Beware of Mobile Apps which misuse access requirements

An excellent article by Shadma Shaikh in The Economic Times highlights the dangers of mobile apps that misuse access requirements. Excerpts:

As India becomes a mobile app-economy, it is important for users to understand if apps indeed require access to so much of their data and device tools. 

Even if .. not paranoid about online security, you ought to be more careful about something else--mobile applications. Apps that read your contact list and your messages--including the ones about your bank transactions and one-time passwords, and access your pictures, screenshots and messenger images.

Permissions by themselves are harmless and even useful to provide users a good mobile experience. But since the list of permissions required is long and doesn't explain its effect, an immediate reaction is to treat it the way you would a 'Terms and conditions' agreement--accept without reading the list and move to the next step. Skipping over these permissions could mean handing over your data to an oblivious app developer or unscrupulous data miners.

Many apps ask for a host of permissions to access data and functions they don't require. The key lies in identifying the nature of the app and questioning what seem to be unnecessary requests.

The latest version of Google's Android operating system and Apple's iOS allow users greater flexibility in deciding what permissions to give to apps.

Developers, in the process of making apps more usable, end up asking for access to too many things the apps don't require, says Bryce Boland, chief technology officer, Asia-Pacific, at cyber security firm FireEye. Some well-known brands, too, have poorly coded apps that end up compromising on security, he said.

Yuval Ben Itzhak, former chief technology officer at security software company AVG Technologies, points out that if data leaving a device via an app is unencrypted--not converted into code to prevent unauthorized access--hackers can 'look inside' it and get access to passwords, credit card numbers and other personal details. This is most likely to happen on public WiFi hotspots like those at airports, malls or coffee shops.

Apps often have permission to create and save files in various locations on your devices, some of which are retained even after the apps are uninstalled. A game app that you uninstalled could have retained images in your phone gallery. Another app that also has access to your gallery can now access those images.

A lot of this unnecessary access requirement also has to do with how apps are built and monetized. To make money out of apps, companies often integrate third-party libraries that allow these external entities to push ads and other content on their apps. Attackers can leverage poorly written code or third-party libraries to gain access to a user's phone or data.

The Indian smartphone market that is dominated by second-hand and low-budget smartphones is more susceptible to mobile security attacks.

As consumers, if an app is free, we need to figure out how its developers make money. Is it by pushing ads or by providing a premium service upgrade in exchange for money?

Consumers who download apps without reading the permissions sought are also responsible for the increase in the number of 'incidents' directed through mobile apps.

If people ditch apps that ask for a lot of permissions in favour of those that don't, app developers will be pushed to design apps in a way that they don't ask for unrequired permissions.

