App Attack!

When it comes to technology, what type of person are you? Are you the kind of person who likes to be first in line to buy the latest and greatest technology has to offer? Or are you the type who likes to wait, let the technologies and competition develop, and allow the price to drop before you purchase? Or, worst case, are you the person who dreads technology? You want nothing to do with it, or as little as possible, and you end up getting it only because you now have to use technology to do business at all. Or are you somewhere in between these three?

I’m closer to the second category in that I am never the first in line to buy the latest and greatest, nor do I avoid technology. I started in the information technology business and migrated to the information security business. Because I worked in a classified area for the last part of my military career, I was pretty late to the smartphone market. I couldn’t use it during the twelve hours a day I spent in the Pentagon. When I left work, the last thing I wanted to do was spend time on a phone.

Now that I’m out of the military and advising clients on information security, I’m much more in touch with the continual technology changes, and wow, is it tough to keep track. Welcome to the era of everything as a service, and every service requires an application or app – primarily a smartphone app. I contend I may be even more deliberate in making a technology change, especially when it comes to smartphone apps, because of the security concerns.

Smartphones allow for an endless litany of apps, and apps are software; software can carry vulnerabilities, malware, and viruses. I purchased my first smartphone in 2016 and upgraded it in 2020. When I upgraded, I was determined to add only essential apps. I have a net gain of twenty-one (21) crucial apps in twenty-four months. Trust me when I say they are all essential: eight for business-related IT, five for health & fitness, four for travel, three for finances, and one for subscription news. Well, maybe they are all essential. I need to know the best-rated places to dine locally when I travel.

I have eschewed airline apps and social media apps. I can have my tickets emailed to me and use the browser for social media, even if that is the least preferred way to use it. Likewise, I can read free news via a browser. Besides, isn’t the idea not to have our faces stuck inside our phones?

Recently, a good friend and colleague of mine, whom I met over twenty years ago and with whom I started my transition from IT to information security, lamented, “Why are apps being forced on us? I’m getting perturbed at the endless ‘I need the app to do x.’ I want to go to a ball game; I need an app. For [gosh] sake, I need an app to get into [my organization’s] new entry control gate. I don’t know if anyone vetted these apps. What if you don’t have a smartphone, or have a smartphone with an OS other than iOS or Android?”

I can relate to that. In December, I attended a college football game that likely had several senior government officials attending. Within my group, one person had to purchase six e-tickets and then share them with others via an app. Each person or subgroup had to download the app if they wanted an electronic copy of the ticket. We all had to enter the arena simultaneously so the one ticket holder could swipe through the e-tickets—less than convenient.

Who wrote the app code? Who assured the app was secure, or that it didn’t already have malware or a virus in it? After all, most off-the-shelf free apps are written with open-source or shared code. Governments of all levels like to host conferences and coordinate the agenda and events via a unique app for that conference. Not to put any crazy ideas in the bad guys’ heads, but if one knew that the event would be attended by senior US government officials and their families, why wouldn’t a malicious actor…well, you get the picture.

My friend continued, “If my phone is hacked and I lose the security code, who is responsible? Me, the app developer, or the organization that made me use the app?”

If a bad actor breaches the security gate, I guess that would be on the organization that forced him to use the app. But what if malware in the app leads to my friend’s personal email being breached or, worse, his online banking app being breached? I doubt the organization that insisted he use their security app will step up on those.

Let’s face it. Society is schizophrenic about this whole smartphone technology and cyber security situation. We want to have our technology, and we say we should be safe at the same time. But how often do we take the time to screen and determine whether or not the app we are loading is safely made? How often do organizations stop and think about the demand they place on users and customers to install an app?

Every month, I see another prominent medical report admitting that Americans of all ages are spending too much time on their electronic devices, leading to more stress and a deterioration of clear and critical thinking. A recent Forbes article stated that over 90% of users dislike adding apps and are likely to take out their frustrations on the requesting vendor.

Meanwhile, society demands a green environment, which would require us to use less energy. We can’t use less energy if we must always maintain a charged phone to utilize a litany of apps and access 5G networks.

So, here are a few recommendations on installing apps.

  1. Beware of anything free.
  2. Search for app reviews, especially of free apps, before installing them. Business Insider has thorough reviews of many apps by category. Apps like Avast antivirus and the Signal messaging app are free and have good security reviews. Large corporations should have the resources to ensure their apps have had a security review, but don’t take that for granted.
  3. If you download an app, enable automatic updates for that app so you always have the current software.
  4. If you must use an app for a specific event, delete it after the event immediately—no sense in leaving your attack surface open to a future vulnerability.
  5. If you think an app is superfluous or not helpful to the operation, inform the requiring vendor or organization that you don’t support it. They won’t change without feedback.
  6. If you are a vendor or organization that wants to develop an app, do your marketing research to see how your users will react to using it to do business with you.
  7. If you are a vendor or organization that determines it needs to deploy an app to its users, you have an ethical responsibility to your customers and members to ensure the app passes and maintains secure coding standards for its lifetime.

That’s all I have for now. Thanks for taking the time to read a rant about apps. I hope you found my first endeavor on the Loyalty Alliance helpful.

If nothing else, my friend and I feel better, but don’t get me started on QR codes 😉