SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

How to research mobile app security

Advice says, “research the app.” But where do you start with mobile app security?


Most people want to keep their mobile devices secure. But how do you know the mobile app you are going to install is safe? You can’t trust the app stores. Most Android malware comes from Google’s Play Store. The good news is there are loads of articles giving advice on how to stay safe. Almost inevitably, one piece of advice will be, “research the app” or “research the company”. The advice is true, because you should check things like that. But rarely does the advice go into detail, because it’s hard to research mobile app security properly! We’ll show you how.

Research the app in 6 easy(ish) steps

Researching a mobile app before you install it is important. There are plenty of fake apps out there and, possibly even worse, some that work but also include unwelcome ‘things’. These ‘things’ could be intrusive ads, extensive tracking of your behaviour or even malware.

Mobile app security: Basic things to check

Whether you use Android or iOS there are some basic things you should check before you install a mobile app. We’ll go through them all below.


1. Why do you need this app?

Maybe the clock that comes with your phone doesn’t support more than one timer at a time (looking at you, iOS in 2021!). Or you want to make your torch do funky things. Perhaps the default file manager is too basic.

Before you install a new app take a minute to think about what you really need. It’s tempting to install apps, games and utilities that your friends and peers use. Take two minutes to think, “do I need this too?” If not, stop. If you do, carry on…

2. Who wrote it?

Do you recognise the developer? If it’s Google, Apple, Microsoft or some other large company you can feel safer than if it’s some random person.

You might not trust any of those companies, but at least you know people are watching their products carefully and they are far less likely to push malware to your phone than an individual or smaller organisation.

And if you want to use the Facebook app you absolutely cannot trust the developer, but at least you can ensure you choose the official version and not some copy with added bonus security problems!

3. What does it claim to do?

Does the app claim to do what you need? Read the reviews to see if people are satisfied or angry about the app’s abilities and stability.

You might also find that the app is subject to media scrutiny. TikTok, WhatsApp and Telegram have all made the headlines for different reasons – some good, some bad. Depending on who you are…

4. What rights does it need?

[Screenshot: Data used to track you] Why does your torch need to know where you are?

This is the juicy part. You want apps that are the least intrusive. Ideally they will only need to know the bare minimum about you. A travel app may need to know your location. A torch app, less so. Have a quick think about what you are happy sharing…

5. What rights does it ask for?

Once you know what you are happy sharing, see what the app demands. An in-car GPS will need your location, and you should be happy sharing this or else give up. Just ensure you trust the developer (see 2. above) and it doesn’t ask for any extra rights. Does it really need access to your photos?

6. Where is it available?

There are two main, official places you can download apps for your phone.

If you use Android you will probably use the apps section of the Google Play store. (The Amazon Appstore is another legitimate, but less popular alternative.)

If you use an Apple iOS device (an iPhone or iPad) you’ll use Apple’s App Store. Unless you ‘root’ or ‘jailbreak’ your Apple device, you don’t have a choice.

You can download apps for Android from pretty much anywhere, and that is very much discouraged. The official app stores offer a level of security that isn’t perfect but is better than nothing. If you stray to strange locations to install mobile software you are at risk. Ask yourself this: if this is a good, useful and legitimate app, why isn’t it available on an official app store?

There may be good reasons, but let the developers and platforms fight their fights. Keep to the stores to keep as safe as possible, with the minimum of effort.



Google Play store information

Choose an app in the Google Play store and you will see the following information:

  1. Rating between zero and five.
  2. Number of people who have rated it.
  3. Suitable age group.
  4. Provider.
  5. Category.
  6. Various details about the file size and compatibility.
  7. In-app purchases available?
  8. Privacy details.
  9. User reviews.
  10. Various other details that don’t help us research how risky it is.

New apps will have few reviews, low numbers of ratings and probably won’t rank on the charts. That does not mean they are terrible. Some well-reviewed apps may still be risky. You can’t judge an app based solely on user reviews. But if an app has a high rating as a result of lots of people downloading it, and it comes from a well-known developer then things start to look better.

[Screenshots: Google Play store listing] A popular torch that contains sexual content and needs full network access…

The Google Play store shows useful data about each app, including the type of content you can expect to see and what permissions it needs. Watch out for weird permissions that seem out of place. A torch app might say it requires access to your camera and to show sexual content, as in the example above, and you should at least be aware of this. A large part of assessing mobile app security is watching out for apps that offer one thing and take a lot more.
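Steps 4 and 5 above and the permissions warning here come down to one comparison: what the app asks for versus what its job actually requires. The following script is an added example, not code from the SE Labs article. It pulls the requested permissions out of an Android manifest and sorts them into expected, unexpectedly dangerous and unexpectedly other, using a constructed manifest for a hypothetical torch app and an illustrative baseline of what a torch or a navigation app should reasonably need. The permission identifiers are real Android ones; the baseline and the sample app are assumptions.

```python
"""Flag Android app permissions that look out of place for the app's stated purpose.

Added example (not from the SE Labs article). The sample manifest below is
constructed for a hypothetical torch app; the per-category baseline is an
illustrative assumption, not an Android or Google Play rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample: a "torch" app that also wants the network, your
# location and your address book. Package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Real Android runtime ("dangerous") permissions: these gate personal data or
# sensors and are the ones a user is prompted to grant.
DANGEROUS = frozenset({
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CALENDAR",
    "android.permission.BODY_SENSORS",
    "android.permission.GET_ACCOUNTS",
})

# Assumed baseline: the permissions each kind of app plausibly needs.
# Older Android versions drove the flash through the camera API, so a torch
# asking for CAMERA is tolerable; a torch asking for location is not.
EXPECTED_BY_CATEGORY = {
    "torch": {"android.permission.CAMERA"},
    "navigation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.INTERNET",
    },
}


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> in document order."""
    root = ET.fromstring(manifest_xml)
    return [
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    ]


def review_permissions(requested: list[str], category: str) -> dict[str, list[str]]:
    """Split requested permissions into expected / unexpected-dangerous / unexpected-other."""
    expected = EXPECTED_BY_CATEGORY[category]
    report = {"expected": [], "unexpected_dangerous": [], "unexpected_other": []}
    for perm in requested:
        if perm in expected:
            report["expected"].append(perm)
        elif perm in DANGEROUS:
            report["unexpected_dangerous"].append(perm)
        else:
            report["unexpected_other"].append(perm)
    return report


if __name__ == "__main__":
    result = review_permissions(extract_permissions(SAMPLE_MANIFEST), "torch")
    for bucket, perms in result.items():
        print(f"{bucket}:")
        for perm in perms:
            print(f"  {perm}")
```

Anything in the unexpected_dangerous bucket is exactly the "why does your torch need to know where you are?" question from step 4, answered before you tap Install. For a real APK the decoded manifest can be obtained with the Android SDK's apkanalyzer (`apkanalyzer manifest print app.apk`) and fed to extract_permissions; the baseline is the part you should adapt to what you decided you are happy sharing.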


Apple App Store information

Choose an app in Apple’s App Store and you will see the following information:

  1. Rating between zero and five.
  2. Number of people who have rated it.
  3. Editors’ Award, if applicable.
  4. Chart position in its category.
  5. Suitable age group.
  6. Provider.
  7. Various details about the file size and compatibility.
  8. In-app purchases available?
  9. Privacy details.
  10. User reviews.
  11. Various other details that don’t help us research how risky it is.
[Screenshot: Apple App Store listing] Apple’s App Store provides clear but basic information

This is all great stuff when you need to research a mobile app. As with the Google Play store, be skeptical of new apps with few reviews, but don’t completely discount them. Popular apps might still steal or leak your data. Regular users can’t tell if that happens or not.

High ratings, known developers and personal recommendations are all positive indicators.

Privacy is critical

[Screenshot: App Privacy section showing ‘No Details Provided’] Don’t trust the ‘No Details Provided’ apps

It looks boring, but probably the most important part is the App Privacy section. This links to the developer’s privacy policies. Unfortunately, Apple doesn’t check that the developer does what it claims to, so there’s a large element of trust here. And will you actually read those documents?

The App Privacy section also provides details about the “Data Used to Track You”. This can provide quite a frightening list.

Why would a torch application track your location, for example?

Sometimes the list is empty, which is a serious warning sign that the developer is either unprofessional or has something to hide.

Take a minute or two to check the privacy settings. They might be wrong but to ignore them would be negligent.


Mobile app security: Other things to check

You might have an anti-malware product installed. Pay attention to its opinion when you install a new app. You probably won’t see an alert of ‘malware’ if you download from an official app store but you might see ‘adware’ or ‘PUP’ (potentially unwanted application). Avoid these whenever possible.

Advanced steps for experts

Don’t root or jailbreak your device unless you ‘know what you are doing’ and are prepared to take full responsibility for your own security. If you trust the developers of apps available outside of the official app stores then you don’t know what you are doing.

If you can reverse-engineer code then review the new apps you want and be careful. Maybe consider writing your own, if you are that advanced?

Mobile app security for everyone

Life would be much easier if you could just install mobile apps with wild abandon. But you can’t and stay safe at the same time. Pay attention to the details before you install an app and restrict yourself to the minimum number of apps that you need for work and fun.

App stores are fairly good at scrutinising code for bad behaviour so relax a little. But for the best mobile security at least check out the permissions each app requires.

Find out more

Our latest reports, for enterprise, small business and home users are now available for free. Please download them and follow us on Twitter and/or LinkedIn to receive news, comment, updates and future reports.

Sign up to our monthly business and personal security newsletters.


About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk
