because that’s the one hackers are least likely to develop malware for,” Stuntebeck answered with a laugh.


Photo by GAMEVIL Inc./Flickr (CC BY-SA 2.0)

Aaron Sankin

Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.