Mobile apps are fun, useful and often cheap or free, but are they safe? Recently, information about the types of mobile app security threats we can encounter from mobile apps was released in the “Websense® 2013 Threat Report” which stated that “mobile apps can no longer be trusted – not without careful scrutiny of their behavior.” The majority of mobile app users will not understand the complexities of how a downloaded app works, much less being able to give them a security assessment. So as you seek to fill your phone with new apps for entertainment or to make your life easier, how do you protect yourself? Here are a few tips every mobile user can follow before installing an app to improve personal security.
Vet Your Mobile Application
Verify that the name of the application you are searching for is spelled correctly and also try searching the web for information about who created the mobile app to avoid downloading malware instead of the legitimate app. Hackers sometimes create spoofed apps (fake versions) to trick people into installing harmful malware.
There are three different types of hackers: Black Hat, Gray Hat and White Hat. Black Hat hackers, the most dangerous of the three, use or program malware (also known as malicious software) to disrupt computer operations, gain access to private computer systems, or gather sensitive information. The malware can appear in the form of code, scripts, active content, or other software. Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, etc.
In Russia, one of the latest trends to spread Malware throughout the Android population is the use of libraries as alternative distribution channels for malware campaigns. They use a product called “BadNews” which is designed to look like an advertising library in legitimate Android applications, but once the user selects the library, they are linked directly to SMS fraud malware hosted by some of the most intelligent Malware HQ Organizations. These Malware HQ Organizations are also creating “Easy-Bake” templates for the affiliates to customize, as well as pre-packaged templates used to spread Malware to Androids, many times portraying apps such as Google Play, Adobe Flash, Skype, Bad Piggies (game), etc. To avoid becoming a victim, be diligent and look at all the details of the new app before installing. Take an extra step to be certain you are downloading the legitimate app.
Check the Permissions of Your Application
Another precaution to take is to check the permissions that the mobile app is requesting from your mobile device. Both iOS and Android have specific stores/libraries to search and download various apps; some are free and others require a fee. According to mobiledevice.com, the App Store approval process takes anywhere between 1-4 weeks, sometimes longer. Although Apple’s review process is intense and eliminates almost all of the bad apps, it is still possible for an app that contains malware to slip through the cracks.
However, when it comes to Android, there is no set approval process for apps in the Google Play or the Android Store. In order to protect their mobile devices, Android users should always review the permissions of the mobile app before installing. Any app you download will display a pop-up window with “App Permissions” after the user selects the “Install” option. This window summarizes all the permissions the app is requesting access to within your mobile device system settings, such as storage access, system tools, network communication, your location, etc. If the user selects the “see all” option, they will see the complete list of requested permissions that the app needs access to. Once the user chooses to “accept” the terms displayed, the app will begin downloading. Below, I have identified a few key permissions to be wary of when vetting the new app:
- Most legitimate apps don’t require “SEND_SMS”, “RECEIVE_SMS”, “READ_SMS” or “WRITE_SMS” but 82% of malicious apps do.
- 1 in 8 malicious apps required “RECEIVE_WAP_PUSH” permissions, which are rarely required.
- 1 in 10 malicious apps requests to “INSTALL_PACKAGES” or allows permission to install other apps.
Lastly I recommend that before installing new applications make sure to read some of the written reviews from the users who have downloaded and tested the app.There are star ratings given by the users (usually 0-5 rating system) that show a consensus on how well the app works. Also take into account the amount of times the users downloaded the app, which will give you a general sense pf how safe the app in question is. If the app is new to the market, there is a higher risk to the user because it has not been field tested. On the other hand, if you discover the app has been on the market for a while there is a good chance other users have already tested it and the owner of the app has applied any software fixes needed, ultimately meaning less risk.
As users, we have to stay vigilant in order to avoid becoming a victim. We can only hope that Mobile Device Management and Security companies will work together to limit mobile access to key resources and perform real-time analysis of malicious content.
My final security Mobile Tip: Download two browsers (ex. Firefox, Internet Explorer, etc.) onto your device. I have discovered that when you are using a free app, they usually display an advertisement that, if selected, connects to the internet which increases your risk of accessing malware. If you have 2 browsers (and neither set as the default browser option) you can essentially back out or undo the execution of the ad.