This is the second article in the 3-part series on mobile app security. To enter the back alleys of the mobile app world, do read the first part of the series, titled ‘Civil War: Apps vs You’.
Your privacy, in terms of personal information, is endangered by the never-ending permissions that apps request: an APPocalypse, in short. Of course, one could argue that apps, after all, require permissions to access your data so that they can do what they are built for. Instagram’s request to access the phone camera and photos so that photos can be edited is plausible. The Uber app requiring user location also makes sense. But why does Uber require access to a user’s contact list as well? Uber can now use your contacts’ information to send special offers to friends and family. Flipkart’s mobile app requests permissions to access Contacts and SMS. This means that Flipkart can access your contacts and the frequency at which you call and e-mail individuals.
Often, the permissions requested are not at all in sync with the core function of the app. Apps today demand blanket access to just about everything the phone knows about you, and some apps make money by selling sensitive consumer data, be it your contacts, browsing histories, or photos.
All the data accessed by mobile apps is transmitted between devices and servers. This data, including passwords, credit card numbers and other personal details, can be accessed by hackers, especially when it is transmitted unencrypted. The companies behind these apps are app builders, not BlackBerry: fortifying their servers and ensuring security is not a top priority for most of them. Many recall the security scare when the Truecaller app was hacked by the Syrian Electronic Army, giving them access to the contacts and accounts (Facebook, Twitter, LinkedIn and Gmail) of millions of users globally.
Here is another disconcerting fact for you. App makers tend to re-use third-party code in their apps rather than building them from scratch. As a result, apps tend to solicit permissions unrelated to their core function, and any inbuilt flaws in that code get passed on. Such vulnerable applications are then open to malicious attacks. Without your knowledge, malware can make charges to your phone bill, send unsolicited messages to your contact list, or give an attacker control over your device. Mobile malware often taps vulnerabilities or bugs in the design and coding of the mobile applications it targets. Popular applications are repackaged into “rogue apps” containing malicious code and are posted on third-party app stores. According to G DATA’s mobile malware report, the number of malware programs had risen to over 2.5 million by the end of 2015, and is still on the rise.
We have reached a stage where nothing is private anymore, and there is utter chaos when all your information falls into the wrong hands: contacts and photos misused, millions stolen from banks in the blink of an eye, identity theft. It destroys the very order in which the world operates. How do we impede this privacy extinction? Find out in the upcoming article ‘Privacy wars: The Force Awakens’.