Have an App for That? You May Have a Security Risk

2017 could easily be called “The Year of the App.” There seems to be an app for virtually anything. Hungry? Order food to be delivered or make a restaurant reservation. Muscles sore? Book a massage. Lonely? Swipe right. Need some item or some cash? The Mastercard Nearby mobile app helps you quickly find places to use your card or get access to your funds using your Mastercard® or Maestro® debit, credit, or prepaid card or mobile wallet.

Pretty much anything you could possibly want is available to you via an app on your phone. So the question is: as a user of apps, what security and other risks do you need to be aware of?

Free Isn’t Truly Free

You know the saying, “There’s no such thing as a free lunch”? Well, if an app is free, the developer is expecting to be paid in another way.

Dragos Alexa is the CEO of Appbracadabra, an app development firm. Alexa cautions, “If a user has a concern about his/her private data, then at some point they need to stop using ‘free’ apps. Nothing is free – either you pay with money and receive the benefit of privacy, or you pay with your data in some way. It sounds cold, and it is, but this is the reality.”

Gated Access

A good rule of thumb is to only download apps from reputable sources. Before an app is added to the Apple Store or Google Play, it is vetted by the company behind the store.

This vetting isn’t an absolute guarantee, and an occasional bad app does slip through, but you have a much better expectation of protection and a good user experience when you download from reputable sources.

Stranger at the Door

You may have noticed that when you download an app, it will frequently ask for permission to access information – or even modify information – from one of your social media accounts (Facebook, Twitter, Google, etc.).

Dusty Burwell, a software engineer at Stripe, an online payments platform, warns that users should absolutely be aware of what they’re signing away when they use their social media accounts to sign into apps.

Burwell says, “Luckily, when an app uses social media logins in this way, systems like Facebook display exactly what the app is getting access to. Well-behaved apps might only want your email address to verify that you are who you say you are. But a malicious developer seeking to do harm can extract a lot of information about you if you give them access.”

So, you know that legal text you never read but check the box anyway? Next time, you might want to actually read it and know what you are signing away.

In fact, generic Terms and Conditions should be a warning sign for a user, says Alexa: “The legal Terms and Conditions, User Privacy, etc. need to be bulletproof. This is the first indicator that the app is true to its users. If you find ‘Google searched’ legal material, then good luck with your privacy.”

Bad Intentions

As mobile apps become more popular, they are more frequently being targeted by malware creators.

In late 2016, there were several rogue apps “impersonating well-known retailers and stealing consumers’ personal information,” according to this article on

Burwell described the process for how app malware can wreak havoc. He shared, “There was a Gmail-based phishing attack that convinced users to give the app access to their contact list and permission to send email on their behalf. The app proceeded to email everyone in their contact list to spread the infection like a worm. While having the vector of a phishing scheme and the spread of a worm, this type of attack is new and something all its own.”

Developers Need To Beware

There are some specific ethical rules that developers of apps should follow. Burwell says developers in the security field have a concept called “the principle of least privilege.” He says, “The idea is that a system should operate with the lowest level of privilege, or access, as it needs to in order to get the job done. This is all about limiting the risk of exposure should a flaw present itself in an otherwise mundane piece of software.”

Vikas Bhatia, Founder & CEO of JustProtect, echoes this and adds that sometimes it makes sense to bring in a pro to ensure that an app does not pose a security risk.

Bhatia says, “While end users should be cautious, developers have a responsibility to beware regulatory and/or personal/business implications in the event of accidental/malicious disclosure. A security/risk professional will be able to identify and prioritize the appropriate level of disclosure and/or protection, which can be determined during development.”

As you can see, there are actions that both app users and app developers can take to try to ensure a safe experience. Yes, there will always be some people trying to make trouble, but you can save yourself some big headaches if you follow this expert advice.

Carol Roth
Carol Roth makes people think, makes them laugh and makes them money. She is a national media personality (currently an on-air contributor for CNBC), 'recovering' investment banker, entrepreneur, investor, speaker and New York Times bestselling author of “The Entrepreneur Equation.” As a deal-maker, Carol has helped clients complete more than $2 billion in transactions, including capital raising, M&A, licensing and partnership deals, plus create 7-figure brand loyalty programs. Carol acts as a brand spokesperson and advisor for a variety of companies, is a huge professional sports fan and has an action figure made in her own likeness.

  • All views expressed on the published articles at are those of each of the authors, and do not in any way represent the opinions of Mastercard International Incorporated or any of its affiliates (“Mastercard”). Mastercard is not responsible of the information contained in these articles.