How Safe are We from Our Apps?

Like many others in the tech community, I applaud Apple’s efforts to encrypt the iPhone to protect our privacy. But there’s been noticeably little attention given to the impact of apps on that same privacy.

I’ve always been surprised at how many permissions some apps requests before they can be installed. They typically request access to our contacts, location, calendar, email and sometimes even our mic and camera. Yet, rarely do the apps explain why they need all of this information or what they plan to do with it. In fact, many of the items they ask to access have no bearing on the app’s functionality. I’ve yet to come across an app that allows us to selectively accept or reject these permissions item by item.

So the question is, how serious an issue is this when it comes to protecting our privacy and how do Android and iOS phones compare?

I posed this question to Amit Ashbel, a Cybersecurity professional with Checkmarx.com. The Israeli-based company provides services that review software code for vulnerabilities and has published a notable report on this subject, “The State of Mobile Application Security, 2014-2015”.

He pointed out mobile apps have two main attack vectors: (1) The operating system and (2) The application installed on the device.

Ashbel noted Apple does a good job in securing its operating system and significantly limits the user’s access to core OS level controls. Google takes a different approach and enables more flexibility which, at times, might expose the OS to more risks. Neither Google nor Apple do a good job in securing the apps, because neither company seem to analyze the apps for security vulnerabilities they may expose the user to.

The task to analyze code is obviously immense. The iOS platform alone has more than 1.5 million unique apps, downloaded over 75 billion times!

But according to Ashbel, the vulnerabilities exposed by the apps are less a result of the developers intentionally compromising our data and more the result of poor coding that allows others to attack our phones and obtain that personal data.

The Checkmarx and AppSec-Labs study identified the top seven development sins based on testing hundreds of applications of all types, from banking to games to utilities:

1. Authentication/Authorization – Acting on or accessing data without sufficient permissions, such as bypassing the security pin code and allowing access to personal information

2. Availability – Issues resulting in denial of service from the application or part of it that can result in crashes

3. Configuration Management – Incorrect or inappropriate configurations

4. Weak Cryptography – Breaches related to insecure ways of protecting data

5. Information Disclosure – Exposure of technical information such as application logs

6. Input Validation Handling – Results of mishandling data received from the user

7. Personal/Sensitive Information Leakage – Exposure of personal or other sensitive data such as passwords, documents, credit card numbers, etc.

In comparing iOS and Android, the report finds few differences:

It is a common myth that the iOS development platform is more secure than the Android equivalent for several legitimate reasons:

a) iOS has more restrictive controls over what developers can do and tight application sandboxing
b) iOS applications are fully vetted before being released to customers – preventing malware from entering the Apple App Store

Yet, in the field of pure application security where vulnerabilities are built in the code or into the application logic, the story is quite different.

Our statistics show the distribution of vulnerability exposed by severity is almost identical between iOS and Android applications with a slightly higher percentage of critical vulnerabilities in iOS applications.

40 percent of iOS vulnerabilities were critical or of high severity, compared to 36 percent of the Android vulnerabilities.

The conclusion is there’s more vulnerability from apps, due to the way they are coded, rather than from intention. But, because of poor coding, it’s even more of a reason not to provide access to information not needed for the app to function properly.

What does Ashbel do when loading apps on his Android phone? He reads the permissions carefully and, if they ask for access to information not needed, he says no.

One would think as part of the approval process to allow an app to be sold in their stores, both Apple and Google would require the permissions asked by the apps are just what’s needed. Perhaps they need to begin examining the app’s code in greater depth. After all, Apple has raised the importance of securing the personal information on our phone and that should include all areas of vulnerabilities.

Published by

Phil Baker

Phil Baker is a product development expert, author, and journalist covering consumer technology. He is the co-author with Neil Young of the forthcoming book, “To Feel the Music,” and the author of “From Concept to Consumer.” He’s a former columnist for the San Diego Transcript, and founder of Techsperts, Inc. You can follow him at www.bakerontech.com.

43 thoughts on “How Safe are We from Our Apps?”

  1. “Yet, rarely do the apps explain why they need all of this
    information or what they plan to do with it. In fact, many of the items
    they ask to access have no bearing on the app’s functionality. I’ve yet
    to come across an app that allows us to selectively accept or reject
    these permissions item by item.”

    You’ve never used IOS, then. Android is built on Google’s business model of surveilling you in order to sell ads. So naturally you are asked to give permission to the entire laundry list of things an app asks for up front.

    on IOS, you are asked to give access to private data one thing at a time, and only as the app tries to access each thing for the first time. IOS’s privacy controls also provide granular control, so if you say “no” to something and then realize you should have said “yes,” or vice versa, you can change it easily.

    I continue to be utterly bemused by all the tech writers who talk about protecting their private data, but it turns out they are heavily invested in Google’s services and Android, to the point of not realizing that other ecosystems do things differently. Is it Stockholm syndrome? Or some kind of digital toxoplasmosis, created by Google and injected into your private veins when it inserts its data proboscis, so the presence of the privacy-eating predator in your living room causes contentment rather than fear?

    Because, news flash: it’s perfectly possible to live digitally without using Google for anything. You can say no to gmail, no to google docs, no to Google plus if you were silly enough to sign up for it in the first place. You can refuse the privacy sucking proboscis insertion procedure. It’s not hard, it’s not painful. For the hard core, there are even non-google search engines, believe it or not.

    1. Even better, you can even use Android and avoid Google stuff completely, just change your defaults.

      Also, some OEM versions (Huawei at least, that’s mine), and Android’s upcoming new version, have post-install rights management. Hardcore users can/should root and install the Xposed framework or somesuch.

      I don’t think many users, whether Android or iOS or anything else, read the EULA before installing though. And everyone’s still vulnerable to privilege escalation exploits such as this one: http://www.itworldcanada.com/post/sandbox-bug-in-apples-ios-affects-mdm-systems

      1. “you can even use Android and avoid Google stuff completely, just change your defaults.”

        Well yes, the Vampyre car(TM) is designed to run on human blood drained from the body of the driver, but all you have to do is disable the blood draining protocols before you get into it and it’s a perfectly safe and fun car to drive.

        1. Monsieur, you fail to see that changing all your defaults (to mimic iOS) and rooting your device is “even better.”

    2. Not always. A recent app I installed on my iPhone, Meeting Mogul, provides auto dialing for conference calls. Yet it requires access to the address book, even though it’s not needed to make the calls. While Apple does alert you to the access requests, many apps will not work without providing permissions.

      1. I am shocked, shocked to discover that a phone dialling app would want to have access to your contacts list.

        Also, “not always” what? I did not dispute in any way your assertion that many apps are too greedy about wanting access to personal information, nor did I dispute the point that apps should not utterly refuse to work if you say no to their demands for your info.

        You complained in your article, “I’ve yet to come across an app that allows us to selectively accept or reject these permissions item by item.”

        This is a state of affairs that exists on Android (all permissions must be granted at once, in advance, no granularity), but the complete opposite of that state of affairs exists on IOS.

        Charitably, I assumed that you were ignorant of how things work on IOS, and pointed out your error. Now I learn that you are in fact familiar with IOS. And your response, by ignoring the substance of my comment and instead nitpicking something that I did not actually speak to at all, suggests to me one of two possibilities:

        1. You made a mistake, but are not able to admit it because ego. In which case, do grow up.

        or,

        2. You were playing fast and loose with the truth, and are trying to distract from that fact by trying to divert the conversation in another direction. Classic troll behaviour. In which case, shame on you, and shame on the site owners for allowing you to post..

        1. The facts are that most users simply download apps and accept their requirements automatically. They assume that Apple or Google have approved the apps, so they need not worry. Yet the gist of the column is that a large number of the apps can cause serious problems.

          In the case of the app I cited, it dials the conference number and the conference code, so it has no need for the phone numbers in the address book.

          1. You committed the grave sin of pointing out that iOS’s security is about as bad (or as good) as Android’s. The hordes will now descend upon you. For once it’s not on me, and I’m all out of popcorn…

            Stay strong and truthful ;-p

          2. I hope you were able to cope. But you managed to ride in and defend all things Google on PhillpGBaker’s behalf.

            I’m just curious what you do when you’re not defending Google? Are spending all your time scouring the Internet to remedy Android injustice?

          3. Could be worse, I could be an anonymous troll with nothing better do to do and contribute than anonymously criticizing others ?

            Or I could be someone who upvotes those.

          4. Yet another nonresponsive reply. You are still unable to admit that you misrepresented the facts of how privacy permissions work on IOS in your article. Caught with your pants on fire, and you stand there saying “look over there!”

            Yes, most people just accept whatever the app asks for without thinking or questioning why it wants to know that stuff. Apple really should crack down on apps that demand access to your data for no good reason (not even in a world of elves and fairies is Google ever going to do the same).
            .

          5. Well, I don’t see you admitting to your pants on fire for so grossly lying about what my Android phone can do w/ after-the-act, granular permissions… Pot, meet kettle ?

            As for Apple not doing something about permissions being OK, and Google not doing anything either *because they are evil*… Same issue, same (non-) actions… either both are evil, or none are. Elves and fairies don’t apply, this a the real world, and these are the facts : Apple an Google do the same.

          6. “Pot, meet kettle”

            I have never used android. I have, however, read about the differences between its approach and that of IOS with regards to apps asking for access to personal data.

            I did my best to only speak to the things I knew of personally or had read about. I see that by mentioning the privacy settings on IOS, I inadvertently implied things that are not so about the privacy settings on Android. I am sorry about that.

            The facts insofar as I know them or have been informed of them:

            1. On Android, either upon installing an app or upon first launching it (not sure which), you are presented with a single dialog with a laundry list of all the data types (location, contacts, etc) that the app wants to have access to. You either say yes to everything or no to everything — there’s no granular choice presented to you *by the app*. If you want to say yes to the reasonable things and no to the unreasonable things, you have to dive into settings.

            2. IOS takes the 100% opposite approach: apps ask about each data type individually, so you have granular control over the app’s access to your data without needing to put on the propeller hat and go into settings. Furthermore, you are only asked about each data type when the app first tries to access it, rather than when the app launches. So, if there’s some obscure feature hidden in a hamburger menu that wants to access your photos, you will only be asked to give access to photos if and when you invoke that feature.

            The difference in approaches between Apple and Google in how their OS’s ask for access to personal data speaks volumes about the differences in how they respect or don’t respect your privacy. But I don’t expect you to be able to set aside your bias long enough to admit that.

            I somewhat regret the pants on fire remark, but not enough to go up and edit my comment — either Mr Baker is being duplicitous, or he is displaying a truly stunning lack of maturity in his inability to admit to being wrong.

          7. As opposed to your ability… to persist in being wrong, and unapologetic about it.

            You don’t know what you’re talking about. I don’t get asked about permissions when apps launch, but on first access. Exact same as on iOS. But I have the extra possibilities to 1- go into settings and do a full review by app or permission if/when I feel like it and 2- replace all the Google stuff with something else. At least that 2- is impossible on iOS.

            The non-difference in approaches between Apple and Google in how their OSes ask for access to personal data **and let users switch to whichever app they want** does speak volumes about how they respect privacy (the same) **and choice** (not the same). But I don’t expect you to be able to set aside your bias long enough to admit that.

            As you say “I don’t expect you to be able to set aside your bias long enough to admit that.”, even when your facts are dreadfully wrong, and you analysis/opinion based on them, worthless.

        2. “news flash: it’s perfectly possible to live digitally without using Google for anything.”

          Bingo.

          With the exception of Dark Skies and the PBS app, I have not installed any third party apps that require access to the internet to function. I have denied ALL requested access to every iOS app I’ve ever installed and I have suffered no ill effects.

          I see no point in apps that simply ape the functionality of the internet (YouTube, Google Maps, etc.). Why should I suffer tracking and advertising when I can access the same info through Safari and block all that crap?

          Every app I’ve ever downloaded was run for the first time with my iPad in airplane mode. If the app complained and didn’t function, it was deleted.

          If you hate coughing up data to who-knows-what as much as I do, simple precautions are all that is required.

          1. Point in using “apps that ape the Internet”:
            – gmaps: offline maps, real-time directions w/ voice
            – youtube: offline videos, “share to” option, automatic upload w/ queueing for when back on wifi, better caching for when in a tunnel.
            – all apps: faster, smoother, more reliablen, generally more connection-independent (caching)

            See the point now ?

            Most people don’t go to the trouble of setting up sandboxes to test apps in. Your case is… interesting, but I doubt it reflects anybody’s practivces but yours, hence it is fairly irrelevant to the discussion.

        3. “This is a state of affairs that exists on Android (all permissions must be granted at once, in advance, no granularity),”

          say whaaaaaat ?

          1. The author stated “”I’ve yet to come across an app that allows us to selectively accept or reject these permissions item by item.”

            G-Q stated “on IOS, you are asked to give access to private data one thing at a time, and only as the app tries to access each thing for the first time.”

            We’re talking about giving permissions to each item, one at a time, not talking about giving permissions app by app. How does your screen shots show that Android allows an app’s user to turn on permissions one item at a time for that app?

          2. the commenter stated “on Android all permissions must be granted at once, in advance, no granularity”

            I’m talking about that statement, which is utterly false.

            Also, on my Android, you get asked to give permission one category (contacts, location…) at a time, the first time an app tries to access that category, for sensitive stuff (contacts, location, notifications, SMS, asking for all 30-ish categories would be cumbersome). So even then…

            And that’s exactly what the screenshots show: I can turn off gDrive’s right to read contacts, read SMS/MMS, …, Modify contacts, and the list scrolls down for another couple of pages off itemized rights I can turn on, off or “ask”. I can even control which apps are allowed to start services/daemons at startup, that’s the first item on the first screenshot.

          3. Nobody disputes what your screenshots show – which is that when you go into a “permission manager” or a settings app, you can turn access on or off to various items/categories on an app-by-app basis.

            But your screenshots don’t show the issue that was being disputed, that “you get asked to give permission one category (contacts, location…) at a time, the first time an app tries to access that category, for sensitive stuff.” If what you assert is truly the case for Android, then the author’s statement that “I’ve yet to come across an app that allows us to selectively accept or reject these permissions item by item” is false for both iOS and Android.

          4. It’s not application-level, it’s OS-level, both for iOS and Android.

            The author is saying this should be done by the apps, not the OS.

          5. Obarthelemy is using Android Marshmallow, which is the first version to adopt an IOS-style “ask for permission when the app first tries to do something” approach to permissions.

            Philip Baker, like 90% of people with android today, is using an older version that uses the monolithic “here’s all the stuff this app needs to access, installing means you give permission for everything at once, be grateful that we have given you a hidden settings panel to adjust things afterward” approach to permissions described in the article. This is the system that I had previously read about, so I did not realize, until doing some googling this afternoon, that the article was describing an outdated version of Android.

            Evidently recently someone in Google decided that most people just mindlessly tap “yes” so they didn’t need to be sneaky anymore about getting permission to insert the privacy draining proboscis. Or else it’s yet another case of the contradiction in Google between the engineers who try to do the right thing (ie, they saw that Apple’s system was better and copied it) and the marketing department that does whatever is good for ad sales regardless of how wrong it may be.

            Why Baker did not inform himself of the state of affairs on IOS or on other versions of Android before writing his article is another question. Why Obarthelemy is obsessed with accusing me of being a liar, but not with accusing Mr Baker of being a liar, and why he has selective amnesia about how his handset used to work before the latest update, are also other questions.

          6. 90%? More like 98%! Marshmallow just reached 2.3% adoption as of the week ending March 7th.

            Bottom line, “someday” maybe Android phones will be like iOS phones with regard to permissions, and despite what Mr. Baker implied and what obarthelemy claims, it’s not the same for 98%, or nearly all, of Android users today.

          7. Well, you and Mr. Baker should figure out who is right and who is wrong about his statement –“I’ve yet to come across an app that allows us to selectively accept or reject these permissions item by item.” Then let us all know when you’ve got it figured out and provide some screenshots, so we can rid ourselves of the thought that Android is second-class.

          8. You’ve had screenshots proving that everything that’s been said is a best untrue, at worst a willful lie.
            You’ll never get rid of the thought that Android is second class: you’re unable to see facts for what they are, and/or you don’t want to.

            My Android has the exact same rights management as iOS, plus the ability to switch off all Google stuff and set whichever default I like, thus is vastly superior to iOS on that front. If you can’t fathom that, well… enjoy your your delusion.

          9. So what Mr. Baker said is untrue about Android (and iOS). I doubt he willfully lied because he has usually experienced Android apps choosing not to use what Android provides by still presenting an all-or-nothing choice to the user (as shown above by his Yelp screenshot).

            If people buy an Android-based smartphone but don’t trust Google, then the ability to switch off all Google stuff, in order to be safe, is a very much desired and useful option.

          10. Wrong. Again. I’m on 4.4.

            Sorry about facts, keep trying though this is entertaining. How many times have you been debunked by now ? I think the fire is reaching the underpants, or worse.

          11. Maybe the per-app view will make it clearer than the per-right view.

            Chrome asks for 3 permissions: location I granted definitively, taking photos and recording sound it has to ask every time. The other 25+ permissions (read/write contacts, texts, files…), Chrome doesn’t even ask for

  2. I think App Security is a multidimensional issue:

    1- There’s the severity axis. An app spewing up full screen ads or notifications is bad, but stealing contacts+location+browsing history is worse, stealing private data (bank credentials, logins…) is even worse, and deleting/ransoming data probably the worst

    2- There’s the acceptance axis: An app doing semi-nasty stuff that I accepted (broadcasting my current location, inserting popups, gobbling up data…) is bad, the same when I didn’t specifically allow it is much worse.

    3- there’s the straight play axis: apps that skirt guidelines are bad, apps that exploit vulnerabilities to break out of their sandbox are worse

    And app security is only one level. There are levels for Web, ecosystem, cloud, and legal security too. Most apps have a Cloud component these days. My device can be tight as a drum, as long as my data is backed up to someone’s servers using someone’s unaudited/closed-source app, it’s very vulnerable.

  3. Note that Yelp requires all of these permissions, including the mic, in order for the app to be used.

    1. How have managed to live without Yelp for all these years?

      Oh that’s right: I’m not a clueless knuckledragger who needs to document and share every thought I’ve ever had online.

      Yelp: crowdsourcing worthless opinions.

      1. The point is that many popular apps present an all or nothing choice such as this. This thread is not about the worthiness of a particular app.

  4. Wow, this blog is like a rocket launching into the universe of endless possibilities! The captivating content here is a captivating for the mind, sparking curiosity at every turn. Whether it’s technology, this blog is a source of inspiring insights! #MindBlown Embark into this thrilling experience of imagination and let your imagination soar! Don’t just enjoy, savor the excitement! #BeyondTheOrdinary will thank you for this exciting journey through the dimensions of endless wonder!

  5. Wow, this blog is like a cosmic journey launching into the universe of endless possibilities! The mind-blowing content here is a rollercoaster ride for the mind, sparking awe at every turn. Whether it’s lifestyle, this blog is a goldmine of exhilarating insights! #MindBlown into this thrilling experience of imagination and let your mind soar! ✨ Don’t just read, experience the thrill! Your brain will be grateful for this thrilling joyride through the realms of endless wonder! ✨

  6. Wow, fantastic weblog structure! How long have you been blogging for?
    you made running a blog glance easy. The total glance
    of your website is excellent, as well as the content material!
    You can see similar here sklep online

Leave a Reply to PhilipGBaker Cancel reply

Your email address will not be published. Required fields are marked *