Neglecting App Security: Why You Need to Take Action Now

App security describes security measures at the application level to prevent data or code within the app from being stolen or hijacked. It encompasses the security considerations during application development and design but also involves systems and approaches to protect apps after deployment. 

App security may include hardware, software, and procedures identifying or minimizing security vulnerabilities. A router that prevents anyone from viewing a computer’s IP address from the Internet is a form of hardware application security.

But security measures at the application level are also typically built into the software, such as an application firewall that strictly defines what activities are allowed and prohibited. Procedures can entail an application security routine that includes protocols such as regular testing. 

Pay attention to device protection.

Even if only you have access to your device, various parties come into play in day-to-day use to whom you open up your data treasures: You not only have to trust the device manufacturer but also the publishers and programmers of the apps.

The third party is the operator of the network through which data is exchanged. You must also trust him before you download apps and save or send data. If you trust everyone involved, working with apps and personal data is only recommended.

Many security settings for mobile devices can be set in apps, but there are also many settings that we can set on the devices themselves. In the following, practical tips on what to consider when backing up devices, how to restore the data stored on the devices in the event of an emergency and explain the best way to encrypt your devices.

App Security Tips

installation

• Only install the apps you need. Each additional app initially represents an additional security risk, even if it is a legitimate offer. Virtually every piece of software contains security gaps. With free apps, you can quickly end up with potentially unwanted programs (PUP), such as fake antivirus protection or adware. The questionable purpose of adware is to display advertisements.
• Only install apps from trustworthy sources – such as the manufacturer’s app stores and markets preset in the smartphone.
• Check which functions the app claims rights to. Depending on the operating system, before installing an app, you can see which rights the application will receive after installation. Make sure those apps can only access the smartphone functions that are necessary and plausible for the intended use. So scepticism is appropriate if, for example, an application for saving notes wants to access the SMS function. Here you have to critically check whether you want to accept the permissions because it is necessary to confirm all permissions or not to install the app. For more information on confirming app rights on Android, click here.
• If you are still determining whether the app is trustworthy, a quick search on the Internet usually helps. Here you will be informed promptly if an app contains malware.
• Beware of bargains: popular apps, especially games, are being imitated. The imitators offer the apps cheaper or for free but sometimes build harmful functions into them or lure them with “extra levels” that are subject to a fee.

Update

• Check regularly whether updates for apps and the operating system are available and install them as soon as possible.
• Be careful not only when installing new apps but also when updating them. The publisher can use updatesThe publisher can use updates to provide additional access rights to an app you trust after a certain period of use. Therefore, refrain from automatic app updates and install the updates manually. Depending on the operating system, you then have the option of displaying the rights again.

use

• Watch the status bar on the smartphone screen. The icons tell when an app collects location data or activates wireless interfaces. If, for example, GPS or Bluetooth is active without you having activated or consciously used the interfaces, you should get to the bottom of the cause by checking which apps are currently active (see next point).
• As a logical extension of the first argument that you should only install apps you need and delete apps you no longer use.

App permissions on Android

This digression only refers to Google’s Android operating system for mobile phones. The reason for this is that with other systems, such as Apple’s iOS or Windows, the user cannot confirm or deselect the individual permissions of the apps.

How the Android protection concept works

Applications ( apps ) for the Android operating system run in a protected, closed environment, a so-called sandbox. On the one hand, this sandbox offers internal protection, protecting your app uses data from unauthorized access. On the other hand, the principle includes protection from the outside world.

This prevents the app from accessing other user data or system services. For certain functionalities, such as data exchange and communication, the sandbox is opened to the outside with the help of authorization authorizations (also called permissions ).

Permissions

Android knows about 160 permissions, divided into groups and security levels by Google. The groups are used to sort the permissions, and they say nothing about security. Groups are, for example:

• Paid Services
• Allow applications to perform actions that may require payment.
• Your messages
• Read and write text messages, emails and other messages.
• Your personal information
• Direct access to your phone’s contacts and calendar.

The security levels are important because they make a statement about the criticality of the authorization.

Google differentiates between the following four levels: 1. normal; 2. dangerous ; 3. signature; _ 4. signature system.

For you, “normal” and “dangerous” are relevant because the associated permissions must be confirmed when installing an app. Of the permissions defined in Android, 60 have the security level “dangerous “.

At the ” dangerous ” security level, the corresponding function is potentially misused with the respective authorization. Internet criminals could thus compromise your device and spy on private data, for example.

Below are two examples of permissions (source: texts taken from Android ):

EXAMPLE: SECURITY LEVEL: DANGEROUS Authorization:

Call phone numbers directly.

Description: Allows applications to dial phone numbers without your intervention. Malicious applications can be responsible for unexpected calls on your phone bill. However, the emergency number dialling is not possible.

Group: Paid Services

EXAMPLE: SECURITY LEVEL: NORMAL Authorization:

View network status

Description: Allows an app to view the status of all networks.

Group: network communication

Selection of critical permissions

(Source: original descriptions from Android )

The following examples show the different areas in which the apps can request necessary permissions and what risks arise.

Paid Services

Send short messages: Allows the app to send SMS. Malicious applications may incur charges if they send messages without your consent.

Your personal information

• Read contact data:
  • Allows an app to read all contact data (addresses) stored on your phone. Malicious apps can use this to send your data to other people.
• Read on social streams.
  • This permission allows the app to access and sync social updates from you and your friends. Malicious apps can use this permission to read private social media communications between you and your friends.
• Read calendar appointments and confidential information.
  • Allows an app to read all calendar events stored on your phone, including those of friends or co-workers. Malicious apps with this permission can extract personal information from these calendars without the owners’ knowledge.
• Precise ( GPS ) location
  • Access precise location sources such as GPS on the phone (if available). Malicious apps can use it to determine where you are and add extra drain on your battery.
  • network communication, unlimited internet access
    • Allows an app to set up network sockets.
• hardware controls
• Take pictures and videos.
  • Allows the app to take photos and videos with the camera. This allows the app to capture images from the camera’s field of view anytime.

App installation

In the various app stores, the permissions required by an app are listed with a description, sorted by group. The permissions with the security level “dangerous” will be shown to you in full, while your security level permissions “normal” must also be opened by clicking on “Show all”.

All “dangerous” permissions are listed when the app is installed; you must also open the “normal” permissions.

When you install a new app, you must confirm the permissions the app is requesting. “All or none” applies here. A differentiated approval of the app permissions is not possible. This often results in the requested authorization authorizations being confirmed without the potential threats being known.

Security Recommendations

The same security recommendations apply to apps on other operating systems. However, more malware and potentially unwanted programs (PUP) for Android and more dubious sources to get apps than for other mobile operating systems.

In addition, individual permissions cannot be deselected without aborting the entire installation. Another note on the rating system that Google relies on as a “safety recommendation”:

• Rating systems:
• Google relies heavily on the rating system as a “safety recommendation”: The more users use an app and rate it positively, the greater the likelihood that the app is legitimate or that harmful content will be discovered. Of course, this criterion is useless.
• For evaluating the security of an app. However, in combination with the other criteria, it can serve as an indicator of the seriousness of an app. However, the BSI is aware of an app sold as antivirus protection for a few euros and received good user reviews. But it could have been more effective.