Lesson 4: Apps, apps, and more apps!

“I keep hearing about apps. Apps for this. Apps for that. Seems like there’s an app for almost everything! But what actually are apps? Are they safe? And where can I download them from?”

Depending on your smartphone or tablet of choice, you’ll most likely want to hook it up to the Internet and download as many apps as you can as soon as you’ve powered it up. What’s a smartphone without apps, after all?

But wait just a moment – how do you know that the apps you’re after are safe to download?

Apps 101

Let’s get to grips with what an app actually is. First, let’s get this straight. Apps are nothing new. Google’s successful Apps suite of online services which include webmail, calendars, etc. first saw the light of day in 2002. However lately, the term has been hijacked by Apple’s marketing machine and has become synonymous with the programs that run on Apple’s iPhone, iPad, and iPod touch. When we refer to apps in this eBook, we mean mobile apps in general. In other words, we’re referring to apps that run on a wide variety of smartphones and tablet devices and not specifically iPhone apps.

Put simply, an app is a smartphone or tablet application that does something. As the shortened name implies, apps typically have less functionality than the ‘grown up’ applications that run on desktop computers or laptops. For example, an email app running on a smartphone might allow you to send and receive email (as you might expect) and even create folders so that you can move and organize your mail neatly, but it probably won’t provide you with the advanced features found in a desktop email application such as rules and smart folders which enable you to organize your mail to an even greater degree.

So apps usually take the form of ‘cut down’ versions of the more mature desktop applications.

What types of apps are there?

There is a wide, and growing, spectrum of apps available. Some apps are pretty cool, some are pretty useful, and some are pretty useless (unless ‘farting’ apps are a must-have for you). Some apps are just pretty. And, of course, some apps have been hit with the ugly stick. But mixed among them are apps that are out to get your data, snoop in your private affairs, and generally stick their digital noses where they have no business sticking them.

For example a while back a programmer produced an app that promised to give the user an exclusive sneak peek at the (as yet unreleased) latest Twilight movie. (For those of you who have been living in a cave recently, Twilight is an extremely successful series of vampire novels that have been turned into movies). Understandably, many Android users rushed to download the app in order to get the exclusives on the new movie before anyone else. Unfortunately for them, the app wasn’t all that it seemed; after being installed, the app would send the user’s contact details to an address on the Internet where the programmer was then able to retrieve it. Contact information is a mine of useful data for identity thieves – by viewing the contacts of a business user for example, they can see prospective and current clients, suppliers and other sensitive data.

Now – during the installation of that app, it requested access to the user’s contacts. Alarm bells should have started ringing for the users at that point: why would a movie sneak-peek app need access to the contact details of their friends and relatives? For those who declined the app’s request to access their contacts, their information stayed safe.

However, those who granted the app the permissions it requested may as well have said goodbye to their data: the app was able to send that information to the developer as soon as it was launched.
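The check the text is urging users to make by eye (does this app really need what it is asking for?) can be written down. The following is an added illustration, not code from the eBook: it parses a constructed AndroidManifest.xml fragment for a fictional movie-preview app, lists the permissions it requests, flags any sensitive ones that the app’s stated purpose does not justify, and notes whether the app also has network access (the combination that lets data leave the device). The permission names are real Android identifiers; the sensitivity grouping, the sample manifest, and the package name are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in every Android manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose personal data or device sensors. The identifiers are
# real Android permission names; this particular grouping is our own choice.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "read your contact list",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.READ_CALL_LOG": "read your call history",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
    "android.permission.RECORD_AUDIO": "turn on the microphone",
    "android.permission.CAMERA": "use the camera",
}

# Constructed manifest fragment standing in for a 'movie preview' style app
# (hypothetical package name). It asks for the network and for contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.moviepreview">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Movie Preview"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def flag_suspicious(permissions, needed):
    """Sensitive permissions the app requests that its purpose does not require.

    `needed` is the set of permissions you would expect for what the app
    claims to do; for a video sneak-peek that is nothing beyond the network.
    """
    return {
        p: SENSITIVE_PERMISSIONS[p]
        for p in permissions
        if p in SENSITIVE_PERMISSIONS and p not in needed
    }


def exfiltration_possible(permissions, flagged):
    """Unjustified data access only becomes leakage if the app can reach the network."""
    return bool(flagged) and "android.permission.INTERNET" in permissions


if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    flagged = flag_suspicious(perms, needed=set())
    for perm, what in flagged.items():
        print(f"Why does a movie-preview app need to {what}? ({perm})")
    if exfiltration_possible(perms, flagged):
        print("It also has network access, so that data can be sent off the device.")
```

On a real device the same information is shown in the permission prompt at install time; the point of writing it as code is to make the decision rule explicit: a sensitive permission plus network access, with no reason for either in what the app claims to do, is the pattern the Twilight app showed.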

Being smart in your choice of apps and the way in which you use them will pay dividends. Being ignorant in your choice of apps and the way in which you use them will also pay dividends! Unfortunately, those dividends won’t be for you; the individuals who write these apps are the ones that will benefit, mainly at your cost.

There are a lot of apps available in a lot of different genres. Here are some of the more popular types:

These are just top-level categories to give you an example; there are many more sub-categories available, all crammed with apps. But notice none of the categories are called Bad or Dangerous. (And no, I'm not referring to Michael Jackson albums here). App stores typically list and organise the apps they sell via these top-level categories.

What’s an App store?

Before Apple introduced the iPhone back in 2007, the concept of an App store as we know it today didn’t really exist. Prior to the iPhone, if you had a smartphone and you wanted to install a program onto it, you had to visit the software developer’s website, purchase the program, download it to your computer, and then transfer it to your device. Because App Stores provide a central place to obtain your apps from, they’re a good thing. From a security point of view, App stores generally give you the following:

Users download a lot of apps – for example, in early December 2011, the Android store reached the milestone of 10 billion downloads. Apple announced 15 billion downloads in July 2011 – staggering amounts. Amazingly, the pace is increasing, and by the second half of 2012 Android is expected to have overtaken iOS in terms of app downloads.

Reviews

To re-iterate the point made above, before you download and install an app, it’s a good idea to see if that app has any reviews and then make your decision based on them. Reviews are typically performed by people who have purchased the app so in most instances they are extremely useful. In fact, reviews are probably the single most important indicator when it comes to deciding what app you’re going to put on your device next. Not only will reviews tell you if the app you’re planning on downloading stinks, many will highlight any security concerns that the app may have.

Should I only get apps from an App store?

This will depend on your smartphone or tablet. But in a word, yes. Apps that you install to your device should always come from trusted sources and App stores are a good bet because many of the apps on the store have been through a vetting process. Following on from the success of Apple’s App store for its iPhone and other iOS devices, (iPod touch and iPad), many other companies have created their own App stores through which users of their devices can purchase apps. For example, Google have the Android Market which allows users of Android OS devices to obtain apps, Palm have the App Catalog, Microsoft has the Windows Marketplace, RIM has the BlackBerry App World, etc.

All smartphone or tablet vendors want their users to have a great experience while using their devices, and so the vendors try as much as possible to ensure that their App stores are easy to use and, more importantly, safe. This means that in most situations, the apps that you download will be safe. Note that I say most situations. More on this later.

The concept of an App store where users can easily obtain apps is, therefore, well proven and established so it makes sense that you should purchase your apps from an App store. Indeed, with some platforms, the App store is the only officially sanctioned way to get apps onto your device.

For example, Apple’s App store app comes pre-installed on every single iPhone, iPod touch or iPad sold by the company and is the officially sanctioned way of getting apps onto one of these devices (the App Store can also be accessed via iTunes running on a Mac or PC).

What’s a web app?

There are two main types of app: Web apps and Native apps.

Native apps are the types we’ve mentioned above and are the most common type. A native app is an app that has been written specifically to run on a particular device. For example, a native iPhone app will only run on an iPhone - if you attempt to run it on another device it simply won’t work. With a native app, the app is downloaded and stored permanently on the device, meaning that it’s available for use at all times – even if there is no Internet connectivity.

Web apps are different. A web app is not downloaded or stored on the device, meaning that without an Internet connection, it is not possible to run the app.

Web apps are essentially websites which have been designed to mimic, or emulate, a native app in look and feel. As the web app is really a website, whenever you want to run the web app, you access it via the web browser on the device. An advantage of this approach is that most smartphones or tablets can access the web app, regardless of the OS, hardware, or firmware being used on the particular device.

A disadvantage is that many attacks carried out on users are achieved through bad websites. The bad guys set up a website which looks for weak spots in the user’s browser, so when the user browses to the site, code is executed that tries to find ‘exploits’ or ways that the bad guys can access data on your device without you knowing.

In addition, the bad guys can ‘compromise’ a legitimate site. That is, they will hack the website and install their programs without the website owner realising. Again, when a user browses to the website, the bad guys’ code is run in an attempt to gain access to the computer browsing the website. Some users may suspect something is wrong and try to browse to another site – but nine times out of ten the damage has already been done and the device is already compromised.

As a web app is simply a website, be aware that it can be compromised in the same way. If the website has an official native app, use that instead of the web app to minimise the potential of your device being compromised.

Malicious Apps

In addition to the native apps and web apps described above, the bad guys have found that they can peddle bad native apps with surprising ease. These bad (or malicious) apps typically take the form of a Trojan horse. A Trojan horse is, like the ancient Greek fable, something that purports to do one thing when, in reality, it aims to do something completely different. For example, a Trojan app may appear to be a game and, when downloaded, it may actually provide you with a basic game experience. As the experience will very likely be poor, you’ll remove the game shortly after and subsequently think little of it.

However, unknown to you, the Trojan code will have already been run and performed a number of different actions. For example:

It goes without saying then that malicious apps – known collectively as ‘malware’ - are precisely the types of app that you do not want installed on your smartphone. Some malware even has the ability to remotely control your device – enabling the camera or turning on the microphone in order to take pictures or listen to your conversations. Commercial software is now available that allows hackers to quickly and easily monitor your phone conversations as well as your email conversations, read your messages, and even determine the room you are sitting in. And in most situations, you won’t even know it’s installed.

Worryingly, in the first half of 2011 malware on smartphones rose by over 30 percent. However, as most computer security experts will tell you, the average user is oblivious to this fact and simply isn’t concerned by smartphone malware and its threats, mainly because they have no idea what malware is and what it can do.

Droid Dream

In March 2011, the bad guys uploaded 21 different malicious apps to Google’s Android store. Over the next four days, those malicious apps were downloaded by unsuspecting users over 50,000 times!

The apps contained a Trojan that stole personal information from the user’s phone such as their credit card info and address contact details. In addition, the app installed other malicious apps onto the user’s phone without them knowing. This attack – known as the ‘Droid Dream attack’ – left many users exposed to identity theft as well as financial theft.

The Droid Dream attack is just one example of a malware attack on smartphones. This type of attack is on the increase and will only get worse in 2012 and beyond.

The Big Red Button

Apple came in for some criticism when they announced that they were implementing a "Big Red Button" for apps sold on their App store.

Essentially, this meant that they had the power to remotely remove any dodgy apps from everyone’s iPhone, iPod touch, and iPad, whenever they felt a need to. The idea being that if the bad guys managed to upload a malicious app to the App store and users managed to download it, Apple would be able to automatically remove the app from every iPhone/iPod touch/iPad that had installed it the next time that device went online.

Critics cried foul and stated that Apple was taking things a bit too far with this ability to remotely wipe apps that the user had paid for.

However, security-aware folk applauded the decision as it showed that Apple had thought seriously about security on the iPhone. But not only had they thought seriously about it, they had decided to implement an elegant solution to a potentially serious problem.

Google implemented a similar Big Red Button that, too, gave them the ability to remotely kill any errant apps that decided to do dodgy things on their users’ Android devices, and they were forced to use this feature after the Droid Dream attack took place – the app was automatically removed from any affected Android device the next time it went online, helping to minimize the effects of the attack.

What not to do: