Should You Fully Trust Mobile Applications in the App Stores?

Don Tan, Senior Director APAC at Lookout

Tablets and smartphones enable us to have the world at our fingertips. The global smartphone market is set to continue its strong growth, and the trend for Singapore is no different. According to data from GSMA Intelligence, cellular mobile connections in Singapore this year have already reached 8.7 million, far outpacing its population as of a 2020 census. As new mobile applications become more readily available, there are great opportunities but also risks, and tech literacy, particularly on device security, is crucial to digital transformation.

While many of these mobile applications enrich our lives, some can be incredibly dangerous — both intentionally and unintentionally. In fact, hundreds of malicious apps are downloaded every day, containing malware and vulnerabilities that expose our most sensitive and personal data. Recently, the emergence of SharkBot — an advanced banking malware technique which is ostensibly not related to previously known Android banking malware — has set off alarm bells.

In Singapore, the official Digital Readiness Survey 2021 found that the population is generally more aware of and able to execute digital tasks compared to two years ago. However, while over 70 percent were able to complete tasks involving accessing utilities and carrying out online transactions, considerably fewer, 61 percent, were able to perform the tasks listed under the cybersecurity category.

Furthermore, while 78 percent had activated two-factor authentication for online accounts and 77 percent could successfully spot phishing attempts, only 67 percent in the survey had installed antivirus software on their electronic devices.

Which apps are trustworthy?

When looking at the trustworthiness of apps, you will need to consider two kinds of apps: official apps and third-party apps. Official apps are developed by the device manufacturers and are native to operating systems like iOS or Android, while third-party apps are not. It can be argued that official apps, sometimes referred to as ‘first-party apps’, are typically trustworthy.

The risks are somewhat mitigated on the Apple App Store and Google Play, thanks to checks that filter out malicious apps, keeping the actual percentage of untrustworthy apps reasonably low.

However, third-party apps downloaded from unofficial app stores with less stringent regulations are less trustworthy. For example, they can demand that users connect to another service in order to access profile details, such as connecting to a user’s Facebook. These apps pose risks by gaining access to users’ sensitive information, which can then be used to create duplicate accounts, steal identities, hack other accounts, as well as obtain sensitive images or videos.

Unfortunately, when the pandemic hit, the use of third-party apps increased as the general population became more dependent on mobile technology. Third-party apps can also be extremely appealing to users as they usually offer more features than those found on official app stores and are typically free.

At the onset of COVID-19, the Singapore government issued a security warning alerting Singaporeans to ensure they downloaded the official contact tracing app, TraceTogether. Android users were urged to install the contact tracing app only from the Google Play Store, after rogue Android application packages were found impersonating TraceTogether.

Securing the Office Environment from Malicious Apps

With the rise in malware and exploitation of vulnerabilities and permissions, mobile devices have become a hotbed for cyber activity and threaten both individuals and organisations. As many of us continue to use these devices for both personal and work purposes, mobile security becomes critical.

As organisations strive for greater productivity while empowering employees to work from wherever, whenever and with any device, IT teams are struggling to protect organisations amid a rapidly expanding threat surface. It is clear that organisations can no longer sit idly while there is a disconnect between mobile protection and their wider security strategies.

Users must begin to prioritise securing their devices personally, while organisations must focus on patching vulnerabilities, securing devices in the manufacturing stages, and keeping a close eye on the software and apps available on devices.

How to stay safe while using mobile applications

Use official app stores and apps: Where possible, only download apps from official app stores, such as the Apple App Store and the Google Play store. However, malicious third-party apps still exist in official stores. Before downloading any app, users should do their due diligence: research the app online and look for reviews from other users and other trusted sources.

Keep your device up-to-date: If a user has downloaded a malicious app, they should try to prevent any damage the app can do. Keep devices up to date regularly and restart them weekly to ensure all security updates and patches are automatically installed. Platform owners and app developers are constantly patching out vulnerabilities, which means keeping both a mobile device’s operating system and all its apps up to date provides two barriers for extra levels of security.

Download security software: Dedicated mobile security should also be deployed to ensure no gaps are left for attackers to exploit. With breaches happening all the time, we are constantly bombarded by phishing attacks. Mobile users are advised to download anti-phishing software that protects them from phishing attacks coming from all channels, such as SMS, email, text messages, apps and web pages.

In a hyper-connected world, devices are essential to our professional and personal lives. At the same time, the sophistication and relentlessness of cyberattacks threaten our collective digital future. To utilise the benefits and unlock the opportunities presented by digital innovations, implementing strategies to mitigate the risks is vital.