The Hidden Privacy and Security Risks of Apps

Posted by Mark Greisiger

A Q&A with Kevin Lam of LOCKBOX LLC
Businesses in all sectors are increasingly employing mobile apps to improve market services and stay connected with customers. However, apps can share or leak private customer information, often unbeknownst to the organizations that offer them. A recent news story about the California Attorney General slapping app developers with fines for noncompliance of privacy laws underscores the risks to both third party app developers and businesses that deploy apps in violation of consumer privacy rights. To address this risk exposure, I spoke with Kevin Lam of LOCKBOX LLC (he can be reached at kevinlam@golockbox.com).

What are some of the essential data security issues around apps, and how are they violating the privacy rights of users?
Mobile apps are storing more and more sensitive data. Today, you can use your phone to make purchases on go—which require things like credit card numbers, passwords and other sensitive information. Most apps don’t clearly indicate what they do and don’t store. And many apps don’t have sufficient security controls to begin with to protect the sensitive data that they are storing. That risk is further compounded by the fact that people are constantly losing their mobile devices and the sensitive data on them. Then there are privacy issues: A recent report (http://redtape.nbcnews.com/_news/2013/01/15/16530607-a-shock-in-the-dark-flashlight-app-tracks-your-location?lite&ocid=msnhp&pos=7) found that many mobile apps were tracking information about the user without their knowledge and for no apparent use. For instance, the report highlighted the fact that a flashlight app was actually tracking user’s location and device IDs. What was that information being used for, why is it being collected, and how is it protected? Typically, you will find out after a data breach that the information was indeed not protected.

How can bad guys (hackers) exploit an app?
There are many ways that hackers can exploit apps. Hackers can extract sensitive data from apps by attacking the underlying storage device or external memory cards. They can attack the app directly and exploit some coding vulnerability that developers overlooked. Jail-broken phones, or phones that have certain controls placed by vendors like AT&T removed, leave backdoors into the device that make attacking apps and devices trivial. Then there’s the plain old shoulder surfing attack. If someone is entering their password in a public area, anyone is able to watch them punch in pin numbers to access the app. So the risks run the gamut from low-tech all the way to sophisticated programmatic exploits. Web-based attacks are especially problematic on mobile apps and devices. One of the most common attacks we see are phishing attacks. This is an attack where a hacker tries to trick a user into providing their credentials to what appears to be a legitimate website. On a desktop browser users can simply inspect the site URL and if they don’t recognize it they close the browser and the attack fails. On a mobile app or device, however, the screen is much smaller and inspecting the URL can be difficult, making phishing attacks more likely to succeed. Attacks on apps and data breaches from them are happening right now. Users or businesses just don’t realize it. Some do, but often after it’s too late.

What can a developer or business do to proactively ensure they are deploying safer apps?
Get training on how to develop secure mobile applications and best practices. But beware: There is a lot of training available that will show you how hackers attack apps, but will fall short in terms of providing pragmatic guidance on how to protect apps, which is what you really want. The best courses I’ve seen, and I’ve reviewed many, are the eLearning courses from Security Innovation Inc. (www.securityinnovation.com). They do the best job at helping developers understand the risk and how to build sustainable secure application development skills. Next, developers should start adopting common application security best practices and tools into their development lifecycle for apps. Many of the general security best practices and tools for desktop and server applications translate directly to mobile app development. And many of those tools are free to use, so there’s no reason not to use them. Finally, developers should realize that security is not just something you bolt or add-on. It’s the balance of technology, process and people, and security should be designed into the application from the beginning, rather than after the app has been compromised.

What are some myths about mobile app security?
The most common myth is that apps downloaded from app stores are safe. Vendors like Apple, Google and Microsoft check that apps they list follow certain programming and user interface style guidelines. They don’t perform the in-depth analysis needed to determine the security of the app. When you download and use an app, make sure you can trust the source. Another myth is that apps for non-Microsoft platforms like Apple’s iOS and Google Android are secure. This couldn’t be further from the truth—in fact, hackers are counting on this myth. Code is code and it can be attacked whether it’s on an Apple- or Google-developed platform. Finally, the last myth is that texting is secure and private. Many celebrities, politicians and other public figures have found this out the hard way through public embarrassment and ruined careers. People, however, continue to use texting to send highly private and sensitive data without realizing the risk they are exposing themselves to.

In conclusion …
We’re seeing businesses seek more direct access to individuals via their smart phone devices. They may rush to market with an app that collects PII for marketing or commerce purposes (see Risks). Very often, these companies fail to have the app properly inspected prior to public release, thus exposing both the consumer and the company to additional risk. Recent news reports underscore this reality.