Beware of Leaky Apps

Executives of companies developing apps need to know that developers often fall short on security, a Verizon official says.
David Katz, May 6, 2015

Intrigued by the fact that his more than 70-year-old mother had begun using WhatsApp, an up-to-the-minute, cross-platform instant messaging application, Vinny Sakore googled the app and found a wiki page that seems to have amused him a great deal.

Speaking at a session on cybersecurity for mobile apps at last week’s annual Risk and Insurance Management Society conference in New Orleans, Sakore, an assistant security officer for health insurance issues at Verizon, quoted the headline he found on that WikiHow page: “How to Access Someone Else’s WhatsApp Account.”

Sakore drew loud laughter from the large group of corporate risk managers when he quoted the following sentences from the page: “Want to access someone else’s WhatsApp account from your phone? Here’s how to do it — but make sure to get their permission first, as you might be infringing on their privacy.”

That little warning wouldn’t offer much protection against even the most inexperienced hacker, especially since instructions on how to get into the app were being offered freely on the Web, suggested Sakore, who used the anecdote to make the point that mobile apps tend to be scantily defended against data theft.

“Mobile apps are great, but are they secure?” he asked rhetorically, citing a 2013 study that reportedly found that 83% of the 400 most popular free and paid apps on the iOS and Android platforms were linked to security and privacy issues.

Most apps are created by unique developers, small shops that pay a whole lot more attention to design than they do to data security, according to Sakore. In a number of tests of mobile apps, Verizon has “found out that behind the big name is a small development outfit. Most organizations don’t have mobile app developers” and tend to outsource development, he said.

“Not all of these mobile app developers follow best practices,” he added. In a security review of the app of one of the largest health-care insurance groups, “not a notorious one that’s been in the paper a lot,” Sakore said, Verizon researchers found “a really awesome feature that they would let you store your insurance card” for use during visits to health-care providers.

Although the app itself was encrypted, “when it first downloaded the insurance card, it stored it in an area of the phone that was not encrypted,” the data-security official said. “So when our researchers went in to check on the app, they found people’s insurance cards — all the information, Social Security number, group I.D. number, member I.D. number, all that stuff. That’s the danger.”

To mitigate such risks, Sakore counseled corporate executives to make sure data security is built into an app “at the conception and architecture phase, not as an add-on.”
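The flaw Sakore describes, a sensitive record cached in unencrypted app storage while the app itself is “encrypted”, comes down to what bytes actually land on disk. The following is an added Go example, not code from the article, from Verizon or from the insurer’s app: it places the leaky pattern (serialise the insurance card and write it as-is) beside the hardened one (seal the record with AES-256-GCM before writing), and includes the check a reviewer would run over the stored bytes. The card record and the key are constructed; in a real app the key is assumed to come from the platform keystore (Android Keystore or the iOS Keychain) and is never stored beside the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// InsuranceCard is a constructed record shaped like the data in the article:
// member ID, group ID and Social Security number.
type InsuranceCard struct {
	MemberID string `json:"member_id"`
	GroupID  string `json:"group_id"`
	SSN      string `json:"ssn"`
}

// storePlaintext reproduces the flaw: the record is serialised and handed to
// local storage unchanged, so every field is readable by anything that can
// read the file.
func storePlaintext(card InsuranceCard) ([]byte, error) {
	return json.Marshal(card)
}

// storeEncrypted seals the serialised record with AES-256-GCM before it is
// written. The 32-byte key is assumed to be held by the platform keystore.
// Output layout: nonce || ciphertext || GCM authentication tag.
func storeEncrypted(card InsuranceCard, key []byte) ([]byte, error) {
	plain, err := json.Marshal(card)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per write; reusing one under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// loadEncrypted reverses storeEncrypted. A wrong key or any modification of
// the stored bytes fails the GCM tag check and returns an error instead of
// a garbled record.
func loadEncrypted(blob, key []byte) (InsuranceCard, error) {
	var card InsuranceCard
	block, err := aes.NewCipher(key)
	if err != nil {
		return card, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return card, err
	}
	if len(blob) < gcm.NonceSize() {
		return card, errors.New("stored blob shorter than a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return card, err
	}
	err = json.Unmarshal(plain, &card)
	return card, err
}

// LeaksField is the reviewer's check from the article, made mechanical:
// does a sensitive value appear verbatim in what was written to storage?
func LeaksField(stored []byte, value string) bool {
	return bytes.Contains(stored, []byte(value))
}

func main() {
	card := InsuranceCard{MemberID: "M-0001", GroupID: "G-42", SSN: "123-45-6789"}
	key := bytes.Repeat([]byte{0x11}, 32) // constructed; a real key comes from the keystore

	plain, _ := storePlaintext(card)
	blob, _ := storeEncrypted(card, key)
	fmt.Println("plaintext cache exposes SSN:", LeaksField(plain, card.SSN)) // true
	fmt.Println("encrypted cache exposes SSN:", LeaksField(blob, card.SSN))  // false
}
```

The point of `LeaksField` is that it is the same test the Verizon researchers effectively ran by hand: look at what the app wrote, not at what the app claims. Run against the plaintext path it finds the SSN; against the sealed path it does not, and tampering with the sealed bytes is rejected on load rather than silently accepted.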

Currently, many software developers tend to first create apps and then say “let’s make it secure,” he said. “You have to start from the ground up and think about making it secure while you’re making it.”

Sakore also advised executives at companies that are developing apps to insist that information technology specialists “encrypt, encrypt, encrypt.”
