This particular list is due to the seriousness of mobile security testing which is a grossly overlooked and ignored area and probably one of the if not the most important. As I predicted in my 2014 article “Security Testing for Critical for 2015” – security is still in it’s infant stages. Seems we are still in the reactive mode instead of the proactive mode. Security criteria for apps on all the platforms to be added to store is minimal at best. Back in late 2014-2015 myself and the QA Conspirators took on the top 25 Hottest Mobile Startup Apps and decided to test them ourselves. I was flabbergasted at each install being “told” the app would need to access my files/media/contacts/location etc. Each app that “required access to any of my personal information at install” I relayed to the team the app was a failure in my book. Previously when you downloaded an app on android it would allow you to deny access to those areas and others it wanted to access but still it would install at least. It should be the users choice when to allows access to contact info or pictures/media and many apps need that for their specific use (messaging – posting pics on social apps).
Many of the huge social media apps have absolute access to everything – but in their defense you should never have an expectation of privacy from a free product/service/app they need to make money one way or another. But any product/service/app that you are paying for (LinkedIn – Facebook etc) you should have the expectation of privacy. Back in mid 2013 I learned Facebook had changed their privacy policy and was tracking your movements while logged in to the site. I immediately deleted my account and just prior to that posted the new security/privacy policy on Facebook and LinkedIn.
Then came the “free” private secure messaging apps who advertised using their app with the illusion of subtle scare tactic that the ones you were using that came usually stock on your phone through your paid provider were not secure. We tested WIPER and we checked against their claims of instant wiping of your test or pictures occurred on both devices communicating. It is actually fun to use and we also verified that the messaging and free phone calls were truly encrypted – we even tested the free encrypted international calls. They are a small team of less than 10 and with little funding developed one of the most secure and feature loaded (see the list includes music as well) apps I’ve ever used and I have been testing mobile apps since 2009 averaging 20/30 new ones weekly. And unfortunately Wiper (although I still have it on my phone) appears to be closed so they can focus on the next level app called Fresh Team. I have not looked at it yet but encourage you to try it out.
I am going to use Snapchat as my example of why consumers need to be aware that ignoring privacy policies or not understanding them even from companies whose premise was to protect your security and privacy.Ii think the first indicator that Snapchat was changing occurred when it was learned that the “disappearing pictures” were in fact not deleted and still on the server and subsequent privacy lawsuits followed. Shortly thereafter Snapchat quietly revised the privacy policy and let’s be honest who reads EULAs and privacy policies anyway? So I located an article from Business Insider and I am going to highlight what this particular social media app knows about you. The article is titled “Here is everything Snapchat knows about you”
**Users will be surprised to learn that unless they spend time in the app’s settings revoking Snapchat’s various privileges, Snapchat can end up knowing pretty much everything about you — your name, your exact location right now, who your friends are, and when you message them.
You don’t give your name to Snapchat when you sign up for the app, but Snapchat knows it anyway, the new policy says. The company collects this data because it’s useful for advertisers, the privacy policy says.
Most people use Snapchat because they like the way messages are instantly deleted, and it feels more private and secure than using regular text messages on your phone. But it’s actually not very anonymous at all.
It’s important to state that users can revoke many of Snapchat’s permissions if they want to. But doing so will stop some of the functions in the app. They can also delete the app. But even then, Snapchat keeps some of your data for a period, the policy says.
Social Media and Apps “Stealing” Your Information – Mobile Security Test Tools |
Here’s a list of the data Snapchat has on you:
• Your contact list. You didn’t give the app your name, and in the Snapchat world you’re just “Cuddlybear78,” or whatever. But Snapchat does get the names of contacts in your phone. And that means Snapchat will have your name from the contact list of anyone else you communicate with on Snapchat. You can revoke this permission in the app’s settings.
• Your name. The company admits it trawls contact lists in a separate entry in its privacy policy about the information it collects on you from “other sources”: “If another user allows us to collect information from his or her device phone book—and you’re one of that user’s contacts—we may combine the information we collect from that user’s phone book with other information we have collected about you. We may also obtain information from other sources and combine that with the information we collect through Snapchat.”
• Your photos. “Because Snapchat is all about communicating with friends, we may—with your consent—collect information from your device’s phonebook and photos,” the policy says.
• Your location. Snapchat tracks your real life location via “beacons.” Beacons are favored by Apple and its iBeacon system. Most people aren’t aware thee things even exist yet. Beacons send out a low-range Bluetooth signal that can ping your phone as you walk by. Retailers like them because the can tracks shoppers in stores. Any app such as Snapchat will then be able to know exactly when and where you are, down to a few feet. You can switch this off. (Again, you can revoke this in the settings.)
• Your web browsing history. Snapchat has permission to track you with cookies. Most people know that cookies are used to track your history as you browse the web, particularly on Android phones.
• Snapchat shares data that may be useful to advertisers with Flurry, the mobile ad company now owned by Yahoo. This data is anonymous and aggregated, and frankly you shouldn’t worry too much about it. Just be aware that Snapchat is just like any other digital ad media company — it’s not some super-secure anonymous service.
• Your email address.
• Your debit/credit card number (if you use Snapcash).
• Your card’s “associated account information,” which probably means your name and address.
• Everything about the “snaps” (messages) you send to othersexcept what is in them: “time, date, sender, recipient of a message, the number of messages you exchange with your friends, which friends you exchange messages with the most, and your interactions with messages (such as when you open a message or capture a screenshot).”
• The type of phone you use and a unique code that identifies it.
• Even if you delete your account, “keep in mind that we may retain certain information in backup for a limited period of time or as required by law,” Snapchat says.
Now it is their right to do so – it is a free service unfortunately it is deceptive due to the origin of the app. How can you find out what these free apps are collecting from you, your device, your location, your accounts, your emails, your pictures etc? And what tools can you use to protect your mobile experience and check against security flaws and exploits from apps on your device. Back in 2011 there was another excellent app called Red Phone and Text Secure that was the only truly encrypted messaging and encrypted phone calls – I tested it out and it was amazing and much to my dismay (but not my surprise) learned in 2015 they were being rolled into one app called Signal by Open Whisper.
If you are concerned about Facebook privacy and security there are a few social media sites that claim to protect the users and will not advertise/track/sell your information – Ello.com and the new Anonymous group site Minds.com, Path.com for Businesses yammer.com or create your own private social network with Digitaldm.com.
If you want a replacement for Snapchat there is a few Path Talk, Wickr Me, SureSpot encrypted messenger, TigerText (now for businesses only) GiGi, ViPole Secure Messenger, Threema, Nxttym, Confide, Randid, Whisper and dozens more. But how do you know if you are really secure, just because they claim it is we’ve learned doesn’t mean a thing and the app stores do very little to validate security on the apps.
Here is the initial list of tools and I am going to keep this fairly brief (due to my last post not publishing) and will expand on it when BeQuiker.com is developed enough to publish all the lists.
Clueful Privacy Advisor (web app for iOS and native app for Android)
Clueful is a free app that shows you how the apps you have installed on your smartphone use your personal information. It checks what apps are doing in the background without your knowledge and gives your device a “Privacy Score” with information on which apps are compromising your privacy. Clueful continually checks apps against Bitdefender’s database of verified apps, and lets you search for apps to find out how they use your data before you even download them. – Tested this out myself and was happy to see I had 0 High Risk Apps and an excellent privacy score not bad for having almost 300 apps on my phone.
CitizenMe (iOS with Android)
CitizenMe enables you to check the privacy and service policies of a variety of popular apps installed on your phone with the app highlighting parts that are controversial or otherwise concerning. CitizenMe displays each app’s icon in a specific color with policies that are good for the user earning an app a green circle, apps with policies that are not good for users showing up in red, and policies that fall somewhere in between signaled with a yellow icon. The app can also gauge the personality that you project on each social network, explaining how Facebook, as an example, perceives you (and targets adds to you).
Disconnect Mobile (iOS)
Disconnect is a privacy app that actively blocks major mobile trackers that want to monitor your activity as you use an app or a mobile browser. It blocks “the biggest” mobile trackers from collecting your information, blocks ads from more than 2,500 ad tracking services, and blocks thousands of websites that are suspected of malware, spyware, and phishing scams. (While the same app isn’t available for Android, Disconnect does offer a Disconnect Search and Secure Wireless apps on the Google Play Store.)
eWallet (iOS and Android)
eWallet is a password manager and “secure storage database wallet” that locks your passwords, credit cards, and bank account numbers behind what it describes as “military-grade encryption.” Its 256-bit AES encryption protects your information, and the app includes added security with an auto-lock feature. Users can sync their information between devices — even from an iPhone to a Windows PC. eWallet also has a built-in password generator, an AutoPass feature to easily log into websites, and the ability to add a note to each card where passwords and numbers are stored.
Ghostery (iOS and Firefox for Android)
Ghostery helps you to protect your privacy by showing you what it refers to as “the ‘invisible’ web,” which encompasses the “trackers, web bugs, pixels, and beacons placed on web pages by Facebook, Google, and over 500 other ad networks, behavioral data providers, web publishers — all companies interested in your activity.” The app lets you learn more about each company, and provides you with links to privacy policies and opt-out options. You can also choose to send anonymous information to Ghostery so it can create a comprehensive list of trackers,
LastPass (iOS and Android)
LastPass is a password manager that securely syncs your passwords across all of your browsers and devices. It saves your passwords and gives you secure access to them on your computer or your smartphone, and you only need to remember your LastPass password, since LastPass can automatically fill in all of your logins for you whenever you need them. LastPass can also securely store your memberships, credit cards, and other personal information, and share logins with your friends or family when necessary
SurfEasy VPN (iOS and Android)
SurfEasy VPN protects your privacy with 500 mb of free VPN service each month. It protects the security of your smartphone on WiFi hotspots, prevents ad tracking, and encrypts all of the data coming in and out of your phone. SurfEasy enables you to browse anonymously, mask your IP address and location, access blocked websites from anywhere, including unblocking Facebook, SnapChat, Instagram, Twitter, YouTube, Skype, and others on networks that block them. You can earn more data by referring friends or adding more devices to your account, or upgrade to a premium, unlimited subscription
Orfox /Tor Browser – Android
Orfox is built from the same source code as Tor Browser (which is built upon Firefox), but with a few minor modifications to the privacy enhancing features to make them compatible with Firefox for Android and the Android operating system. Orfox REQUIRES Orbot app for Android to connect to the Tor network.
Private Calculator Plus (iOS) and Smart Hide Calculator (Android) Calculator Vault – Gallery Lock (Android)
Private Calculator Plus looks like (and is useful as) a regular calculator until you type in your password. Then, it turns into a private storage space where you can securely store photos, videos, notes, files, contacts, passwords, and bookmarks. It also functions as a private mobile browser, which won’t save your history. With the file manager, you can transfer files from a Windows PC or a Mac, and easily export photos or videos. Private Calculator Plus also features four different kinds of locks, and break-in reports. Smart Hide Calculator for Android is similar
F-Secure AV Test TEST SAFELY THAT YOUR ANTIVIRUS APP WORKS. (Android)
This app is designed to safely test that your antivirus product detects viruses and other harmful applications. It is based on the security industry standard test file recommended by European Institute for Computer Anti-Virus Research (EICAR) for testing antivirus software. The app is completely harmless. F-Secure Freedome VPN is an online privacy and security app that combines the most powerful features of our award-winning security. Anti-malware. Anti-Phishing. Anti-Spying. Anti-Tracking. VPN. It’s always up-to-date via the cloud. Try App security in F-Secure Freedome VPN and test how it catches viruses. App security is free to all users
MASTS is Mobile Application Security Testing Suite; a complete suite and innovation into testing Android based mobile applications.
As mobile devices and its technology is on a rise, it has become a crucial need and high importance to not only secure the device itself but the applications running on the device too from possible threats and vulnerabilities. Considering all the factors of mobile device security and application security, MASTS comes into picture which simulates the penetration testing or simply security testing of mobile application
BitDefender (Android)
The most advanced cybersecurity app for Android gives your devices absolute protection against internet threats and data snoopers. According to AV-TEST, the independent IT-Security Institute, Bitdefender Mobile Security is the Best Android Security Product of 2015!
App Scanner (Android)
App Scanner helps you scan your android application to find out all the components vulnerable to attacks like, Intent Spoofing, Eavesdropping and Man in middle attacks. It also helps you identify all the Permissions used in an app and the Certificate used to sign the app
Location Privacy (Android)
• Three privacy settings (minimum, medium, maximum) that monitor settings, replace real location, and randomize movement to enhance privacy
• Scans applications on your device and reports those that use your location with context menu convenience functions
• Provides a status view of your “current” location and the policies in force
• Runs as a resident service that always watches for location leakage
• Easy unmasking to use real location when you need it (e.g. simply tap the PlaceMask to start and stop)
• Remote control through SMS to start or stop service (e.g. for use with Phone Finders)
Would love to here from you...