During the 2019 Mobile World Congress in Barcelona, ESET unveiled a new blog named Android App Watch to help Android users protect themselves against insecure applications.
“Insecurely developed apps, those that put their users’ privacy or money at risk are a growing problem. On one hand, such apps don’t qualify as malware and thus cannot be blocked by security solutions. On the other, the risk they pose may still be severe,” says Lukáš Štefanko, the ESET security researcher driving the project.
Typical examples of security risks associated with apps that are otherwise non-malicious are in app vulnerabilities or on their back-end servers, unencrypted communications between the app and its server, leaking sensitive information and data, bypassing app protection mechanisms, remote code execution or even SQL injection.
Ultimately, insecure apps are much harder to protect, while being no less of a threat. A poll organized by ESET Researcher Lukáš Štefanko via his Twitter handle, shows that users are aware of this. Of over 3200 participants, 78% think mobile users should be more afraid of insecurely developed apps, compared to the remaining 22% who think malware is a more significant threat.
Since insecure apps cannot be blocked by security solutions, it is up to users to protect themselves. The problem is that from the user perspective, it is hard to tell an insecure app from a secure one. No clear rules apply here because apps come in too many forms and flavors to fit into simple criteria or patterns.
What can help in such a situation is a healthy level of suspicion based on general knowledge about how apps are developed, what their business models are and what the overall Android ecosystem looks like.
The primary goal for the Android App Watch blog is to provide users with information and insight in order to make the right choices about their Android apps. Besides warning users about insecure apps and bad practices in the industry, the Android App Watch is also designed to help the apps’ developers.
“Before we publish our findings, we report them to the app’s developer, along with advice on how to fix them. Then we wait for the fix and evaluate it to see if it solves the problem,” explains Lukáš Štefanko.
The ESET Android App Watch blog can be found at www.androidappwatch.eset.com