How Safe are We from Our Apps?
Like many others in the tech community, I applaud Apple’s efforts to encrypt the iPhone to protect our privacy. But there’s been noticeably little attention given to the impact of apps on that same privacy.
I’ve always been surprised at how many permissions some apps requests before they can be installed. They typically request access to our contacts, location, calendar, email and sometimes even our mic and camera. Yet, rarely do the apps explain why they need all of this information or what they plan to do with it. In fact, many of the items they ask to access have no bearing on the app’s functionality. I’ve yet to come across an app that allows us to selectively accept or reject these permissions item by item.
So the question is, how serious an issue is this when it comes to protecting our privacy and how do Android and iOS phones compare?
I posed this question to Amit Ashbel, a Cybersecurity professional with Checkmarx.com. The Israeli-based company provides services that review software code for vulnerabilities and has published a notable report on this subject, “The State of Mobile Application Security, 2014-2015”.
He pointed out mobile apps have two main attack vectors: (1) The operating system and (2) The application installed on the device.
Ashbel noted Apple does a good job in securing its operating system and significantly limits the user’s access to core OS level controls. Google takes a different approach and enables more flexibility which, at times, might expose the OS to more risks. Neither Google nor Apple do a good job in securing the apps, because neither company seem to analyze the apps for security vulnerabilities they may expose the user to.
The task to analyze code is obviously immense. The iOS platform alone has more than 1.5 million unique apps, downloaded over 75 billion times!
But according to Ashbel, the vulnerabilities exposed by the apps are less a result of the developers intentionally compromising our data and more the result of poor coding that allows others to attack our phones and obtain that personal data.
The Checkmarx and AppSec-Labs study identified the top seven development sins based on testing hundreds of applications of all types, from banking to games to utilities:
1. Authentication/Authorization – Acting on or accessing data without sufficient permissions, such as bypassing the security pin code and allowing access to personal information
2. Availability – Issues resulting in denial of service from the application or part of it that can result in crashes
3. Configuration Management – Incorrect or inappropriate configurations
4. Weak Cryptography – Breaches related to insecure ways of protecting data
5. Information Disclosure – Exposure of technical information such as application logs
6. Input Validation Handling – Results of mishandling data received from the user
7. Personal/Sensitive Information Leakage – Exposure of personal or other sensitive data such as passwords, documents, credit card numbers, etc.
In comparing iOS and Android, the report finds few differences:
It is a common myth that the iOS development platform is more secure than the Android equivalent for several legitimate reasons:
a) iOS has more restrictive controls over what developers can do and tight application sandboxing
b) iOS applications are fully vetted before being released to customers – preventing malware from entering the Apple App Store
Yet, in the field of pure application security where vulnerabilities are built in the code or into the application logic, the story is quite different.
Our statistics show the distribution of vulnerability exposed by severity is almost identical between iOS and Android applications with a slightly higher percentage of critical vulnerabilities in iOS applications.
40 percent of iOS vulnerabilities were critical or of high severity, compared to 36 percent of the Android vulnerabilities.
The conclusion is there’s more vulnerability from apps, due to the way they are coded, rather than from intention. But, because of poor coding, it’s even more of a reason not to provide access to information not needed for the app to function properly.
What does Ashbel do when loading apps on his Android phone? He reads the permissions carefully and, if they ask for access to information not needed, he says no.
One would think as part of the approval process to allow an app to be sold in their stores, both Apple and Google would require the permissions asked by the apps are just what’s needed. Perhaps they need to begin examining the app’s code in greater depth. After all, Apple has raised the importance of securing the personal information on our phone and that should include all areas of vulnerabilities.