Mobile App User Privacy & Security: What You Need to Know

Posted by

Whytnee Bush

Mobile AppSec Advocate for NowSecure
Whytnee Bush serves as a mobile appsec advocate for NowSecure, and is passionate about a variety of issues including consumer protection. When she’s not spreading the word about app security, she can usually be found reading, swimming or playing cards.

As an everyday app user, I love the convenience of managing routine tasks through shopping apps, calendar apps, banking apps, and more. While 2020 drags on, employers, government services and retailers have embarked on or accelerated digital transformation — pushing mobile apps to the forefront.

However, mobile app convenience can sit at the opposite end of the spectrum from privacy and security. Privacy is defined as “the state of being free from public attention.” In the app realm, privacy is commonly associated with location data or an app user’s personally identifiable information (PII) such as email, password, or credit card number. Security is defined as “the state of being free from danger or threat,” and in apps it is compromised by issues such as unencrypted data and improper authentication.

Often privacy and security are considered one and the same, and they are in fact intertwined. Privacy is about protecting your information and data, and security protects that information from getting into the wrong hands. In other words: you can have security without privacy, but cannot have privacy without security.

Who owns and protects digital information has become hotly debated, and in turn, public awareness of privacy and security issues has put more control into the hands of individual app users. Here we cover how regulators and app publishers address privacy and security, and what mobile app users can do on their own to keep themselves safe from insecure apps.

Privacy and Security: Who Holds the Keys?

In recent years, very public and embarrassing data breaches have become increasingly frequent. These news stories have captured the attention of casual mobile app users and increased concern about privacy and security issues.

Regulators pay special attention to privacy issues and industry-specific U.S. laws that safeguard financial and health information. More generalized data privacy laws are currently a work in progress, though common privacy regulations exist. In addition, the incentive to create private and secure apps is growing. Per my colleague Jenifer Bauer’s 2019 blog:

Apple and Google [in 2018] began requiring mobile app developers to provide clearly written privacy policies for each app as part of the store approval process. The policies must specify what data is collected, if it is shared with third parties, and how users may request deletion of data. Mobile apps often collect personally identifiable data and other information, such as geolocation data and usage habits.

Apple announced in November 2020 that it will also require apps to provide essential privacy information. This empowers mobile app users with more control of their information and the knowledge of what data is being collected and how it is shared.

But how can these apps assure privacy? With robust and thoughtful security. App publishers hold responsibility for app security and test security in various stages of the software development lifecycle (SDLC). The most efficient and effective method of respecting users’ privacy is developing apps with a privacy-by-design mindset. This e-book offers tips for getting started.

Take Protective Measures

We know regulators are moving towards comprehensive laws for data and privacy, and app stores and app publishers have taken important steps to assure security. But how can everyday mobile app users diligently protect themselves from potentially invasive or risky apps? Just as you secure your phone from strangers by using a passcode or biometric ID, a few settings adjustments can secure your data from cyberattackers. We as consumers should take the following steps to manage the threat of unsafe mobile apps:

  • Only download apps from safe sources. Do you recognize the names of the app developers and publishers? If the app isn’t directly linked from a safe source or is tied to an unfamiliar publisher, do an online search to assure it’s legitimate. And, check out the ratings to again confirm legitimacy and get honest feedback on the user interface (UI) and user experience (UX). If there are many complaints about the app, think twice about adding it to your phone.
  • Read agreements and privacy notifications. Does the app gather data and sell it to a third party? A safe app alerts you if, when, and what data is collected and sold (“gathered and shared”). Again, data privacy laws are limited, but legitimate apps comply with Europe’s General Data Protection Regulation (GDPR) and/or California’s Consumer Privacy Act (CCPA).
  • Be mindful of the information you share with mobile apps. If an app requires an email address or payment information, only complete required fields. Take advantage if an app lets you opt out of mailing lists or third-party data sharing. Not buying the app, or goods or services in the app? Then don’t share any financial information.
  • Use multi-factor authentication (MFA). Having an extra step in your login process is prudent for certain apps, such as those for a bank account or health insurance. For MFA, credentials must come from two of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). With apps, your mobile device falls into the ‘have’ category, so you also need something you know or something you are to access the app.
  • Restrict app access in phone settings. Oftentimes apps connect to each other, track your location, or use other invasive techniques. Only grant these app permissions if it makes sense and is absolutely necessary. For example, a public transit app doesn’t need to access your contact list, camera or microphone.

App settings can quickly be adjusted to limit excessive permissions and secure your data from cyberattackers.

Maintain Vigilance

Mobile app users can be confident that regulations are improving to assure privacy. And, app stores provide certain capabilities and rules for app developers, while app publishers are following their lead to assure security throughout an app’s SDLC. These protections are driven by users, and we must maintain vigilance to ensure a world safe from insecure mobile apps.

Consistently adhering to the guidelines above will help to maintain momentum on this cultural shift. As an everyday app user, I care deeply about the security and privacy of my mobile apps. It’s important to me to understand if and when my personal information is collected and shared. Admittedly, much of this data has short-term value. But if we stop paying attention, and if policies do not keep pace with the market, we risk losing control of our data and privacy.