During the 2019 Mobile World Congress in Barcelona, ESET unveiled a new blog named Android App Watch to help Android users protect themselves against insecure applications.
“Insecurely developed apps, those that put their users’ privacy or money at risk are a growing problem. On one hand, such apps don’t qualify as malware and thus cannot be blocked by security solutions. On the other, the risk they pose may still be severe,” says Lukáš Štefanko, the ESET security researcher driving the project.
Typical examples of security risks associated with apps that are otherwise non-malicious are in app vulnerabilities or on their back-end servers, unencrypted communications between the app and its server, leaking sensitive information and data, bypassing app protection mechanisms, remote code execution or even SQL injection.
Ultimately, insecure apps are much harder to protect, while being no less of a threat. A poll organized by ESET Researcher Lukáš Štefanko via his Twitter handle, shows that users are aware of this. Of over 3200 participants, 78% think mobile users should be more afraid of insecurely developed apps, compared to the remaining 22% who think malware is a more significant threat.
Since insecure apps cannot be blocked by security solutions, it is up to users to protect themselves. The problem is that from the user perspective, it is hard to tell an insecure app from a secure one. No clear rules apply here because apps come in too many forms and flavors to fit into simple criteria or patterns.
What can help in such a situation is a healthy level of suspicion based on general knowledge about how apps are developed, what their business models are and what the overall Android ecosystem looks like.
The primary goal for the Android App Watch blog is to provide users with information and insight in order to make the right choices about their Android apps. Besides warning users about insecure apps and bad practices in the industry, the Android App Watch is also designed to help the apps’ developers.
“Before we publish our findings, we report them to the app’s developer, along with advice on how to fix them. Then we wait for the fix and evaluate it to see if it solves the problem,” explains Lukáš Štefanko.
The ESET Android App Watch blog can be found at ESET unveiled a new blog named Android App Watch to help Android users protect themselves against insecure applications www.androidappwatch.eset.com
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.