Infosec Professional’s Guide to Managing Smartphone Apps

January 20, 2016 | Views: 6526


Smartphones make our lives easier and keep us entertained with a wonderful array of apps.


Testing Apps

Given how much information is on our phones, it’s of little surprise to see the rise of malware, spyware and viruses. Even though each of the major vendors verifies uploaded apps, it’s pretty easy to sneak in malicious code. For security pros, it’s key to test a few Smartphone apps yourself.

Test a Wallpaper

For fun, I like to check the app stores of various companies and see what apps made it into the fold. I like to know what horrible things are being downloaded by users. Let’s take a look at an app I tested:

Wall Paper

  • The description for the app I tested is “400 Hot Wallpapers!” Yeah, we can probably see where this is going…
  • The application had a rating of 4.1 out of 5, with over 226 people rating it. The worst reviews just complained of popups, which is not uncommon for free apps.

App Permissions

Whoa! My network scanner app has fewer permissions! This app could:

  • Use your location (Why does a wallpaper app need my location?)
  • Use your rear and front-facing camera (What, what?)
  • Use your microphone (My wallpaper is listening in on me now?)
  • Use your contacts (I guess it’s a very social wallpaper.)
  • Use your media library (This is common for any media based app.)
  • Use your phone (…..)
  • Use the appointments in your calendar (The app has places to go.)
  • Send push notifications (Probably because of the popup banners.)

Breaking this down, this free wallpaper will not only run pop-up ads (causing issues of their own), but it can also use my front and rear cameras, listen in at any time, make calls, spam my contacts, know where I am, check my appointments, etc. This is why people worry about “Big Brother”.
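The breakdown above is the kind of review a security pro can script instead of doing by eye. As an added example (not code from the article or from any app store), here is a small Python script that reads an Android manifest, maps each permission Android classes as “dangerous” to the capability it grants (location, camera, microphone, contacts, and so on), and flags any that a wallpaper app has no plausible reason to need. The manifest is constructed to mirror the permission list above; the category-to-capability policy table is an assumed baseline of my own, not anything the article or Android defines.

```python
"""Flag dangerous permissions an app requests that its category does not justify.

Added illustration. The manifest below is constructed to resemble the
wallpaper app discussed in the article; it is not taken from a real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of real Android "dangerous" (runtime-granted) permissions, mapped to
# the capability each one hands the app.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "media",
    "android.permission.WRITE_EXTERNAL_STORAGE": "media",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.SEND_SMS": "sms",
}

# Assumed review policy: capabilities a reviewer would accept for a category.
# A wallpaper app needs the media library at most; tune this to your own rules.
EXPECTED = {
    "wallpaper": {"media"},
    "network-scanner": {"location"},
}

# Constructed sample manifest mirroring the article's permission list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hotwallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <application android:label="400 Hot Wallpapers"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name on a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def review_manifest(manifest_xml, category):
    """Return (permission, capability) pairs that are dangerous and not
    justified by the app's category. Normal permissions and justified
    dangerous ones are left out."""
    allowed = EXPECTED.get(category, set())
    flagged = []
    for perm in requested_permissions(manifest_xml):
        capability = DANGEROUS.get(perm)
        if capability is not None and capability not in allowed:
            flagged.append((perm, capability))
    return flagged


def summarize(flagged):
    """One-line verdict listing the capabilities the unjustified permissions grant."""
    caps = sorted({cap for _, cap in flagged})
    return "%d unjustified dangerous permission(s) touching: %s" % (
        len(flagged), ", ".join(caps) or "nothing")


if __name__ == "__main__":
    findings = review_manifest(SAMPLE_MANIFEST, "wallpaper")
    for perm, cap in findings:
        print("UNJUSTIFIED %-45s (%s)" % (perm, cap))
    print(summarize(findings))
```

On a real package you would feed the script the manifest extracted by a decoder such as apktool, or the list printed by `aapt dump permissions`; the policy table is where your organisation's judgement goes, and it is deliberately a whitelist per category so that a new dangerous permission is flagged by default rather than silently accepted.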


Knowing How App Stores Work

Let’s take a look at the App Stores (from a Developer’s Point of View).

Google: Google’s store is one of the easiest to upload apps to. For a one-time $25 developer fee, you can upload your APK file. Google does some file checking and a decent job of scanning your files, and adds those notes to your application listing. Google, however, doesn’t vet any apps.

Apple: Apple is one of the tougher ones. They’ll scan your app and have someone check it before uploading.

Microsoft: Microsoft is pretty much like Apple. They’ll do a scan on an app and have a live person check it to make sure it does what you say it will (for the most part).

Truth be told, it’s not very hard to sneak something past any of these vendors (though Apple seems to be a little tougher).


Understanding End Users

An average person’s Smartphone significantly affects their lives. Their phones facilitate communication and carry personal numbers, work contacts, notes, emails, photos, locations, tasks, books, etc.

To protect their data, they set passwords. Some even have biometrics or facial recognition to unlock their phones. They might also have a remote lock, wipe, alarm or GPS tracking for lost or stolen phones. It’s equivalent to having a brick wall surrounding their house with a reinforced front door, deadbolts and a ravenous guard dog for good measure. They’re locked down and secured! Except, someone left the back door open…

End users may ask you, “What’s the point in having a Smartphone if apps can’t be installed?” I’m not saying people shouldn’t install applications, but they should think about what’s really being installed.

On the surface, most apps look great. But the ugly truth is that people under-examine what they’re installing, reading only the description, screenshots and maybe some reviews. Often, people will leave comprehensive reviews (once you get past the usual internet trolls) that break down the application in great detail. The problem is that those people also rarely understand what they’re installing.

I’ve even seen IT professionals rushing to install the “hot” new Mario clone or sexy wallpapers without scrolling down to the long, boring text that eventually explains what the app is really going to do. I can’t blame people entirely for skimming. It’s a bit like reading wordy disclaimers every time you install a piece of software. But, for apps, IT’S WORTH IT.


Final Thoughts

As a security pro, take the time to know the dangers of apps. Work with end users to review ANY application they install on their phones. After all, it’s not only their data you have to worry about; it’s yours too if they have your information on their phones.


  1. This was a great reminder RoninSmurf. The equivalent of RTFM, and you won’t be surprised by what you get. How many times do users, myself included at times of course, fall for the “shiny” packaging while we are sucked in to the ploy. The “approved” apps often equate to just another form of privacy ripping malware. Thanks for your thoughts RoninSmurf.
    Keep on writing and submitting!

  2. Good read, thank you

  3. Security should be the main concern and responsibility of the company (Apple/Microsoft/Google) who are allowing these malicious apps to do “extra” data gathering and push / create premeditated malicious apps. It’s like saying, yes I know this car will kill innocent people, but I’ll go ahead and allow it because I don’t care who it will hurt, I just care about getting the car out there and making money. New rules and laws should be enacted into what these apps can and can’t do. If they get caught there should be an automatic fine to that company and it should also be considered a breach of data for that company not vetting the app they are allowing users to download! Responsibility should lie with the company that approved the app to be on their platform!!! The risk should not be transferred to the user as they are unaware of the dangers of these apps, but the company should be, according to standards and rules that should catch these apps that are malicious. Again, fines should be assessed to irresponsible app makers and app download platforms.

  4. @RoninSmurf. Thanks for this important piece. This is something that dreadly evolves in our everyday tech-Lives which has been of a greater concern to me. Some friends have asked me why I went into IT, when the only thing I do is question and raise eyebrows about tech-Works. Truth be told, there are bad guys out there who find pleasure in what they do. I am more concerned about everything that says data, ranging from the Cloud to our Telephone System…which is why I rarely download apps. For the most part, I would say due to personal security; but like you mentioned above, the word has to go out like wild fire. People need to understand what they are signing up for; because not only are they risking exposure of all their personal information but also that of others sitting on their devices. THESE APPS ASK FOR SO MUCH MORE THAN WHAT THEY NEED*** “COULD THERE BE STRINGS OF ULTERIOR MOTIVES BEHIND THEIR REQUEST”??? THE ANSWER IN PLAIN TEXT IS–YES!!! I WOULD CONSIDER THIS ACT AS MALICIOUS.

  5. I must commend the effort of the writer to bring this issue out. The vast majority of technology users are unaware of security, let alone how their security could be compromised by the apps they install. Some of us, even in the security domain, are aware but simply just don’t care to give detailed attention to their activity. The common argument is “We’re already exposed in one way or another” and they hold that sentiment until they see or hear of someone falling victim due to negligence and a nonchalant attitude toward these things. I believe the case for security is getting stronger by the day though, and we (in the security domain) must spearhead the campaign for vigilance and responsible technology usage in order to ensure a safe atmosphere for all.
    Again, I think the major challenge is that the more security you have, the less comfort and freedom, and comfort/freedom is a more natural option for people than security that comes with restrictions and restraint.
    Hmmm…. User Discretion is Advised!!!
