How Can You Tell if an App is Secure?

In our business, the process of figuring out if an app is secure is called a risk assessment.

This blog explains how to do a quick risk assessment on an app in the app store or one that you’ve downloaded on your phone.

It can be tempting to just install an app, but it is best practice to do a quick risk assessment to make sure that the app you are trying to install is secure.

To start, here are some questions you can ask about the app:

• What is the publish date? How old is the app?
• Does the developer have a website?
• Where is the developer based?
• Do they have other apps that they make? (You can usually tell a scummy app factory by the other apps they put out. If the apps are random, or if they aren’t high quality, they probably aren’t secure.)
• What data does this app collect? Do I feel comfortable giving the app my personal information?
• What type of data are they storing?
• How are they storing it? Is it encrypted?
• What do they do with the data?
• Can I opt out of sending my data to their cloud?
• Can you remove your phone number after registering?
• What information do they need to begin with or to start the app?
• What can you opt out of and how complicated is it to opt out?
• Are there reviews? And are these reviews fake?

After going through these initial screening questions, I recommend reading through the privacy policy. This can be a challenge for a lot of people because it can be difficult to read the language and be boring. But this is an important step because this is where they tell you what they are doing with the app.

If you notice vague language or if you have questions that are unanswered, this can be an indicator that the app or your data may not be stored securely.

For example, in one privacy policy statement that I read, they said that they would store my data in an encrypted format. However, they didn’t tell me where they would store it. On a database? In the cloud? What is the level of encryption?

A good caveat to be aware of with installing apps is that it can be difficult to get your data deleted. Just because you delete the app doesn’t mean that your data has been deleted. Often, you must contact the owner of the app and ask them to delete your account. Otherwise, your information is still out there.

If you don’t feel confident reading through the legal jargon in privacy policies, you can use other tools or services to help you determine if an app is safe. The website, “Terms of Service Didn’t Read” is one such tool that can be helpful. This site summarizes the terms and conditions within privacy policies and explains them simply so that they can be more easily understood.

Another great resource is Qualys. They do a good job at evaluating how companies are doing encryption.

Exodus can be used to evaluate android apps. It can tell you things like what libraries are included for tracking analytics and advertising. It will highlight or flag permissions that seem overly broad. Exodus will tell you all types of information that can assist you in determining whether an app is secure.

Conclusion

In conclusion, one of the best questions to ask yourself is, do you need the app? Or can you use a web browser? Or pen and paper? Being selective about the apps you download and how many you download is one of the best ways to protect your data and stay secure.

Krebs on Security, a fantastic security researcher, gives this advice: If you didn’t go looking for it, don’t install it! If you installed it, you need to update it. If you no longer need it, remove it.

If you enjoyed this blog, we recommend subscribing to our news podcast where we give you the latest news as well as practical advice and solutions to common security problems.