Apps vs Oranges and the Occasional Bad Banana

The fruit section at our grocery store is generally doing its best to keep fresh and tasty produce in stock. However, there are occasions when some not-so-good items end up on the shelves. So while we may be willing to almost blindly restock our cart with another box of Raisin Bran without looking, we scrutinize our fruit and vegetables when we shop for them. We look them over for bruises, we feel them for the right softness, and we smell them for the scent of freshness.

I think the app stores are doing the best they can too. But apps are like the fruit section. In contrast with the traditional shrink-wrap software market, where only the most reputable products ever reached store shelves, readily downloadable apps and the developing array of alternative markets operate on a different paradigm. This leaves us, the wary users, on guard for the occasional bad banana, bruised orange, or smelly batch of peaches that gets through.

The DroidDream series of Trojans is but one example of bad bananas that leaked through the system. More recently, we are finding GGTracker to be an evolving menace. How do we protect ourselves? Here are 9 APPlicable things to consider:

  1. Use Reputable App Stores – Some stores manage their inventory better than others. Reputable app stores do some vetting of apps. If malicious or poor-quality apps are found, a reputable store will remove the app from the shelf and/or compel the creator to fix the problem. The official app stores usually have the capability to help remove malicious apps from devices, which can be an important part of rapid mitigation of serious threats. If you elect to bypass official app stores (for example, by jailbreaking your device), be aware that you are on your own. This is akin to buying your fruit from a street-side stand. The product may be very good, but you may not have the benefit of health inspectors. You won’t know what chemicals have been used or what other hidden secrets the product might contain.
  2. Only Load Apps that you Need – Any app presents risks to your information, and the app may have bugs that place your device at risk. The app may perform functions that you don’t expect. Only load apps that you expect will provide real value to you and offset the risks.
  3. Look at the Reviews – Look at the low-ranking reviews as well as the high ones. This is the way to find the bruised peaches among the crowd of attractive-looking apps.
  4. Free Apps Probably are not “Free” – The creators want to monetize their efforts. As with social media, app creators are trying to strike that balance between valuable and lucrative. Make sure you have at least a notional understanding of how this app is making money for its creators. There are some basic models:
     • Promote other products, upgrades, or subscription services
     • Ad supported
     • Charge for the app
     • Sell your information, including the actions you perform with the app
     None of these are exclusive of one another. You should expect at least one of these mechanisms to be in use.
  5. Scrutinize the Permissions – If an app asks for access to your contact list, location, and other attributes, ask yourself why. If there is no logical explanation that satisfies you, don’t allow it.
  6. Contribute to the App Reviews – Looking at the reviews will be of little value if users have not provided valuable feedback. If an app is not providing the value you expect, make sure others know about it.
  7. Run Anti-Malware Protection on your Device – Running anti-malware is particularly important if you are going to use side-loaded or alternative-market apps, which may not be scrutinized as well and for which there may be no method to pull the app if it is found to have malicious intent.
  8. Keep your Apps up to Date – Updating apps has become much easier than it used to be. Take a moment to help ensure your apps are up to date, which should patch any discovered vulnerabilities.
  9. Clean House – Even apps that you have not been using can be running in the background on your device. They may be performing functions that you don’t know about or want. If you are not using an app, remove it.

Most of this is pretty much common sense. It is not nearly as complex as selecting that extra-sweet melon from the pile.

What steps are you taking to help ensure that your apps are safe, functional and helpful? What are some of the best apps you’re using and would recommend? Share your insights with others, and then read what they are using, by posting your comment below. We look forward to hearing from you.

Brian Rexroad, Executive Director of Threat Analytics, AT&T