The Security Cost of Free Smartphone Apps
- July 6, 2016
- Posted by: GSS Ghana
- Category: Information Security, Risk Management
There are hundreds of thousands of them to choose from now whether you have an iPhone, an Android or some other version of smartphone.
Free mobile applications sound like a great bargain, but be aware that if you aren’t careful, the price you pay could be significant. While Apple and Google provide some filtering of applications, their requirements are not as strict as you might believe. Most mobile apps are tracking you and gathering information from your device. The most harmless among them use the gathered information to sell to you based on your habits; others carry malware; and the most harmful blatantly steal your data and attempt to steal your money.
Before you are given access to download an app, you have to check the “Agree to Terms & Conditions” box, giving the application owner whatever access they require to your phone. The app owner may ask for access to many things including:
- Identity – know your identity
- Device ID & call information
- Send and receive text messages
- Make and receive calls
- Access and control other user accounts on your phone like social media accounts…
- Access and control contacts
- Access and control all of your pictures
- Access and control all of your videos
- Access and control all of your SD card content
- Access and control your microphone
- Access and control your camera
- Access and control your video recorder
- Access your exact physical location
- Access and control other applications on the phone
- Read, modify or even delete any file on the phone
- Use and control Bluetooth connections
- Use and control Wireless Network connections
It is wise to assume that any application which asks for one or more specific permissions when you download it is harvesting data from you, data which is valuable to someone. Some “free” apps are tainted with spyware or malware that might be accessing financial account information or credentials stored on your phone. This could allow a thief to steal from one of your accounts and make fraudulent charges.
Applications running in mobile operating systems must sometimes obtain permissions to access certain information in order to work properly. Many apps request permission to do things that have no correlation with what is needed to provide proper functionality to you. Some application owners may not do anything which is blatantly malicious, but they request numerous permissions, permitting them to mine your data. The purpose of this data mining is to market products to you based on your observed activities. Google, Amazon, and many other large companies are already doing this via most of your devices but you can retake control there as well. We’ll save that for another time.
Terms and Conditions – Understand What You’re Allowing
Read what pops up when you ask to download a new app. Most people automatically click yes without reading or understanding the permissions they are granting the app owner.
Too often, users find and accidentally download counterfeit apps that look just like popular apps you may know from Facebook or other sites. You will see this even in the Apple and Google App Stores. Act cautiously and be sure you know and understand what the right app looks like before installing it. Always do your due diligence. Know the app owner, read the app reviews and ratings. Apple and Google are not providing full security reviews of the apps sold or given away there so don’t assume everything there is safe.
Mobile Security Is Critical for the Individual and the Enterprise
The security on a mobile device is often weaker than that on a computer since most of the apps on your computer don’t require access to sensitive information and confidential files in order to function. Use a security container like Good or KNOX so that sensitive data is encrypted and separated from data which you are ok with publicly sharing. The container allows the user to launch a virtual environment where users can more securely access sensitive personal or business files which can include corporate email and other business applications.
Mobile apps that are outside of the container can’t touch anything inside it, and if someone other than you picks up the phone, they won’t be able to access anything inside the container without your credentials. Subscribe to a service or use an application that allows you or your corporation to remotely delete the contents of your phone if it’s lost or stolen. Use reputable mobile security apps that cover many mobile security concerns and is widely trusted by many large organizations.
Keeping Your Mobile Device More Secure
Assume that everything you do on a mobile app can be easily accessed, viewed, and even controlled by others unless you’ve added extra protections like the encrypted container feature we discussed
Mobile Security Tips
- Use two-factor authentication on your phone, and ideally use a one-time password like the Google Authenticator service.
- Use long passwords for accounts, at least 16 characters but ideally 21 characters.
- Backup your mobile phone data locally and if you desire to a cloud service, such as the Google or Verizon Cloud. Make certain that you are not backing up things that you don’t want in the cloud.
- Only download apps you absolutely need for the minimum amount of time you need them.
- Read and know what permissions you are granting and who you are granting them to before you download and install an app.
- If possible don’t download and install apps that must access private data.
- Buy or get apps only from your device’s native store like Google Play and the Apple App Store but don’t assume these apps are safe.
- Research the App on Google to see who makes it and if it has any known security issues.
- Install an App that will check app permissions and access on a daily basis to help you find and uninstall malicious apps. Install an app that will monitor your phone for suspicious activity or known security issues.
- Beware of apps that can access your photos, videos and other files as they may be used for identity theft, blackmail, etc.
- Use a leading mobile security app which actively scans for security issues each day.
- Use a security container like Good to store all your business and private data in encrypted form to improve security of sensitive data.
- Set your phone to notify you when updates are available. Keep all apps up to date and patched but watch for apps that ask for more invasive permissions in order to grant you access to their “new and improved version”.
- Make certain your mobile phone doesn’t store your username or password on any sites where you pay bills or buy goods.
- Turn off Bluetooth, Wi-Fi and GPS when they are not in use.
- Beware of phishing attacks and messages saying you need to change your password.
- Think carefully before clicking any link or attachment you receive in a text or email message. Know the source before you touch it.
Always keep in mind that the safest apps will typically require no special permissions when you go to download them.