Smartphones (iPhone, Android, Blackberry, Windows Mobile, Symbian) and many feature phones allow you to download and install mobile applications (“apps”). Apps do many useful things. However, some apps (and other types of software, such as your mobile operating system) can also present security risks. These include:
Apps and other software may have access to information stored on or generated by your phone.
Apps and other software may have the ability to transmit this information using your phone’s Internet connection.
Your text messages, emails and web traffic may be monitored and logged.
Data stored on your phone (contacts, calendar entries, photos and video) may be accessed or copied.
Passwords stored or entered on your phone may be stolen and used to access your online accounts.
With smartphones gaining market share, malicious apps are beginning to pose a serious threat. In an article titled “Your Apps Are Watching You”, the Wall Street Journal tested popular iPhone and Android apps, and found that of 101 apps tested, 56 transmitted a unique identifier for the phone without informing the user or asking for consent. 47 apps also transmitted the phone’s location, while 5 sent age, gender or other personal details to various companies. The App Genome Project reports that 28% of all apps in the Android Market and 34% of all free apps in the Apple App Store have the capability to access location, while 7.5% of Android Market apps and 11% of Apple App Store apps have the capability to access users’ contacts.
It can be very difficult to tell which apps are safe and which are not. App behaviours that might not bother most users, such as transmitting the phone’s location to an advertising server, can be unacceptable to people with higher privacy and security requirements.
This article offers suggestions on how to assess risks to security and privacy posed by apps.
1. What features of your phone are available to apps?
One of the functions of your phone’s operating system is to enforce security rules (also called a “security model”). Security rules regulate what phone features an app can access. For example, only apps that have been designated as ‘trusted’ may be granted permission to connect to the internet and download or upload data without notifying the user. Other apps may be forced to ask the user for permission before connecting to the internet, or may be disallowed altogether.
Security rules sometimes depend on whether the developer of the app is identifiable – for example, has the developer of the app registered with a developer programme and paid a registration fee with a credit card.
Different phone operating systems have different ways of enforcing security rules. Here are some examples:
On Android phones, there is no way for an app to be granted permission to use phone features without explicitly requesting such permission from the user. App developers must state in advance all features the app will use (for a full list, see this article). These are shown in the description that you see when you download or install the app. You grant the app the required permissions when you install it – not granting the permissions will cause the installation to fail. Apps can be installed from the Android Market, other app markets such as the recently launched Amazon Marketplace, or directly from an Android package file (.apk).
On the iPhone, all apps downloaded from the App Store are considered trusted, and do not need to request specific permissions from the user to access phone features. Unless the iPhone has been jailbroken, apps cannot be installed from sources other than the app store. Although the App Store has an approval process, it does not examine source code, and it is theoretically simple for a malicious feature to be hidden in an app.
On Blackberry, app permissions are determined by three things:
Corporate security policies, which can force the installation of certain apps and disallow installation of others.
Whether the app has been published (“signed”) by a developer registered with RIM’s app certification programme. If it has not, you may see a warning when you install.
Whether the user has decided to grant ‘trusted’ status to the app.
If an app has been granted ‘trusted’ status by the user, it can access most features of the phone, including network connections, SMS and location, without requesting further permission. Signed apps can access some additional features (cryptography, identifying information such as the phone and SIM card numbers).
On Java phones – feature phones such as Nokia series 40 and series 60 – apps are placed in one of three security categories:
Trusted apps are apps developed by your phone manufacturer or mobile network operator. These are usually installed when you get the phone. Apps in this category do not need to ask you for permission to access phone features.
Identified third party apps are apps that have been published (“signed”) by a developer who has verified their identity with a certificate authority such as Verisign, and paid around $200 for a certificate. These apps must request permission to access device features, but after installing the user may be able to set access permission to ‘ask once’ or ‘always allow’.
Unidentified third party apps are not signed with a certificate, and must ask permission every time they need to access device features.
Of these four operating systems, Android provides the most information to the user about app permissions, and forces all apps on the device to provide this information. The iPhone approach provides very little information to the user, relying instead on the app store approval process to weed out potentially dangerous apps. Blackberry and Java phones offer a privileged position of trust to apps from operators and phone manufacturers (or apps required by corporate policy) but provide some information about, and user control over, permissions for other apps.
2. What phone features should this app need to use? Does this match the permissions it requests?
On Android phones, you’ll be told at install time which permissions an app is requesting – for example, permission to access your location or use your phone’s network connection. Java phones prompt you to grant permissions as they are needed by the app, while Blackberrys allow you to set permissions individually at install time, or all together by granting trusted app status.
Regardless of how permissions are set, you should pay close attention to which features of your phone an app requests permission to access. A location-based social network like FourSquare clearly needs to access your location, but most games should not. Similarly, be wary of apps that require permission to access network connections without any obvious reason.
Of course, it is also possible for an app to request a permission for a seemingly legitimate purpose – network access for a chat application, for example – but then use that permission in an undesirable way. This possibility should always be weighed when deciding whether to install an app.
Why might certain permissions be a problem? Consider these examples of the dangers of malicious apps.
Depending on your phone, you may be able to deny certain permissions while still installing the app. If this is not possible, either don’t install at all, or seek clarification from the app’s developers or user community about why a particular permission is being requested.
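The check this section describes can be partly automated on Android, because the permissions an app will ask for at install time are declared in its AndroidManifest.xml as uses-permission elements. The script below is an added example written for this article, not SaferMobile’s code or any app vendor’s tooling: it lists the declared permissions and flags the sensitive ones that a given kind of app has no obvious reason to need. The manifest is constructed for the example, the permission names are real Android ones, and the EXPECTED table (what a game, a location-based social app or a chat app can justify) is this example’s own assumption rather than an Android rule.

```python
import xml.etree.ElementTree as ET

# Namespace prefix used for attributes in AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the kind of data the article
# warns about (the grouping and wording are this example's own).
SENSITIVE = {
    "android.permission.INTERNET": "network access: can send data off the phone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "stored text messages",
    "android.permission.RECEIVE_SMS": "incoming text messages",
    "android.permission.READ_PHONE_STATE": "phone identifiers (IMEI, phone number)",
    "android.permission.READ_CALENDAR": "calendar entries",
}

# Assumption: which sensitive permissions each kind of app can justify.
EXPECTED = {
    "game": set(),
    "location-social": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "chat": {"android.permission.INTERNET", "android.permission.READ_CONTACTS"},
}


def declared_permissions(manifest_xml):
    """Return the permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def unexpected_permissions(manifest_xml, app_kind):
    """Map each sensitive permission the app does not obviously need to the
    reason it matters. An unknown app_kind is treated as needing nothing."""
    expected = EXPECTED.get(app_kind, set())
    return {
        perm: SENSITIVE[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SENSITIVE and perm not in expected
    }


# Constructed manifest for a hypothetical puzzle game (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Puzzle Game"/>
</manifest>
"""

if __name__ == "__main__":
    for kind in ("game", "location-social"):
        flagged = unexpected_permissions(SAMPLE_MANIFEST, kind)
        print("If this were a %s app, ask the developer about:" % kind)
        for perm, why in flagged.items():
            print("  %s: %s" % (perm, why))
```

Run against the sample, a “game” profile flags internet, location and contacts access, while a “location-social” profile flags only contacts. The flagged list is the set of questions to put to the developer or user community before installing; a permission on it is not proof of bad intent, only something the app’s stated purpose does not explain.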
3. Who is the developer?
Although by no means guaranteed, knowing which individuals or groups developed an app can give you a sense of how risky it is. Well-known developers who have published many apps, or published very popular apps, have more to lose if security flaws are exposed. This can also be true for first-time or small-time app developers who are well-known in a particular community. Do some online research before installing an app. For example, try searching for:
The name of the developer and their website. Do they look legitimate?
Any blog posts, forum posts or news stories mentioning the app, or other apps by the same developer – are reviews generally favourable? Do any mention security concerns?
Be prepared to look for alternatives if you are concerned about the developers’ reputation or technical competence.
4. Who are the users?
In a similar vein, the users of an app can be a good indicator of risk. This doesn’t necessarily mean you should trust apps that have large numbers of users. Even if everyone you know is using an app, everyone you know may not have the same level of security awareness as you, or the same security needs. See if you can triangulate recommendations by reading several reviews of the same app, or asking several people independently what they think of it. If the app has a user forum, try asking about security issues. For example, if you can’t find the information online or in the app’s description, ask about the following:
The permissions the app requests. What are they, and why are they necessary?
If data is transmitted to the developer or to advertising servers, what is sent? Can this be disabled?
How data is stored on the phone and, if applicable, by the company providing an online service in conjunction with the app.
How to contact the developer to raise security concerns.
A good, detailed, well-supported response from several community members can make you more confident in your choice. Conversely, if the user community does not seem particularly concerned about security and privacy, it’s more likely that problems will go undetected.
5. Is the code publicly available?
For proponents of open source software, openness – specifically, source code that is publicly available for review – is a non-negotiable security requirement. If everyone is able to review the code, the thinking goes, it is much harder to hide malicious features in software. Security issues are also more likely to be resolved quickly if everyone is able to submit code to fix a problem.
In practice, it is the former rather than the latter that is most important for mobile apps. Apps have the added advantage of being relatively self-contained (compared to, say, an entire operating system) and less code means it’s easier to spot potential issues. If the source code for an app you want to use is publicly available and you are not able to review the code yourself, you might want to consider asking a trusted technical contact to do this for you. For many popular apps, a web search of the app name and words like “security” and “privacy” may also give you a sense of potential issues.
6. Is your data being stored and transmitted securely?
Even well-intentioned mobile apps can present a security risk if they do not store and transmit your data securely. This is extremely important if you are planning to use the app for sensitive communications. Because of the technical complexity involved in evaluating an app’s security measures, you may wish to look for reviews on the web, ask the developers and/or user community, or enlist an expert to review the app’s source code (assuming it is publicly available!). SaferMobile will also be reviewing a number of popular apps.
Here are some examples of things you should look for, or ask about:
Does the app store sensitive data (such as passwords, contact details or sensitive messages) in an encrypted file? What kind of encryption is used, and how easy is it to break?
Does the app communicate over HTTPS, or another secure protocol? HTTPS is the secure version of the Hypertext Transfer Protocol (HTTP).
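Both of these questions can be checked to a first approximation once you have a file the app has written to the phone and a list of the servers it contacts (from its documentation, or from a network capture taken of your own phone). The script below is an added example written for this article, not SaferMobile’s code: it estimates whether a stored file is unencrypted from its byte entropy, looks for credential-like keys readable in it, and lists the endpoints that are not HTTPS. The 6 bits-per-byte threshold is a heuristic assumed by this example, and the preference file, the ciphertext stand-in and the example.com URLs are all constructed.

```python
import json
import math
import re
from collections import Counter


def shannon_entropy(data):
    """Entropy in bits per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_unencrypted(data, threshold=6.0):
    """Heuristic (assumption of this example): well-encrypted data is close to
    random (entropy near 8 bits/byte), while text, JSON and XML sit well below 6."""
    return shannon_entropy(data) < threshold


# Keys that would expose credentials if readable in a stored file.
SECRET_KEYS = re.compile(r'"(password|passwd|pin|token|api_key|secret)"\s*:', re.IGNORECASE)


def audit_stored_file(data):
    """Report whether a file the app wrote looks unencrypted and, if so,
    which credential-like keys can be read straight out of it."""
    readable = looks_unencrypted(data)
    keys = []
    if readable:
        text = data.decode("utf-8", "ignore")
        keys = sorted(set(m.lower() for m in SECRET_KEYS.findall(text)))
    return {
        "entropy": round(shannon_entropy(data), 2),
        "unencrypted": readable,
        "readable_secret_keys": keys,
    }


def cleartext_endpoints(urls):
    """Return the URLs an app talks to that are not served over HTTPS."""
    return [u for u in urls if not u.lower().startswith("https://")]


# Constructed samples: a preferences file saved as plain JSON, a stand-in for a
# properly encrypted blob (flat byte distribution), and a captured endpoint list.
PLAINTEXT_PREFS = json.dumps(
    {"username": "alice", "password": "hunter2", "token": "a1b2c3"}
).encode()
ENCRYPTED_BLOB = bytes(range(256)) * 16
CAPTURED_URLS = [
    "https://api.example.com/v1/login",
    "http://api.example.com/v1/sync",
    "http://ads.example.net/track?device=12345",
]

if __name__ == "__main__":
    for label, blob in (("prefs.json", PLAINTEXT_PREFS), ("vault.bin", ENCRYPTED_BLOB)):
        print(label, audit_stored_file(blob))
    print("cleartext endpoints:", cleartext_endpoints(CAPTURED_URLS))
```

Read the output with the limits of the method in mind. Low entropy shows that a file is stored in the clear, which answers the first question in the negative; high entropy does not tell you what cipher was used or how strong it is, and compressed data scores high too, so a high-entropy file only means the question still has to be asked. Likewise, a list free of http:// URLs tells you the app uses HTTPS, not that it validates the server’s certificate correctly, which is a separate thing to ask the developers about.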
With any mobile app, it is important to weigh up the benefit of the app with the potential risks that come from installing and using it. For some secure communications scenarios, you may want to use a basic phone rather than one that can run apps – not least because you may need to discard it after use in order to remain anonymous. In all cases, it pays to be wary. Installing an app might be a one-click process, but a comprehensive security plan requires that you take a little more time to assess the risks.