Security in the age of smartphone apps
Updated: 11 Mar 2016, 01:46 AM IST
Safety and security in the consumer devices space will, to a significant extent, depend on alert human intervention and action
Information security threats can be classified into three key types: confidentiality—end point threats, which most companies focus on solving; availability—denial of service threat, similar to the recent power grid outage in Ukraine and Israel; and integrity—assessment of compromise of network, systems, software and data, and identification of unauthorized elements on the network.
The cybersecurity industry is highly focused on the confidentiality threat, and most of the solutions available in the industry currently target solving this threat by “encrypting everything”. The other two types of threats do not get the attention needed.
While there are sophisticated technology-based security breaches at the enterprise level, the technology that is fast proliferating into the consumer space, such as smartphones, also has potential vulnerabilities. In the domain of smartphone apps, banking and payment apps have the personal banking and financial details of the user linked to them and hence the device needs to be fortified against potential security breaches, data leaks, misuse and loss of money.
From a potential security threat perspective, banking apps on smartphones are relatively safe as they do not store the user's login credentials in the app or on the device, and they log the user out automatically after an idle timeout. Although entering the login credentials for every sign-in is a minor inconvenience from the user experience point of view, it ensures safety for the bank transaction on the smartphone.
On the other hand, mobile wallet and payment apps store the credit and debit card details and login credentials of the user during the time of registration so that the user can easily launch, access and pay for the services with the least possible clicks. Various e-commerce marketplaces, taxi-hailing and other utility apps, which integrate these payment and wallet apps, have similar functionality and low levels of security.
These apps prioritize “ease of use” over security, as it ensures faster and higher adoption, and repeat usage of the apps by the consumers. And since most of these apps are developed by young start-ups whose company valuations are directly linked to exponential growth, their focus is almost primarily on user experience. The risk of misuse and potential loss of money for the consumer, especially upon loss or theft of the smartphone, is higher through mobile payment and wallet apps as compared with banking apps.
Apart from design-based security threats and data leaks through malware, we also have spy and tracking apps (such as mSpy, a global tracking paid app, and India’s home-grown free app, Tracking Smartphones) that have the ability to be hidden, register every keystroke on the device and present the data, segmented by usage and app, to potential hackers and other users. Such apps, too, pose a serious threat in the smartphone space.
So what should users do? Most of these security vulnerabilities, threats and data leaks can be thwarted by alert and disciplined end-users. Using a PIN and pattern-locking the device, regularly cleaning the junk folders in the smartphone, and factory-resetting the device every time a used smartphone is handed over to a family member or a friend—or sold in the second-hand market—could potentially reduce the security risks to a significant extent.
Going forward, as biometric sensors such as fingerprint scanners and iris/eye scanners (coupled with depth-sensing cameras and robust facial recognition software) become commonplace and proliferate to the level of mass-market smartphones, the security features in the devices could be technologically developed to be stronger.
Having said that, safety and security in the consumer devices space will, to a significant extent, depend on alert human intervention and action. And, currently, technology is proliferating at a much faster pace as compared to the rate at which an average end-consumer of technology can be adequately educated.
The author is partner of analyst and advisory firm Convergence Catalyst.