
The trouble with apps

(Image credit: Pixel Fantasy / Flickr)

Most of us take great care to protect the personal data stored on our laptops and desktops. We diligently download and apply the latest security updates. We avoid opening emails and attachments from unknown or suspicious senders. When our security software tells us a website is not to be trusted, we quickly click away.

But when it comes to protecting the data on our mobile phones, we are not nearly as careful. We forget that a smartphone is in fact a powerful computer full of personal information that is just as susceptible to hacking as any other computer. We blithely download apps without knowing who developed the app and what its true intent may be—and, in so doing, we are putting gigabytes of our personal and financial data at risk.

One of the main reasons we embrace apps so readily is that they are free. But, as we all know, few things in this world are truly free. So how are the app developers making money? How are they paying their staff, marketing their app and pushing out updates?

Answer: if you, as the end user, are not paying for an app with your hard-earned cash, you are paying for it with your personal information. The app might be a calendar, a flashlight or a game, but it is collecting some form of compensation from you. And that compensation is your personal information, which the developer is selling to advertisers.

Fair trade or red alerts

Sure, that may seem like a fair trade. Get entertaining and useful mobile apps free of charge and all you have to do in return is scroll through some annoying ads. But that is not all you are giving in return. As mentioned above, you are giving a great deal of valuable personal information. Mobile apps collect massive amounts of personal data—your identity, your location, your online history, your contacts, your schedule and much more. In reality, what you are trading for apps is not merely ads on your phone. You are trading your privacy and allowing continuous surveillance of your activities via your mobile device.

Mostly, this amounts to little. Most apps simply want to know your location so they can serve you location-based ads. But there are a lot of apps out there with more malicious intent—and they want to do far more than serve ads. For example, an innocent-looking flashlight app might immediately ask to access your calendar and address book. This should be a red alert. When an app requests permissions that have nothing to do with its stated purpose, this indicates that the app is doing far more on your phone than you realise.

As users, we need to monitor these permissions very closely. If you were in a shop and the sales assistant asked you for the name and address of all your friends and family members, you’d likely think this request was highly intrusive. And yet we don’t think twice about such a request when it comes from an app. We should.

That is because many apps say they do one thing and actually do many other things as well, often things that are quite ominous. That flashlight app, for instance, might really be looking for passwords to other apps on your phone, like your credit card app or your mobile banking app. In fact, a new type of malware, called overlay malware, actually mimics the functions of real apps on your phone. The overlay malware gets onto your phone, then waits till you launch some other app—for example, your mobile banking app. When you do, it overlays a phishing view on top of the banking app and collects all the data you key in, including your login information.

It can happen to everyone

If you think this can’t happen to you, you probably need to think again. One of the most popular iOS apps right now is Super Mario Run. The real app is only available in the Apple App Store. However, developers looking to steal user information are busy creating fake versions for Android devices and loading third-party stores with the fake apps, some of which contain overlay malware.

According to recent reports, users are being invited to download phony versions of Super Mario Run, which then ask users to grant various permissions, including administrative rights to the device. When it comes to privacy breaches, this is the next level up. By providing administrative access to infected systems, users are enabling hackers to monitor the device and steal login data not just for banking and payment apps but also for apps such as Facebook, WhatsApp, Skype, Gmail, and the Google Play store. With these stolen details, criminals can carry out additional fraud.

So what can you do to protect yourself? First and foremost, you should only download apps from official app stores, such as Google Play or the Apple App Store. Be sure to do some research before you download any app. Read the reviews and ratings of the app. If it does not have a lot of downloads or user reviews, it could be a malicious app. Also, understand exactly what the app is requesting to access before you grant any permissions. Often you can say no to a permission and the app still runs. If and when it needs access to that data, it will ask again for permission, but then you will have an idea of why it wants the data.
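The permission check described above can also be done before an app is ever installed. The sketch below is an added example, not part of the original article or any Appthority tooling: it reads a decoded Android manifest and reports permissions that do not fit the app's stated purpose, whether the app can draw over other apps, and whether it asks for device administrator rights. The `EXPECTED` baseline, the sample manifest and the package name are constructed for illustration, and the manifest is assumed to have been decoded to plain XML already (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Hypothetical baseline: permissions a reviewer accepts for a stated purpose.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"      # draw over other apps
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"   # device admin receiver

# Constructed sample: decoded manifest of a made-up flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml, purpose):
    """Compare what an app requests with what its stated purpose needs."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID + "name")
            if name:
                requested.add(name)
    # An unknown purpose has an empty baseline, so every request is reported.
    allowed = EXPECTED.get(purpose, set())
    return {
        "package": root.get("package"),
        "unexpected": sorted(requested - allowed),
        "can_overlay": OVERLAY in requested,
        "wants_device_admin": any(
            receiver.get(ANDROID + "permission") == DEVICE_ADMIN
            for receiver in root.iter("receiver")
        ),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST, "flashlight").items():
        print(f"{key}: {value}")
```

An empty `unexpected` list does not prove an app is safe; it only means the requests match the baseline chosen for that kind of app.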

Further, good app hygiene means taking precautions not only when you download an app but also over the lifecycle of your usage of that app. For instance, if you stop using an app, delete it from your phone, because it could go on collecting personal data for as long as it resides on your phone.

Enterprises should also protect their data and their employees’ privacy by implementing a mobile threat protection solution.

The truth is that malware is rapidly evolving in the mobile space, because mobile phones are a juicy target for hackers. They are usually quite poorly protected, especially compared to personal computers. This is why it is essential for you to practice good app security to protect yourself and your sensitive data from hackers—before they go Super Mario on your personal data.

Domingo Guerra, co-founder and president, Appthority

Domingo Guerra, Appthority co-founder and president, specialises in identifying mobile app risks and behaviour trends, and advising enterprises of the risks associated with data leakage by today’s dynamic workforce.