Security Guide: When To Actually Deny Mobile App Permissions

When downloading new computer software or a mobile app, or asking to join a new network, do you click or tap “Agree” to the permissions without having read a word of them? For all you know, you could very well have just agreed to sacrifice your first born to the technology gods.

In 2014, London-based security firm F-Secure supported an experiment called the “Herod Clause.” The experiment was meant to show that few people actually read the terms and conditions before hitting agree to connect to a wifi hotspot. To use the wifi hotspot in some of London’s most populated districts, users had to agree to give up their first born. The terms and conditions stated in plain sight that users could only get access to the hotspot if “the recipient agreed to assign their first born child to [F-Secure] for the duration of eternity.” As it happens, blissfully unaware users agreed to give up their first born for free internet.

The point of the experiment, according to the Cyber Security Institute, was to show that people just assumed there weren’t security issues written in the contract.

How many times have you mindlessly tapped “Agree”? How frequently have software and mobile downloads asked for access to your contact list, microphone, and webcam? It seems to be the new norm, but is it safe? What are the cyber security risks that come with downloading willy-nilly?

Read Before You Click Or Tap

If you’re like a lot of people, you’ve probably downloaded Spotify, Facebook Messenger and Netflix on your devices. You trust the companies that run the apps, and so do your employees. Unbeknownst to you, a couple of your employees may have downloaded music, video, and other media apps to the company laptops, granting complete access to the company’s contact list, microphone, and webcams. Most of the time, users are given the option to deny these permissions and can change them in settings later if they should so choose. The thing is, your staff isn’t worried about permissions or wonky downloads – it’s not their laptop.

Ever evolving with the changing technology, cybercriminals have noticed the vulnerabilities in web application permissions and have found a way to crack security processes and infiltrate user networks.

According to the McAfee Labs Report released in June 2016, “cybercriminals manipulate two or more apps to orchestrate attacks capable of exfiltrating user data, inspecting files, sending fake SMS messages, loading additional apps without user consent, and sending user location information to control servers.”

Because users have granted apps access to much of the confidential information on their (and their company’s) devices, a hacker who breaks into the app’s system can easily travel between systems, stealing financial, confidential and potentially damaging information. Unless you have verified that the app’s security is tough to crack, you should never give access to your microphone, camera or, in some instances, your GPS location.

It’s common for applications to ask users for permission to access microphones, cameras AND photos, contacts, GPS location and phone status and identity. This last permission, as reported by the Washington Post, is for apps to know when to power off or pause use, such as when the phone rings or there’s a teleconference call. It is also used to make sure that your device is not using pirated software, which can potentially lead to a botnet attack as seen in the Dyn attack back in October.

Unless you’re using a trusted application with an impeccable cybersecurity record, you should not agree to microphone, camera, contacts or other access. To safeguard against the threat of a cyber attack, train your staff about what is acceptable company computer usage and make sure you get a cyber insurance policy; if an attack should hit your network, cyber insurance will pay for the damages.

Is your network protected? It might be best to run a test and make sure your network isn’t already compromised. Darn those messaging apps!
