Threat Intelligence Blog

Posted December 11, 2013

During our recent webcast, Six Types of Rogue Mobile Apps and How They’re Hurting Your Brand, we discussed an example of a flaw that Bluebox Security discovered in Google’s Android operating system. This vulnerability allowed bad actors to add malware or modify a legitimate app without changing its digital signature, which made it virtually impossible to distinguish good apps from bad ones.


Within a few weeks of Bluebox Security announcing the discovery of this flaw, security researchers at Symantec found a rogue app on a third-party storefront in China that took advantage of it. The app appeared to be the same as a legitimate app that was designed to help patients schedule doctor appointments. The app requested information like age, date of birth, address, weight, blood type, and ailment, making the possibilities of what cyber criminals could do with this information endless.

However, an app does not necessarily need to contain malware or security vulnerabilities to be a threat to confidential information. In fact, it may not even be a rogue app. Apps with poor privacy practices may intentionally or inadvertently share the same amount of information as the malicious app described above.

For example, Appthority analyzed the iPharmacy app and discovered it was leaking private medical information online. This app was created to help patients identify pills and find the lowest price for prescription drugs. However, the app failed to encrypt users’ personal information sent over the network. Analysis also indicated the app sent users’ personal information to advertisers, including phone numbers, IMEI numbers, GPS location, current apps on the users’ devices, wireless carrier information, device model, and stored Wi-Fi access points.

Before downloading a mobile app that requires you to submit sensitive information, consider the following precautionary measures:

  • Make sure you are downloading the app from a legitimate storefront, such as Google Play or iTunes. If the company has a link to the app on its official website, follow that link rather than searching for the company name in an app store.
  • Never assume an app is keeping your information private. Think twice before entering confidential information. Ask yourself, “Does this photo sharing app really need my birth date, name, age, and address?”
  • Pay for the app instead of downloading the free version. Free apps tend to be more profitable with paid advertising, and ads target users based on the personal information entered upon downloading.
  • Check the privacy policy to see whether information is sent encrypted.
  • Deny permissions that are unnecessary. For example, disable your geo-tagging feature.

Users can easily be misled into thinking a rogue app is a legitimate app. Organizations that have legitimate mobile apps should take precautions to safeguard their apps from going rogue and from potentially leaking user information. Companies should use an automated monitoring service to ensure the legitimate app is not placed on a third-party storefront, where it could be hacked. A monitoring service can also ensure that expired apps are removed and taken out of marketplaces so that bad actors looking for apps to infiltrate or otherwise.
