Skip to content

Guarding Our Digital Playground: Time to Rethink App Security

photo-1584433144859-1fc3ab64a957

Even Steve Jobs could not see the potential of third-party mobile apps: those little software programs that turned our mobile phones into smartphones. Jobs had famously argued against such apps, instead advocating for the use of mobile web pages that could be accessed using iPhone’s Safari browser. It reportedly wasn’t until users began jail-breaking and creating third-party apps anyway — literally reinventing the iPhone — that he came around to the idea and launched the official Apple App Store in 2008.

Fast forward to 2016, and today across Apple, Google, Microsoft, Amazon and Blackberry’s app marketplaces there are more than 3 million mobile apps, which have been downloaded billions of times by users all over the world. Apps have been developed for everything from turning a phone’s camera flash into a flashlight to controlling household thermostats and baby monitors. There are even apps for flying drones, and one day we will likely use an app to drive our cars.
Not surprisingly, apps are among the primary reasons people buy phones. Having an app store with many third-party apps is vital for the success of a platform, as Microsoft and Amazon‘s struggle for mobile market share has shown us. And a single app can dictate the very existence of an OS, as Facebook’s recent decision to stop supporting BlackBerry’s OS will most likely show.
 
But there are downsides to apps that most of us seldom consider. For one, apps collect an unprecedented amount of user information, often much more data than the app requires or the user knowingly authorizes. For instance, the Facebook app, besides tracking personal information, also collates the search terms we enter and the locations from where we connect. Many apps share this information with search engines and third party advertisers, which is the reason many of us see those online advertisements that appear to follow us on online, presenting things for sale based on search terms we entered on another website.
Another issue is that many mobile apps are developed by amateur programmers, who are not always knowledgeable about information security. Often, these apps leak sensitive user information to other platforms, or worse yet, willfully steal information. Some other apps, including one in three major banking apps recently tested, continue to be just poorly designed and transmit user information to external servers using unencrypted formats that make it easy for hackers to steal this information during transit.
 
In addition, most mobile apps are designed to accommodate cellular data caps and optimize limited smartphone screen sizes. To achieve this, app designers focus on presenting only the information they deem necessary, often stripping out information that is valuable from an information security standpoint. For instance, most mobile email apps do not display the email’s message header — a critical source of information about the mail servers and protocols used to route the email, which could reveal whether it is a phishing email. Likewise, mobile browsers often conceal the complete URL of web pages to make viewing easier, while many mobile apps just don’t display security indicators — such as the SSL padlock symbol — that signals that a transaction is encrypted and secure.photo-1614064643392-8dd713152ae9
 
Unfortunately, most users are unaware of these issues, and those who are aware have limited options other than not downloading apps. Fixing these requires the owners of the mobile platforms — Apple, Google, Amazon, Microsoft — who directly benefit by selling phones, advertisements and products to users, to proactively influence the designers of apps. It’s the app stores that then hold the key to securing our privacy, because with great apps also comes greater responsibility toward all of us.
 
How can we make this happen?
 
First, app designers must become more security conscious in their design. App stores can foster this by creating design standards and mandating privacy disclosures. A step in that direction would be to require all apps to display exactly what user information they collect as well as who they share it with. Just like most phones today have a battery app that reveals how much power different apps are draining, mobile platforms could also develop a privacy tool that displays what data individual apps are mining and flags apps that are, without authorization, porting sensitive user information.
Second, with apps being developed for everything from remotely starting our cars to soon driving them, why not also create a system for app security testing similar to the 5-star rating system we use to test the crash protections of new cars. Just like the Insurance Institute for Highway Safety does automobile crash testing, an independent cybersecurity organization could take on the responsibility of testing and rating the security of apps as well as the gadgets they control. Alternatively, app stores could develop such a rating system by using beta-testers who collectively rate each app and provide star security ratings that are then displayed in the stores.
It goes without saying that without app stores there would be none of those great apps we all love. And without us purchasing apps and phones, there would be no app store. So ultimately, consumers hold the power to influence app and gadget designs. We can do this by downloading secure browsers and choosing to use mobile websites instead of leaky apps, by using anti-malware protections and virtual private networks that encrypt mobile data, and by using privacy apps that reveal how much of our personal information each app is using, sharing and porting.
 
Just like the first wave of jail-broken phones led to the App Store, we can influence the design of apps so they focus on protecting us.
We can and we must. After all, this is our personal information they are monetizing.
 
 

*A version of this post appeared under the title Time to rethink apps security on CNN: https://www.cnn.com/2016/04/01/opinions/problem-app-security-vishwanath/index.html