Today, there is an app for virtually everything you can think of, and they’re freely available, from any device that has a Web browser. Not only that, but many of them are free, and are maintained remotely by the developer, removing any hassle from the user.
However, too often, apps do a lot more than they advertise, often infecting the user with malware, that can steal information, login details, or take over the device.
Simon Campbell-Young, CEO of Phoenix Distribution, says app users should bear in mind that apps are complete programmes that run within your devices and often rely on Web technologies such as Adobe Flash or Java, both of which have been exploited countless times by threat authors.
“Moreover, although apps are useful and increase functionality, they can penetrate deep into the device’s system, and this shouldn’t be ignored. Never underestimate cyber thieves. They are cunning, talented and innovative. They continually find new ways to bypass security controls, and infect users.”
He advises all app users to view unknown, untrusted or obscure Web sites with suspicion.
“Always keep an eye out for a site that appears legit, but might have a spelling mistake, or missing or added letter in the URL.”
When downloading apps, he says there are several steps a user should take. Look for and read any review on the app that might be out there. Never download an app sight unseen. A sampling of recent reviews will give you an idea of any concerns other users may have, and alert you to any unusual behaviour that other users of the app have noted.
“In addition, take a look at who developed the apps. Most apps come from individuals and developers. Take a look and see what if anything that developer has published before, and what the feedback around those apps have been.”
Finally, always review the permissions. Not every third-party source of apps is dangerous, but the odds are much higher, he says. Some platforms, such as Android will clearly show what permissions a particular app requests before download. Any unusual permission requests should raise the alarm. For example, why should an app want to access your contacts?
He says with iOS, the case is different. iOS users have to jailbreak their devices in order to install apps that aren’t approved by Apple.
“Anyone who has gone that far, I would assume would be fully cognisant of the associated risks.”
Ultimately, says Campbell-Young, being a little ‘online savvy’ goes a long way.
“Threat authors aren’t necessarily looking for a challenge, they are merely exploiting the platforms that offer up the largest number of potential targets, and the ones that are the easiest to exploit. Being aware that there are threats out there, and using a little common sense, is the first step.”
“When in doubt, don’t click on a link. This one tip would go an enormous way towards preventing infection, but as simple as it sounds, users will click on practically anything. Particularly if they are getting something for free, or wanting to view salacious content. It is hard to protect people from themselves sometimes.”
However, since most users will at some point fall foul of a suspect link, the best defence is making sure your devices are protected with the most up-to-date anti-malware protection.
“A good AV product will have updated signature lists, and will be able to pick up on suspicious behaviour, and block threats before they infect the device.”
“Enabling automatic updates for all software that offers this, is also a good idea,” he says. “Failing that, apply new updates as soon as they are released, and always patch when patches are released.”
This is particularly true of the Web browser, says Campbell-Young.
“Most browsers today have added security measures to protect their users, from phishing, and other Web-based attacks. However, an old browser will defend only against old threats, so make sure this is updated whenever possible. An added layer of security is using https in the URL, which indicates secure browsing, and once in a secure site, don’t open any other tabs within the browser that don’t also use https.”
He adds that plug-ins and add-ons for browsers should also be viewed with suspicion.
“Although they doubtlessly extend the browser’s functionality, they often contain vulnerabilities that malware can exploit. Only use these from vendors that you know can be trusted.”
It is only through understanding what the risks are, particularly in light of the myriad devices we now use to connect to the Web, that we can defend against malicious apps. “Here, a little common sense will always go a long way. If something is suspicious, or seems too good to be true, chances are, it is,” Campbell-Young concludes.