"Not all apps are created equal," says Francis Dinha, founder and CEO of OpenVPN Technologies, a securities software company.
According to some reports, between 75 and 80 percent of those beloved free apps on Android and iPhones were breached. It was a staggering 97 percent among some of the top paid apps. Thanks to malware, your personal, financial and banking information, your secrets, is going into the hands of hackers.
What people fail to realize is that mobile devices are inherently insecure because they lack the same security controls that are typically found on computers and other internet-connected devices. "Mobile devices are insecure because they operate insecure platforms that offer insecure access and operate over unsecured networks. They also power many insecure mobile apps that expose users to data leakage and losses in privacy," says Jeff Bernstein, managing director of T&M Protection Resources.
Quite frankly, "they are not designed with security in mind. They are designed for ease-of-use. Unfortunately, ease-of-use usually comes at the expense of security," says Bernstein.
How to Protect Yourself
Look for red flags. Be wary of popups and advertising messages. "Apps that consume too much storage space on your phone are a sign of malware. Apps that sound too good to be true. For example, apps providing you content like music and movies that you know would cost you money but the app is providing for ‘free’, that’s a bad sign," says Dinha.
Be mindful about granting access rights. When installing an app on a device, it’s customary for apps to ask a whole host of questions. It’s not always clear why they need permission. Think twice if an app wants seemingly unrelated information such as access to your address book or your photo album. "Unfortunately, people routinely click through these terms without paying careful attention. Slow down post install and read each permission that you’re granting an application," says Frederick Ghahramani, CEO and founder of Just10.
Another common attack method is to trick customers into downloading a "replica" version of the mobile application, where the app looks identical but is in fact modified to sniff data or act as a Trojan horse. "This is much more common on Android, Blackberry, Windows devices, or on ‘jailbroken’ iOS devices where it’s easier to ‘side load’ applications," warns Ghahramani. The simplest way to guard against such attacks is to ensure that all downloads originate from the official app stores, he says.
Storage can be problematic too. When an application on a mobile device transmits information, it’s not always clear, or even possible to know, whether that information is being delivered securely, unlike in a normal browser, where you can see the padlock in place when visiting an HTTPS destination. "To this end, if the banking application or payment application you’re using doesn’t effectively communicate that information is being delivered in a secure manner, it may be more prudent to just log in online through the mobile web browser of your bank, or through the website’s checkout process online through a browser, where it will be more clear that information is being delivered securely," advises Ghahramani.
Ghahramani is a fan of tools like Recon, which scans your apps and tells you if they’re sharing information with third parties, or if the information they are transporting is being transported securely.
Truth is, security breaches are often caused by users doing something that they shouldn’t, like clicking a malicious link in an email or opening an email attachment. Bad habits can cost you.
To help keep scammers at bay, Bernstein offers some of what should be on your must-do list. While a password that is tough for you to remember is a pain, it’s a good first defense. Use only trusted, secure connectivity, remove or terminate permissions for applications you don’t use, and regularly update the software you use.
Furthermore, check the app developer’s website before downloading. "Don’t download any apps that don’t have websites," says Dinha. "Don’t download any app that doesn’t offer encryption. You can check by browsing through their website – a secure site starts with https://."
If you don’t have the time to read all of the app disclaimers, read app reviews before downloading. "Other people may take the time to read the disclaimers or post about their experiences," says Paige Hanson, chief of identity education at LifeLock.
Finally, says Bernstein, "You must be vigilant and selective with the use of your mobile devices."