Have an App for That? You May Have a Security Risk

2017 could easily be called “The Year of the App.” There seems to be an app for virtually anything. Hungry? Order food to be delivered or make a restaurant reservation. Muscles sore? Book a massage. Lonely? Swipe right. Need some item or some cash? The Mastercard Nearby mobile app helps you quickly find places to use your card or get access to your funds using your Mastercard® or Maestro® debit, credit, or prepaid card or mobile wallet.

Pretty much anything you could possibly want is available to you via an app on your phone. So the question is: as a user of apps, what security and other risks do you need to be aware of?

Free Isn’t Truly Free

You know the saying, “There’s no such thing as a free lunch”? Well, if an app is free, the developer is expecting to be paid in another way.

Dragos Alexa is the CEO of Appbracadabra, an app development firm. Alexa cautions, “If a user has a concern about his/her private data, then at some point they need to stop using ‘free’ apps. Nothing is free – either you pay with money and receive the benefit of privacy, or you pay with your data in some way. It sounds cold, and it is, but this is the reality.”

Gated Access

A good rule of thumb is to only download apps from reputable sources. Before an app is listed on Apple’s App Store or Google Play, it is reviewed by the company behind the store.

However, that review is not an absolute guarantee, and a bad app occasionally slips through. Even so, you have a much better expectation of protection and a good user experience when you download from an official store than from a third-party site or a link in a message.

Stranger at the Door

You may have noticed that when you download an app, it will frequently ask for permission to access information – or even modify information – in one of your social media accounts (Facebook, Twitter, Google, etc.). This typically happens through a consent screen shown by the social network when you sign in to the app with that account.

Dusty Burwell, a software engineer at Stripe, an online payments platform, warns that users should absolutely be aware of what they’re signing away when they use their social media accounts to sign into apps.

Burwell says, “Luckily, when an app uses social media logins in this way, systems like Facebook display exactly what the app is getting access to. Well-behaved apps might only want your email address to verify that you are who you say you are. But a malicious developer seeking to do harm can extract a lot of information about you if you give them access.”

So, you know that legal text you never read but check the box anyway? Next time, you might want to actually read it and know what you are signing away.

In fact, generic Terms and Conditions should be a warning sign for a user, says Alexa, “The legal Terms and Conditions, User Privacy, etc. need to be bulletproof. This is the first indicator that the app is true to its users. If you find ‘Google searched’ legal material then good luck with your privacy.”

Bad Intentions

As mobile apps become more popular, they are more frequently being targeted by malware creators.

In late 2016, there were several rogue apps “impersonating well-known retailers and stealing consumers’ personal information,” according to a report on SecurityWeek.com.

Burwell described the process for how app malware can wreak havoc. He shared, “There was a Gmail-based phishing attack that convinced users to give the app access to their contact list and permission to send email on their behalf. The app proceeded to email everyone in their contact list to spread the infection like a worm. While having the vector of a phishing scheme and the spread of a worm, this type of attack is new and something all its own.”

Developers Need To Beware

There are some specific ethical rules that developers of apps should follow. Burwell says developers in the security field have a concept called “the principle of least privilege.” He says, “The idea is that a system should operate with the lowest level of privilege, or access, as it needs to in order to get the job done. This is all about limiting the risk of exposure should a flaw present itself in an otherwise mundane piece of software.”
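The consent screens described above and the Gmail worm Burwell mentions come down to one question: what permissions, or “scopes,” is the app asking for, and does it need them? The following is an added example, not code from the article, Stripe, Facebook or Google. It pulls the requested scopes out of an OAuth 2.0 authorization URL (the link behind a “Sign in with …” button) and flags anything beyond what a plain sign-in needs. The sample URLs are constructed, and the list of what counts as a login-only scope versus a high-risk one is this example’s own assumption, not an identity provider’s published policy.

```python
"""Flag OAuth consent requests that ask for more than a sign-in needs.

Added example for this article; not code from the article, Stripe, Facebook
or Google. The authorization URLs are constructed, and the scope
classification is an assumption, not any provider's published policy.
"""

from urllib.parse import urlparse, parse_qs

# Scopes a "who are you?" login legitimately needs (assumption).
LOGIN_SCOPES = {"openid", "email", "profile"}

# Scopes that let an app read or act on data well beyond sign-in, mapped to
# the plain-English capability they grant (our wording, not the provider's).
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/gmail.send": "send e-mail as you",
    "https://www.googleapis.com/auth/gmail.readonly": "read your e-mail",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
    "user_friends": "read your friends list",
    "publish_actions": "post on your behalf",
}


def requested_scopes(auth_url: str) -> list[str]:
    """Return the scopes named in an OAuth 2.0 authorization URL.

    RFC 6749 section 3.3 puts scopes in one space-separated ``scope``
    parameter; Facebook's login dialog also accepts a comma-separated list,
    so both separators are handled. parse_qs undoes the percent-encoding.
    """
    query = parse_qs(urlparse(auth_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in raw.replace(",", " ").split() if s]


def assess(auth_url: str) -> dict:
    """Classify a consent request as least-privilege or over-privileged."""
    scopes = requested_scopes(auth_url)
    excess = [s for s in scopes if s not in LOGIN_SCOPES]
    return {
        "scopes": scopes,
        "excess": excess,
        "high_risk": {s: HIGH_RISK_SCOPES[s] for s in excess if s in HIGH_RISK_SCOPES},
        "least_privilege": not excess,
    }


# Constructed sample requests: a well-behaved login and one shaped like the
# worm described in the article (send mail + read contacts).
WELL_BEHAVED = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-login"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid%20email"
)
OVERREACHING = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-worm"
    "&redirect_uri=https%3A%2F%2Fevil.example%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    for url in (WELL_BEHAVED, OVERREACHING):
        result = assess(url)
        verdict = "OK" if result["least_privilege"] else "OVER-PRIVILEGED"
        print(f"{verdict}: {result['scopes']}")
        for scope, capability in result["high_risk"].items():
            print(f"    {scope} -> can {capability}")
```

For a user, the same check is the one to do by eye on the consent screen: a login should need an identity and an e-mail address, nothing more. For a developer, running a check like this against your own authorization URL in a test is a cheap way to enforce the least privilege Burwell describes, so a scope added “just in case” during development does not ship.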

Vikas Bhatia, Founder & CEO of JustProtect, echoes this and adds that sometimes it makes sense to bring in a pro to ensure that an app does not pose a security risk.

Bhatia says, “While end users should be cautious, developers have a responsibility to beware regulatory and/or personal/business implications in the event of accidental/malicious disclosure. A security/risk professional will be able to identify and prioritize the appropriate level of disclosure and/or protection, which can be determined during development.”

As you can see, there are actions that both app users and app developers can take to try to ensure a safe experience. Yes, there will always be some people trying to make trouble, but you can save yourself some big headaches if you follow this expert advice.

Ajeet Khurana
Ajeet Khurana wears many hats: author, angel investor, mentor, TEDx speaker, steering committee of the NASSCOM Start-Up Warehouse, Director of Founder Institute, Venture Partner with the seed initiative of a top Venture Capital firm, and former CEO of IIT Bombay’s business incubator, among others. Before all this, he was entrepreneurial twice in the field of education and web publishing. As a lecturer at the University of Texas at Austin, he taught e-commerce back in 1993, when the term "e-commerce" had not yet been coined. An undergrad in computer engineering from the University of Mumbai, and an MBA from the University of Texas, Ajeet is presently an active name in the startup ecosystem. From starting two ventures as a solopreneur, to helping a large number of startups with their go-to-market, he has never shied from getting his hands dirty. At the same time he has helped dozens of startups raise investment. He truly believes that small business owners are driving change in the world, and need to be facilitated as much as possible. Innumerable small businesses have gained from his attitude, vast professional networks, financial acumen and digital mindset.

All views expressed in the published articles at https://www.mastercardbiz.com are those of each of the authors, and do not in any way represent the opinions of Mastercard International Incorporated or any of its affiliates (“Mastercard”). Mastercard is not responsible for the information contained in these articles.