Using apps securely on mobile devices

Depending on what software is installed and data saved on it, your mobile device can be a means of accessing both private and business information — your photos, documents, passwords and much more.

In our 'Using apps securely' video, an expert from the BSI explains exactly what apps are and when they can become a security risk.

Even if you are the only person with access to your device, simply using it day to day will bring you into contact with various parties to whom you must entrust your data. Users need to trust not only the manufacturer of their device, but also the publishers and programmers of their apps. The third party involved is the operator of the network over which the data is shared. Users need to be able to trust this operator too before they start downloading apps and saving or sending data. It is not recommended to work with apps and personal data unless you can trust all these parties.

There are myriad threats associated with apps. Yes, they could pass saved data into the wrong hands, but they could also incur very large costs. Some malicious apps work in the same way as dialler malware on PCs, which was commonplace back in the days of the analogue dial-up modem. Unknown to the user, they establish expensive telephone connections or send costly, premium-rate text messages. Other types of malicious app can put the user under constant surveillance by regularly transferring location data or passwords, for example.

App security tips

Installation

  • Only install apps that you really do need. Each additional app represents an additional security risk, even if the app itself is from a reputable source. Almost all software comes with vulnerabilities but with free apps in particular, you can quickly find yourself landed with potentially unwanted programs such as bogus anti-virus protection or whose dubious purpose is to display adverts.
  • Only install apps from trustworthy sources — such as the default app stores and manufacturer markets provided on your smartphone.
  • Check which functions the app requires permissions for. Depending on your operating system, you may be able to see even before you install an app which permissions it will have when installed. Make sure apps can only access those smartphone functions that are absolutely necessary for them to work and which make logical sense. You should be sceptical, for example, if an app for storing notes wants access to your text message function. In such cases, you should think carefully about whether you want to accept the authorisations, because your options are to either confirm them all or simply not install the app. You can find further information on confirming app permissions in Android systems in the 'App authorisations for Android' section below.
  • If you are unsure whether an app is trustworthy, a quick search online is usually a good place to start. This is a fast way to find out if an app contains malware.
  • Beware of bargains: there are fake versions available of many popular apps, particularly games. The imitators offer their apps cheaper or even free, but they build malicious functions into them, or they tempt users with paid-for extra levels.

Updating

  • Check whether updates are available for your apps and operating system on a regular basis and install them as soon as possible.
  • You need to be careful when installing updates as well as new apps: publishers can use updates to grant additional access rights to an app you have come to trust after using it for some time. For this reason, you shouldn't update apps automatically; install the updates manually instead. Then you may be able to view the associated rights again, depending on your operating system.

Usage

  • Take note of the status bar on your smartphone screen. The symbols shown there will indicate whether an app is collecting location data or enabling wireless interfaces. If GPS or Bluetooth, for example, is active and you have not activated these interfaces or used them deliberately, you should investigate the cause by checking which apps are currently active (see the next point below).
  • The initial advice given here was to only install apps you really need. So, logically, you should also delete any apps you no longer use.

App authorisations for Android

This section only relates to Google's Android operating system for mobile phones. That's because users of other systems, such as Apple's iOS or Windows, cannot confirm or deselect app authorisations individually.

How the Android protection concept works

Apps developed for the Android operating system run in a protected, isolated environment known as a sandbox. On the one hand, this sandbox offers internal protection in that your app user data cannot be accessed by unauthorised third parties. On the other hand, the sandbox principle provides external protection, so the app cannot access other user data or system services. The sandbox is opened up to the outside using authorisations (also called permissions) to perform certain functions such as exchanging data and communicating.

Authorisations

Android recognises around 160 different authorisations, which Google assigns to groups and protection levels. The groups are simply used to sort the authorisations; they tell the user nothing about security. These are some examples of groups:

  • Paid services
    Allow apps to execute actions that may cost money.
  • Your messages
    Read and write text messages, e-mails and other messages.
  • Your personal information
    Direct access to your phone's contacts and calendar.

The protection levels are important because they indicate how critical the authorisations are. Google distinguishes between these four levels:

  • normal
  • dangerous
  • signature
  • signatureOrSystem

Only 'normal' and 'dangerous' are relevant to you, since the authorisations associated with these levels have to be confirmed when installing an app. Of all the authorisations defined in Android, 60 have the protection level 'dangerous'.

With the protection level 'dangerous', the authorisation in question can be used to misuse the corresponding function. Cyber criminals could therefore compromise your device and spy on your personal data, for example.

Below are two examples of authorisations (text taken from Android):

Example: protection level 'dangerous'
  • Authorisation: Call phone numbers directly
  • Description: Allows apps to dial phone numbers without any input from you. Malicious apps could be responsible for unexpected calls that show up on your phone bill. However, it is not possible to dial the emergency services.
  • Group: Paid services

Example: protection level 'normal'
  • Authorisation: Show network status
  • Description: Allows an app to show the status of all networks.
  • Group: Network communication

Selection of critical authorisations

(Source: original descriptions from Android)

The examples below show the different areas in which apps can request critical authorisations and what the associated risks are.

  • Paid services

    • Send SMS:
      Allows an app to send SMS messages. Malicious apps may cost you money by sending messages without your consent.
  • Your personal information

    • Read contacts:
      Allows an app to read all data about your contacts stored on your phone. Malicious apps may send your data to other people.
    • Read social stream:
      This authorisation allows an app to access and sync social updates from you and your friends. Malicious apps may use this authorisation to read private communications between you and your friends on social networks.
    • Read calendar events plus confidential information:
      Allows an app to read all calendar events stored on your phone, including those of friends or co-workers. Malicious apps may use this authorisation to extract personal information from these calendars without the owner's knowledge.
    • Precise (GPS) location:
      Access to precise location sources such as GPS on your phone (if available). Malicious apps may use this to determine where you are and may consume additional battery power.
  • Network communication

    • Full network access:
      Allows an app to create network sockets.
  • Hardware controls

    • Take pictures and videos:
      Allows an app to take pictures and videos with the camera. This authorisation allows the app to take pictures within the camera's field of vision at any time.

App installation

In the various app stores, the authorisations that an app requires are listed by group, along with a description. Authorisations with the protection level 'dangerous' are shown to you in full, whereas authorisations with the protection level 'normal' need to be opened by clicking 'See all'. Also when an app is installed, all 'dangerous' authorisations are listed, but you need to open the 'normal' authorisations to see them.
When you install a new app, you have to confirm the authorisations requested by the app. Android relies on an all-or-nothing approach: it is not possible to approve some app authorisations and not others. Often this will mean users confirm the requested authorisations without knowing the potential risks.
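The all-or-nothing confirmation described above, and the advice earlier on the page to review an app's permissions again after an update, can be turned into a simple check. The following script is an added example and not part of the BSI page: it reads the `<uses-permission>` entries of an Android manifest, sorts them by protection level using a small table built from the permissions this page mentions (a constructed subset; the full list of levels is defined in the Android platform and has changed across versions), and reports which 'dangerous' permissions an update newly requests. The two manifests for a notes app are constructed for the example.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# Constructed subset of protection levels, limited to permissions discussed on this page.
PROTECTION_LEVEL = {
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.CALL_PHONE": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.READ_CALENDAR": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")} - {None}

def classify(permissions):
    """Group permission names by protection level; names not in the table are 'unknown'."""
    levels = {}
    for name in sorted(permissions):
        levels.setdefault(PROTECTION_LEVEL.get(name, "unknown"), []).append(name)
    return levels

def new_dangerous_permissions(old_xml, new_xml):
    """Permissions that the updated manifest adds and that are at the 'dangerous' level."""
    added = requested_permissions(new_xml) - requested_permissions(old_xml)
    return sorted(p for p in added if PROTECTION_LEVEL.get(p) == "dangerous")

# Constructed manifests: the notes app before and after an update that adds SMS and contact access.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(classify(requested_permissions(NEW_MANIFEST)))
    print("newly requested dangerous:", new_dangerous_permissions(OLD_MANIFEST, NEW_MANIFEST))
```

A notes app asking for SEND_SMS and READ_CONTACTS after an update is exactly the kind of implausible request the tips above say to question before confirming.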

Figure: display of an app's authorisations in an app store; display of the app authorisations.

Security recommendations

The same security recommendations apply as for apps running on other operating systems. However, with Android there is more malware and potentially unwanted programs out there, not to mention more disreputable sources to obtain apps from, than for other mobile operating systems. Nor is it possible to deselect individual authorisations without cancelling the entire installation. Just one final note about the rating system on which Google relies as a 'security recommendation':

  • Rating systems:
    Google relies heavily on its rating system as a 'security recommendation': the more users use an app and give it a positive rating, the more likely that the app will be genuine or that malicious content will be identified.
    Of course, this criterion is useless when it comes to assessing an app's security. However, it can be useful when combined with other criteria, at least as an indicator of whether an app is genuine. For example, the BSI is aware of an app sold for a few euros as anti-virus protection that received good ratings from users. In reality, it was totally ineffective.