App Security: The Risks are Real

By Joe Gillis, VP of Sales, GVC - 7 Nov, 2022
Cyber Security
12 Minutes Read
With their importance to a modern business’ ecosystem, applications are absolutely essential. More than just to make sales, today’s apps represent a critical link between companies and their customers — but, sadly, also an opportunity for hackers.
When it comes to mobile app security, the statistics are shocking:
  • Almost three-quarters of apps would not pass even a basic security test.
  • 83 percent of apps have at least one security flaw.
  • Mobile security vulnerabilities are found in 91 percent and 95 percent of IoS and Android apps, respectively.
With so much at stake in today’s interconnected world, data privacy is essential for every organization and individual. It is, therefore, crucial to review and practice mobile application security requirements, both in your personal use and on company networks. The following article provides a mobile app security checklist.

What Does My Phone Know About Me?

Every time you power on your smartphone, you put your data security and privacy to the test. To understand the basics of mobile app security best practices, you must first identify the smartphone features and browsing activities that can put you or your company in jeopardy.

1. The Places You Visit

Androids and iPhones both feature tracking software that can pinpoint your whereabouts at any given time. Phone manufacturers use this information for profiling purposes. The good news is, you can deactivate this feature at your discretion by changing your settings. The tracking is energy-consumptive and therefore lessens the duration of each battery-charge cycle.

2. The Things You Tell Siri

On iOS smartphones, Apple’s Siri virtual assistant remembers everything you enter and say. Each time you ask for recommendations or tell Siri about the things you like, Siri will use this information to make suggestions about places to visit and products to try. Siri will also come to recognize your voice and the way you pronounce certain words. Though the assistant uses randomized IDs to protect anonymity, Apple has admitted to spying on users through Siri.

3. Personal IDs

As a smartphone user, you can keep your passwords stored and memorized on your phone for instant access to various apps and sites. However, your carrier should not be collecting and using this information. To try and combat such invasive practices, Google announced this spring that it would allow customers to see what data smartphone apps are collecting about them.

4. Passwords

Most apps will give you the option to store your login and password info within the program’s memory. While this can serve as an easy access gateway to various other programs, it can also increase the odds of an ID leak. The safest way around this problem is to memorize your login and password info — which is easy to do if you adopt a personal date/initial code and give it a sequence of alphanumeric variations based on the first letters of the apps in question. Or, you can write down each login and password on a notepad and manually enter them into each app as you need it.

5. Messages and Texts

When you send a text or engage in an iMessage conversation over an iPhone, Apple stores the messages for an unspecified length of time. The company does this to ensure the notes go to the intended recipient. However, Apple has not specified how long this retention period lasts, be it one day or a full year.

6. Google Accounts

As an Android user, all your apps connect to Google. Therefore, each time you pull up the apps for Chrome or YouTube, your phone connects to your Google accounts, giving the tech giant access to all the information you enter into these apps from your smartphone. If desired, you can stop the company from recording your whereabouts at any given time.

7. Your Traveling Speed

Your phone records information about your habits, including the speed of your commutes between home, work and various other destinations you frequently visit for shopping or leisure. Based on your starting location, a phone can determine how long it will take before you arrive at your intended destination. The phone will also know the days and times you travel to and from work, as well as other routine activities.

Though this tracking and artificial intelligence can be convenient in certain situations, some users dislike this type of knowing talk-back from a smartphone. You can always shut these notifications off by deactivating location services in the user settings of your phone, but you will also need to disable any location-tracking apps that might be running in the background.

How Could Apps Put Me at Risk?

Mobile app security threats can arise anytime a user logs in to an unencrypted site or uses weak passwords. The following factors of smartphone usage do not stand up to mobile app security testing.

1. Unencrypted Personal Info

One of the biggest dangers of apps is the amount of private data they collect on users. For example, the Facebook messaging service WhatsApp gathered the private info of millions of users and left it in plain sight for any snooper who bothered to look into the matter. Another example is the viral FaceApp, which became the subject of intense scrutiny when users learned its development team was Russian-based. When these companies collect info without encryption, millions of users are at risk of having their credit card numbers, addresses and even their appearance leaked to the world at large.

2. Location Tracking

Another way apps gain info on users is to gather the location of each individual that interacts with them. In the case of mapping apps, there is some justification for this, since the app will need to pinpoint your whereabouts before it can accurately direct you to an address of interest. With many other types of apps, however, there is no real reason for the app to know about your address or ZIP code. Why, for example, would a recipe’s app need to know about your city or ZIP, unless the makers of said app were collecting info to send to targeted advertisers in your community? Unfortunately, many apps will not even let you sign on unless you agree to enter such info when you first log in.

3. Targeted Advertisements

Another way apps gather info to pass onto advertisers is to track user activity from site to site. Depending on your search entries and site-visitation patterns, you could find yourself inundated with advertisements for related products for months on end. For example, let’s say you visit a sporting goods site once to purchase a pair of snow boots. For the next few months, banner ads for boots, tents and other sporting goods from the website in question, as well as competing sites, could feature in your browser. When this happens, the banner ads are usually the result of profiling code app makers gather on users and site visitors.

4. Single Sign-On Gateways

One of the most convenient features of modern-day site usage is the universal login, which allows you to enter multiple sites that synchronize with tech giants like Facebook and Google. For example, if you have an account with Google and use their Gmail service for email, you can also use that account to log into YouTube and various other social media and e-commerce sites. That way, you only need one login and password to access a multitude of sites. Best of all, you only need to enter the info into Google once to store it in your browser and allow you to log in to numerous other sites, even as a first-time visitor.

However, such convenience comes with a risk. If a breach occurs with just one of these interconnected sites, it could expose your login and password data and jeopardize all your user accounts. It is, therefore, crucial to limit your use of single sign-on gateways to the sites you trust the most.

5. Calendars

When you input dates and locations into a calendar app, the info might get passed onto advertisers for targeting purposes. For example, if you mark a date on your calendar to attend a rock concert or visit a skiing resort, you could end up being targeted by local and online music vendors, streaming services and ski-supply sellers, all because of the info gleaned from your activities.

Granted, this in itself is only a minor form of info sharing, and many users do not care if innocuous calendar info gets passed to benign advertisers. The real danger is when a specific app fails to handle the info safely and passes details onward to dangerous sites.

6. In-App Purchases

One feature that can open the floodgates to dangerously high monthly bills is the in-app purchase feature, which many apps popular with children have. Gaming apps, for example, will often have a free version with basic features, plus different add-on features that you can purchase for a select amount. In some cases, an app will sell you one feature, then another and another, luring you to spend more with each successive purchase.

Purchase buttons can be tempting when the first set of add-ons opens up an array of features that enhance the speed, capabilities and overall enjoyment of the game or program in question. The dangerous aspect of in-app purchases is that you can easily lose track of how much you are spending, especially if you agree to several purchases in a single session. If you have your PayPal or Google Wallet synchronized to the app, the payments could be as easy as one, two, three.

People of all ages can fall into this trap. However, in-app purchases are most problematic when a child uses a smartphone and purchases add-on features at the press of a button. Many children, unaware of the consequences, could purchase numerous features in quick succession and leave parents saddled with three-figure or four-figure bills. For obvious reasons, you should restrict or shut off the option of in-app purchases on your smartphone, especially if you allow a youngster to use your phone.

7. Unique Device Identifiers

One tracking feature most users are not aware of is the unique device identifier (UDID), a number that identifies the smartphone of a given user. If one of your apps affixes your account with a UDID, the software will track the things you do on the phone and all the places you go with the device in hand. This info could then get leaked to advertisers. Therefore, if you spend an afternoon at the local mall and visit several clothing stores, you could end up facing a barrage of advertisements on your smartphone from said stores.

UDIDs can be dangerous if the data gets leaked to criminal third parties, such as phishing sites. UDIDs are common on Android devices, through the problem is less prevalent on iOS, thanks to actions Apple has taken.

How Can I Protect Private Info on My Smartphone?

Mobile app security issues could easily arise if you fail to take proper precautions when you log in to apps on an Android or iPhone. The following mobile app protection measures can increase your odds of staying safe.

1. Use Strong Passwords

A password should contain both uppercase and lowercase letters, as well as numbers and non-alphanumeric characters. You should use a different password for each app. To make things easier to remember, select letter combinations and number codes with a special meaning, such as the digits of your favorite dates and the initials of beloved people and landmarks.

2. Use a Security Program

With a reputable security program installed on your smartphone, you can generally ward off the average hacker, providing you follow the other safety steps. While such programs might not prevent government spying, security measures could render your device virtually hack-proof.

3. Cover Your Cameras

If a hacker gains remote access to your phone, you could get recorded and photographed without your knowledge. While the odds of this are low, the possibility has been an issue of concern for many smartphone users. To prevent this from happening to you, put tape over the camera eye on your smartphone whenever you are not actively using it for photo and video captures.

4. Unplug Your Smartphone

Whenever your phone is not in use, turn it off and keep it unplugged. Taking these steps will spare you the annoyance of unwanted phone calls when you are asleep or otherwise occupied, and also lower the odds of security breaches.

The following factors of smartphone usage do not stand up to mobile app security testing.

No data protection act has managed to yield any foolproof mobile app security features. It is, therefore, crucial to enact a range of data privacy solutions at your discretion, including the following practices.

1. Check Your Carrier’s Policies

Most carriers today have pledged to refrain from sharing customer information with third-party marketers. However, both AT&T and Verizon had previously engaged in such activities. Verizon, for example, gained info on customer surfing habits with a header-tracking super-cookie. As such, it is critical to read the privacy policy of your ISP and, if possible, decline any dubious marketing options..

2. Stick to Encrypted Sites

You can identify encrypted websites by the looking for the “https” — hypertext transfer protocol secure — extension before the URL. These four letters indicate an encrypted connection that prevents external parties from viewing your interactions with the site in question. While your ISP will only be able to view the domain name and nothing more, this could be revealing if the site is politically themed. If you are unsure about the security of your connection, consider using a virtual private network for select surfing activities.

3. Use Different Search Apps

To prevent Google from collecting too much info on your user activity, log out from time to time and use other search apps. This practice can be especially wise whenever you engage in browsing activity that you would not want to fall into the hands of advertisers or any other third-party entities.

Work with New Era Technology for the Best Mobile App Security

Despite the range of application security best practices users can enact in this day and age, it is still challenging to ensure the data security and privacy of the information on your smartphone or company network. Contact New Era Technology today to learn more about our IT Services at

Author: Joe Gillis, VP of Sales, GVC

Joe Gillis, a graduate of Loyola University, began his career with FTG Technologies, a New Era Technology company, in 2010 as an Account Executive. After proving his skills in team-building, client interaction, and developing strategic relationships, he was promoted to Sales Manager in 2012. Today, Joe continues to lead the sales team and serves as a member of the senior management team. When Joe isn’t leading the sales team he enjoys time with his young family and is an avid golfer. Prior to joining FTG, Joe worked for the PGA Tour within Tournament Operations.

© 2024 New Era Technology  |  Privacy Policy   |  Cookie Policy   |  License Number: MA 7190-C