How to know if you can trust mobile apps

With the blogs in this series I want to reach not only my typical audience, security professionals, but especially less security aware people to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

If you didn't read my previous post I recommend you to do so first and see if you can possibly improve the security on your mobile devices. Today's post is about mobile apps and why you should be careful when installing them.

Let me start with the bad news. Malicious mobile apps are often only discovered after they have been days, months or even years available for download. Even in the official app stores. Certainly Google has a bad reputation with keeping Google Play malware free. At a regular base malicous apps are discovered, and often this means that millions of users are affected or malicious apps just re-enter the store just by the authors changing their name.

It's not only Google though. Albeit to a very small extent, but also iOS has the same problem.

What can we do about it?

This sounds a bit depressing. And unfortunately we can't be 100% sure that the apps we download are malware free. But if you keep the following best practices in mind you can at least minimize the probability and impact.

1. Don't install apps you don't need

The simplest way of reducing risk is by only installing the apps you really need. To give an example, there's no need to install a flashlight app. You already have one by default on your phone. Keep in mind, your device can't get hacked or infected with malware through something you don't have.

2. If possible always install from the official play store

Whilst the app stores have their security issues, they at least have a mechanism in place to vet the apps before they get published. Apps you download from elsewhere are most likely not validated and pose a much bigger risk. So don’t download apps from outside the app stores. If you don't have another choice verify that you download from a trusted source. For instance if you want to download Fortnite which is still not available in Google Play only do so via the official website.

3. Check the app permissions

Don’t install apps that require excessive permissions. A barcode reader doesn’t need to access your contacts. Or do you really want to use the Youtube Gaming app knowing that it needs access to all this?

4. Do research about the app.

  • Don’t be misled by the number of downloads. It's not because an app has a lot of downloads that it can be trusted. There are known examples of malicious apps that have been downloaded 100 million times.
  • Search in your favorite search engine for the particular app name and creator to check whether the app is known to be malicious.
  • Read the reviews in the app store. If you find several negative reviews, don't download the app.

5. Consider installing a virus scanner (on Android devices)

On an iOS device I wouldn't install an anti virus app. First of all Apple doesn't allow to install apps that do a full system scan. This implies that virus scanning apps for iOS are rather useless. Given that the security checks Apple implements before an app is added to its App Store are very rigorous, you should be fine if you follow the best practices I've described in this post.

For Android you could consider installing anti virus software. This article explains that the risk is low.

https://gizmodo.com/do-you-need-anti-virus-apps-for-your-phone-1834085322

A low risk is still a risk. So why not installing an antivirus tool? When you do so in the same article is some good advice for you.

https://gizmodo.com/do-you-need-anti-virus-apps-for-your-phone-1834085322

If you don't know which anti virus solution to choose, this recent report can help you select.

Conclusion

Follow these tips and in case of the doubt don't install a particular app. Look for an alternative app and do the same checks. Better safe than sorry.