Managing mobile security: There's no such thing as a free app
- By William Jackson
- Jul 09, 2012
Agencies moving to mobile platforms need to beware of anyone bearing gifts. Trojan apps — applications that contain malware — are the primary means for infecting mobile devices, fueled by an apparently endless public appetite for free software.
“They make it look enticing,” said John Harrison, group manager at Symantec Security Response. “But you’re really getting nothing for free these days.”
The unexpected cost of free apps can include bills for text messages to premium numbers, having information and contacts on your device shared, and having your location and online activities monitored by who knows who.
BYOD security: Are agencies doomed to a permanent game of catch-up
The line between legitimate and malicious apps is fuzzy. Many legitimate apps gather more information than you might like for perfectly legal, even if unpopular, use by vendors. Others are benign, but might be badly written with unintended bugs and vulnerabilities. Others are downright bad, exploiting your device whether delivering the promised functionality or not.
The good news is, you should be in control of what applications are downloaded and installed on your device, and the apps must ask for permission to access the device’s systems and functions. Unfortunately, many users download cool toys and tools indiscriminately, with predictable results.
Apple controls the legitimate apps available for its iPhone and iPad, so for the time being the risk of infection is less on this platform. But the increasingly popular Android operating system allows third-party applications to be downloaded from anywhere, and it is the primary target for malware writers.
Be skeptical of what you download and pay attention to the permissions requested. A case in point: Flashlight apps. They are a fun and useful. They typically use your phone’s camera flash capability to provide a steady bright light. I would imagine this plays havoc with your battery life if used for very long, but it should be a simple and benign application.
But a look at two free flashlight apps, more or less at random, from appbrain.com shows some suspicious activity.
The TeslaLED Flashlight requires hardware control permissions to take pictures and control the flashlight, as well as permission to display system-level alerts and prevent phone from sleeping. These seem reasonable, and the app got a user rating of 4.5 out of 5 stars. But the Brightest Flashlight Free was flagged with a user warning about its excessive permissions.
Among the permissions required to install Brightest Flashlight, in addition to controlling the flash and preventing sleep mode, are:
• Location monitoring through both coarse network-based technology and GPS.
• full Internet access and access to the Wi-Fi state.
• Ability to modify and delete SD card contents.
• Permission to read phone state and identity.
• Installing and uninstalling shortcuts and reading home settings.
• A long list of permissions to read settings.
Why a flashlight needs Internet and Wi-Fi access and the ability to delete data is not explained. Yet the product still got a user rating of 4.7 out of 5. Only one negative reviewer commented, “Suspicious permissions for a flashlight app.” Two other unfavorable reviews complained only about the app’s lack of performance on some platforms, while the rest raved. “DEFINITLEY the Brightest Flashlight out there.”
Bottom line, pay attention to what you are installing. Note not only what it says it does, but what it asks permission to do. Pay attention to the reviews, but you probably can skip over the five-star comments — you know what they are saying — and go directly to the unfavorable ones. If someone else had suspicions, maybe you should, too.
Cohn offered this advice for avoiding mobile malware:
• Download apps only from the regulated Android marketplace.
• “Rooting” devices is bad. Once you have opened a protected device to unauthorized downloads, you’ve opened it for everyone.
• Pay attention to the requested permissions, be suspicious of overbroad permissions.
• Use mobile security products.
William Jackson is freelance writer and the author of the CyberEye blog.