How to Choose Secure Smartphone Applications?

Users have been increasingly depending on smartphone applications to get their daily tasks done. For years, the spread and the scale of the applications have been widening to the point that smartphones are being used more often than desktops. Smartphones are no longer limited to connecting people.

With privacy-violating practices by companies and governments spreading, hackers targeting smartphone users, and fake applications being used to trick and hack users, Masaar – Technology and Law Community presents this article with some advice to rely on when choosing smartphone applications.

1. Download Your Applications From Credible Sources Only

All smartphones enable users to download applications from places outside their official stores, by downloading them from websites and then installing them on the phone. Relying on this method is never recommended, as most stores apply precautionary measures related to the safety of applications, and applications are subject to these measures before they become available to users in the stores.

If you download an application from a non-credible source, it might contain malware or be fake. Some hackers use applications that look similar to famous ones, so that they can inject malware into users’ devices.

Official stores, such as Google Play and the App Store, and other credible open stores, such as F-Droid, can still host applications that contain malware or violate the privacy of users. However, relying on credible sources provides some important basic security measures that protect the safety and privacy of users, given the precautionary measures adopted by these stores.

2. Be Careful When It Comes to Permissions

When applications are downloaded on smartphones, whether their operating system is Android or iOS, the system asks for the user’s permission to use the resources of the device (for instance: camera, location, SMS, contacts, etc.). The user must be careful about the permissions the application requires, regardless of the application’s source. The user can follow two rules to deal with this:

One: Are These Permissions Really Necessary?

If we are downloading an application with a simple function, such as a flashlight, and the application asks for permission to access photos, contacts, or SMS, this means that the application is collecting data in violation of the privacy of users. Why would an application with such a function need access to contacts or SMS? However, if we’re downloading a chat application, it’s normal for it to ask for permission to access the camera in order to make video calls.
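The check described above can be automated for Android, where an application declares the permissions it requests in its `AndroidManifest.xml`. The following is an added example, not part of the original article; the sample manifest is constructed, and the `EXPECTED` table of what each kind of application plausibly needs is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the user resource they expose.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}

# Assumption for this example: resources each kind of app plausibly needs.
EXPECTED = {
    "flashlight": {"camera"},  # many flashlight apps drive the flash via the camera
    "chat": {"camera", "microphone", "contacts", "location", "photos"},
}

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml.strip())
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def unexpected_resources(manifest_xml, category):
    """Map each sensitive resource the category should not need to its permissions."""
    allowed = EXPECTED[category]
    flagged = {}
    for perm in requested_permissions(manifest_xml):
        resource = SENSITIVE.get(perm)
        if resource and resource not in allowed:
            flagged.setdefault(resource, []).append(perm)
    return flagged

if __name__ == "__main__":
    for res, perms in unexpected_resources(SAMPLE_MANIFEST, "flashlight").items():
        print(f"unexpected access to {res}: {', '.join(perms)}")
```

The same manifest judged as a chat application is flagged only for SMS access, which shows that the verdict depends on what the application is supposed to do.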

Two: Can Permissions be Controlled?

Smartphone operating systems have recently begun enabling users to control the permissions given to applications. This feature is very important when it comes to protecting the privacy and security of users. It can be relied on to limit the permissions, and the amount of data and information, used by applications. For example, some famous chat applications ask for permission to access location in order to enable the location-sharing function that can be used with the user’s contacts. However, this permission can be deactivated and then activated only when users want to share their location with one of their contacts. The same goes for other permissions, like giving chat applications access to the camera only when you’re taking a photo to send to one of your contacts, or when you’re making a video call.

3. Open-Source Applications Are Preferred

Not all the applications that are available for smartphones are open source. However, open source applications can be found for most of the major tasks users need. For example, we can easily find open source chat applications for texting and for making voice and video calls. We can also find text editing applications, photo and video editing applications, file sharing applications, etc.

Choosing open source applications provides a considerable amount of security and privacy protection, as these applications can be reviewed by programmers and digital security experts. Consequently, security issues can be discovered faster than in other software. Don’t think that not being a programmer makes you unable to benefit from open source. Even if you can’t read and understand code, someone else can; there are thousands of programmers who can review open source code and write reviews that get published on the internet. You can look for reviews of any software or mobile phone application on the internet, and you will find tens of reviews on the security and privacy of any application you want.

At this point, we can also look more closely at how open the application is, by posing and answering a series of questions and standards. If the application is entirely open, it means that its functions are performed by open source software. This includes the following:

  • The final application, used by users, is open source.
  • The application’s infrastructure is open source, including the software and systems operating the application’s servers.
  • Code libraries used by servers and the final application are open source.
  • The encryption standards, on which the application relies, are open source.

Users can easily rely on the information published on the website of the application in question to get the above-mentioned information. They can also get it from the many reviews provided by users, programmers, and digital security companies. All of this can easily be found on the internet.

4. Encryption-Using Software Is the Best

Encryption in smartphone applications is very important when it comes to the privacy and security of users, and it is applied across a wide range of application areas. At this point, we can mention a set of standards users can rely on to determine how effective the encryption is in the application they’re downloading and using:

  • Is the encryption protocol open source? As we’ve previously mentioned, the priority is for open source applications. Therefore, the encryption protocol must also be open source so that it can be reviewed by programmers and security experts, who can then discover any failures or gaps in the protocol.
  • Which encryption protocol is the application using? There are many encryption protocols, the most important of which is end-to-end encryption. If we’re looking for software through which we can chat or share files with other parties, end-to-end encryption will provide users with many benefits, the most important of which is preventing the application-developing company from knowing the content of exchanged messages or files.
  • Does data exchanged between users and application-operating servers get encrypted? Data is very often exchanged between users and application-operating servers, and therefore it must be encrypted while being transferred from the user to the server and vice versa. This feature is very important when it comes to protecting the security and privacy of users, especially in the face of man-in-the-middle attacks.
  • Does your application data get encrypted on your phone or on the servers of the application-developing company? Most applications save data and information on the user’s phone or the company’s servers. If it is not encrypted, this data will be easily obtainable and at risk in case the company’s servers are hacked or your phone is stolen.

Users can find answers to these questions by searching the internet for security reviews of the applications they want to use. Usually, users find a lot of available information about applications, especially the famous ones.

5. How Application-Developing Companies Handle Users’ Data

Applications collect a huge amount of data and information on users, and this is one of the biggest issues mobile phone users face in relation to protecting their privacy and digital security.

We find that most famous applications and games made for smartphones collect a huge amount of data that gets reused and analysed by the application-developing companies, or by third parties with which the data is shared, for purposes related to targeted advertising or trading with companies working in the field of data analysis. Very often, companies even share this data with governments as well.

Within that context, users must compare applications that do the same job. They can choose the applications that collect the least amount of data, and the application-developing companies that are transparent in announcing the mechanisms through which they handle users’ data and share it with third parties. Most likely, we will find various software options that provide some privacy protection and digital security for users.

6. Application-Policy Transparency

When we search for an application providing a certain service, in most cases we will find terms of use and a privacy policy. These policies clarify many things, among which are how the application-developing company handles the data collected on users; whether users’ data is shared with third parties; the legal limits the application is subject to that can affect the privacy of users; how transparent the application-developing company is about disclosing any security breaches in the application or the servers operating it; and its transparency in announcing data leaks if they happen.

We must take these policies very seriously: we need to read them, along with new updates. We can also use reviews provided by technology websites interested in security and privacy, which provide a lot of information that, in turn, makes it easy for us to understand these policies.

7. Application Security Reviews

Many companies, experts, and research centers specialised in digital security review applications and services, and issue reports explaining whether there’s a security weakness within the application’s structure, as well as warnings for users about security gaps that can be used by attackers. We recommend that users look for security reviews of the applications they want to use; they will find many reviews, especially of the famous ones.

8. How Far Employees Are Authorised to Access Users’ Data

This is one of the main reasons behind users’ data leaks. There are many incidents, published on news websites interested in technology, about employees causing data leaks, either deliberately or due to a lack of technical skills related to digital security. Therefore, we must give priority to applications that do not give their staff access to users’ data.

9. Frequency of Updates

Users must always update their applications, regularly and quickly. Updates are either made to add new functions and features to the application, or to fix security issues within the application.

Therefore, we must avoid applications that receive only a few updates or that haven’t been updated in a long time, as this indicates a lack of interest on the part of the company or the application developer in updating the security aspects. Updates are not only for the application itself, but also for the infrastructure operating the application and the operating systems of the servers on which it relies.

10. Third Party Role and Credibility

Smartphone application-development companies rely on other companies (third parties) to perform some tasks that include, but are not limited to, data analysis, advertising, or operating servers. The privacy and security of users can be affected if third parties don’t respect privacy, handle users’ data carelessly, or are subject to countries that violate privacy.

Therefore, users must know which data is shared with third parties, and the policies by which third parties handle users’ data. This can be achieved by searching the internet for reviews of applications, or by reviewing the policies published on the websites of third parties.

11. Laws, to Which the Application-Owning Company Is Subject

Laws regulating the Information and Communications Technology (ICT) sector affect the privacy and security provided by applications. Laws in some countries force companies to share users’ data with their security agencies. Some other countries ban encryption layers. Therefore, users must completely stay away from applications subject to countries known for their disrespect for privacy, like China for example.

12. Look Into the Reputation of the Developing Company

News about tech companies developing smartphone applications is all over the internet, and we can always check the news published about an application-developing company in order to get a general idea of its reputation.

Accordingly, we can, for example, avoid applications developed by companies found to be involved in violating the privacy of users, to have carelessly handled the security technicalities of their applications and services, or to have been involved in sharing data with third parties without getting the users’ approval.

13. Finally, Delete Unused Applications

Smartphones are usually filled with unused applications. We recommend deleting any application that we don’t constantly use, or that we have already stopped using, as most of these applications collect data on users even if they’re not used. Keeping these applications also increases the chances of data being leaked: the fewer applications there are, the lower the chances that data gets collected and leaked, and the fewer security gaps exist.