Are your smartphone apps a cybersecurity hazard?

Apps have become an essential component of everyday life. In addition to software like WhatsApp and FaceTime replacing the phone’s traditional text and call capabilities, you can use apps to manage money, navigate around town, learn a language, check the weather, and so much more. Life without them would mean less convenience in a number of respects, but would you sacrifice this for security?

According to the Royal Society of Arts, Manufactures and Commerce (RSA), over 60% of online fraud is committed through mobile phones, with 80% of this crime coming from apps. And, unfortunately, there are thousands of dangerous ones in existence—Symantec products blocked over 10,500 malicious apps every day in 2018.

In order to protect your phone against cybercrime, it’s vital you learn why apps can be so hazardous and how to reduce the risk.

Risky app permissions

Once you download an app, it is granted certain default permissions it needs in order to function properly, while you will have to approve the rest yourself. For example, Instagram requires your camera to take and upload pictures while Google Maps needs your location to provide directions. Though this streamlined approach is certainly convenient, these permissions may let apps see and even manipulate your data. Sometimes the permissions requested are not actually necessary for the app to work, and providing such intimate access is always risky.

Mobile security specialists Wandera conducted an examination of iOS app permissions and found that out of 30,000 unique apps, 62% ask for access to the phone’s photo library—the most commonly requested permission. This is potentially dangerous if you have images of sensitive information, like financial details or corporate data, stored on your mobile. What’s more, this is only one of the “high risk” permissions Wandera has identified. They also revealed that 23% of apps want access to the microphone—giving such apps the power to listen to and possibly even record conversations—16% connect to your contacts and 3% ask to share and update your health stats. A recent example of this is the La Liga match-following app, which reportedly enabled the league to remotely activate a mobile’s microphone to see whether the owner was in a bar showing football matches illegally. And in 2018, the New York Times revealed that an iOS weather app was misusing location data to track user movements before transferring this information to companies to aid their targeted advertising strategy.

This isn’t a problem exclusive to iOS, either. An earlier paper published by Wandera exposed similar vulnerabilities in Android apps. A huge 68% of apps ask for permission to access and alter a device’s SIM card, while 33% want to “read phone status”—in other words, access its internal features. This gives the app the ability to identify the phone number or a caller’s phone number, and whether or not a call is taking place.

Malicious apps

Downloading an app from a credible distributor like the Google Play Store or Apple’s App Store doesn’t make it safe. Unfortunately, it’s common for malware to be disguised as a well-known app in order to gain a user’s trust and trick them into downloading it. Back in July 2019, for example, it emerged that a WhatsApp imitation had been downloaded over a million times from the Play Store. To make matters worse, there are also many apps that aren’t intentionally malicious but can still be incredibly harmful. Poor development can often leave gaps and security vulnerabilities in an app’s code, allowing malware to be implanted, which eventually infects a device once the app is downloaded. As of October 2019, Google has found 172 harmful apps on the Play Store, which have been installed over 335 million times.

There are further problems if you download apps from unaccredited sources, which are known as sideloaded apps. Third-party platforms are less likely to scrutinise the content they list, making it more probable that you’ll end up with a potentially dangerous app. Though most devices will automatically prevent the installation of sideloaded apps, users often have to do little more than change their settings to allow this. Otherwise, this can be done by rooting a phone, giving a user greater control over the operating system and allowing permissions to be altered.

Wherever you download it from, a malicious app could do anything from extracting personal data and sending contact lists and location details to third parties to recording your phone conversations. As such, your apps may be a bigger cybersecurity threat than you first thought.

How to protect your device

As apps are such a prevalent part of modern digital culture, it’s unfeasible to recommend you no longer download them. However, these preventative measures should be followed:

  • Read all app permissions thoroughly before you accept them. Fortunately, official app stores are already doing their part to enforce better app permission management. For example, if an app requires your location, it will only have access while you’re actually using the app. This gives users more control over how their data is collected.
  • Check your app permission settings on a regular basis and turn off any access that isn’t required for an app to function. Does a shopping app really need to read your calendar?
  • Only install apps you know you’ll use—and remove any that you don’t—to reduce your attack surface. Your attack surface is the sum of vulnerabilities cybercriminals may be able to exploit to access your data.
  • Examine all app reviews, looking out for red flags before pursuing an installation.
  • Ensure your operating system is up to date so the most current security measures are active.
  • Install anti-virus software on your phone to identify and fight against malicious apps.
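
One way to carry out the regular permission check recommended in the list above on an Android phone, as an added example that is not part of the original article: the script flags apps that hold high-risk permissions they should not need. The package names, the EXPECTED allowlist and the sample text (modelled on `adb shell dumpsys package` output, whose exact layout varies by Android version) are constructed for illustration.

```python
import re
# Permissions the article calls out, mapped to plain labels.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone status",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CALENDAR": "calendar",
}
# Hypothetical allowlist: what each app plausibly needs to do its job.
EXPECTED = {"com.example.maps": {"location"}, "com.example.shop": set()}
# Constructed, simplified excerpt in the style of `adb shell dumpsys package`.
SAMPLE = """\
Package [com.example.maps] (1a2b3c):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
Package [com.example.shop] (4d5e6f):
    runtime permissions:
      android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
Package [com.example.torch] (7a8b9c):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
"""
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def parse_granted(text):
    """Return {package: set of permission names with granted=true}."""
    granted, current = {}, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            granted[current] = set()
        elif (m := PERM_RE.match(line)) and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted

def audit(text, expected=EXPECTED):
    """Return {package: high-risk labels granted beyond the allowlist};
    an app missing from the allowlist is assumed to need none of them."""
    findings = {}
    for pkg, perms in parse_granted(text).items():
        held = {HIGH_RISK[p] for p in perms if p in HIGH_RISK}
        if excess := held - expected.get(pkg, set()):
            findings[pkg] = sorted(excess)
    return findings

print(audit(SAMPLE))  # run the audit over the constructed sample
```

Anything the script reports is a candidate for switching off in the phone's app permission settings.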