Do NOT authorize APPS to do whatever they want on your smart phone
Four weeks ago I was attending a presentation about the deployment of SW for business processes, given by a serious SW vendor with great knowledge of the SW they deliver. The company provided an APP ready to download for iPhone and Android and kindly requested the participants to use that app for all questions, tweets, agenda, and survey questionnaire. A great idea of course when it comes to green IT and faster/cheaper/better data collection and analysis. During the installation process I found that the APP requires authorization for almost all existing privileges, including the phone contact directory, phone dialling, complete Internet communication, and HW control, among other privileges. I am pretty sure that the process SW was not intentionally trying to get access to all available services and data on the customers' smart mobiles (well, if they did then they should be out of business in zero time) but they are unintentionally causing an insecure environment on their customers' smart phones.
I saw a medical doctor use his work smart phone as a torch, using an app to light up his patient's mouth and look for suspicious mouth/throat diseases. An excellent idea: an easy-to-use smart phone instead of carrying another tool, a pocket torch, while examining patients. I was a bit curious about these torches and found the following about one of the free torch apps.
The Tiny flashlight is just an example to show how much privilege a smart phone app could require, and to ask whether the user is really aware of how much the “attack surface” increases after installation of an app like this flashlight.
- 100 000 000+ downloads
- Application authorizations:
  - System tools
  - Complete network access
  - A HW controller: take photos, record videos, …
  - Phone call, status and identity, calling number, phone ID
  - Show network connections
  - Another HW controller: flash light and steering the vibrations, …
The only step is to click on APPROVE.
I am pretty sure that most people move forward and just click on approve, but the question is how much the smart phone is exposed to attacks, data leakage/theft, control of HW, etc. The question is what the real business case for the app developer is when this free app gets access to almost anything on the smart phone.
Guess if I approved the installation of this APP on my smart phone.
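
One way to check for the kind of over-request described above, as an added example that is not part of the original post: it reads a decoded AndroidManifest.xml and lists every permission beyond what the app's stated function needs. The sample manifest, the package name, the mapping of the post's permission categories to Android permission names, and the expected set for a torch are all assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample (not any real app's manifest); the permission names are
# an assumed mapping of the categories listed in the post.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Assumption: a torch only needs to drive the camera LED.
EXPECTED_FOR_TORCH = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# What each extra grant exposes, for the reviewer's report.
EXPOSURE = {
    "android.permission.INTERNET": "can send data off the device",
    "android.permission.ACCESS_NETWORK_STATE": "can see network connections",
    "android.permission.READ_PHONE_STATE": "can read phone status and identity",
    "android.permission.VIBRATE": "can control the vibrator",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:  # skip malformed entries with no android:name
                names.add(name)
    return names

def excess_permissions(manifest_xml, expected):
    """Permissions requested beyond what the app's function needs, sorted."""
    return sorted(requested_permissions(manifest_xml) - set(expected))

def report(manifest_xml, expected):
    """One line per excess permission with a short exposure note."""
    return [f"{p}: {EXPOSURE.get(p, 'review manually')}"
            for p in excess_permissions(manifest_xml, expected)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MANIFEST, EXPECTED_FOR_TORCH)))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before this check can read it.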