Myths and the truth about the security of mobile applications

Gadgets have been simplifying our lives for a long time: with their help, you can plan trips, order food or a taxi, buy or sell things, pay bills, trade on the stock exchange and do much more. But there is always a risk of installing a fraudulent application on your device and suffering losses instead of gaining benefits and convenience. Let's look at how to distinguish a fake from a reliable program and reduce the likelihood of financial losses.

Fraudsters are increasingly using applications for smartphones, tablets and computers in their schemes. These programs contain viruses that steal confidential information from gadgets (bank details, usernames and passwords for mobile or online banking) and intercept SMS messages and notifications with codes. All this data allows scammers to withdraw money from other people's accounts.

Hackers can also use applications to hack into a device, block access to it and then demand a ransom.

In order to recognize the scammers' traps in time, it is necessary to learn to distinguish between the truth and myths about the security of mobile applications.

1. There are no fraudulent programs in the official app stores

This is a myth. Stores like Google Play and the App Store do have security filters, and as a rule only vetted programs get there.

Developers sign a contract with the platform, according to which, for example, they undertake not to send spam, not to secretly collect user data, not to misinform them.

In practice, things can go differently. Sometimes a program at first fulfills all the terms of the contract. During this time, thousands of people manage to download it. And then, having gained an audience, developers begin to break the rules: without warning, they introduce paid functions, transfer user data to third parties, or even release an update with a virus embedded in it.

In a huge stream of updates, stores do not always have time to track all cases of violations, so there is a risk of encountering fraudsters.

Tip. In any case, you should choose applications only in official stores: it's much safer than downloading them from third-party resources.

You will significantly reduce the risks of running into fraudulent programs if you pay attention to three parameters before downloading:
  •  Number of downloads. If the program is completely new and few people have installed it yet, it is better not to risk it. It is not worth finding out from your own experience whether this application is useful or malicious. Conversely, a program that has been downloaded by millions of users over several years is most likely worthy of trust. It is unlikely that developers of super-popular services and games will risk their reputation: it is much more profitable for them to make money on advertising than on data theft. But there are exceptions, so you need to take other factors into account.
  •  App rating. A large number of downloads does not always indicate the quality of the program, but user ratings matter: the higher the rating, the lower the risk.
  •  Recent user comments. Read reviews not only in the app store, but also on specialized forums. This way you will find out if there have been any problems with the program recently.

After downloading, keep an eye on the application's requests: for example, whether it starts demanding access to your data or other applications on your device. Perhaps the program was hacked after all, or the developers themselves turned out to be scammers. It is better to delete such a program and find a safe alternative.

Do not forget to audit the applications on your phone. Delete unnecessary ones — this will save the device's memory and at the same time protect it in case the developer decides to "modify" the program and add a malicious component to it.

2. Antivirus will protect you from all problems

Unfortunately, this is also a myth. One of the main reasons devices are vulnerable, and one that no antivirus can save you from, is the user's own mistakes. For example, a person can download a program that has more rights than the antivirus: it will turn the antivirus off and continue to work.

Sometimes gadget owners inadvertently remove the pre-installed protection of the operating system. Or they don't update the system itself — scammers look for these gaps in the security of devices and attack them with viruses.

For example, until May 2020, there was a critical problem in the security of the operating system of popular phones. When a user connected to a public Wi-Fi network, fraudsters could intercept traffic and then connect to the phone, read correspondence (including SMS from the bank) and view photos. The bug was then fixed.

Tip. Do not forget to regularly update the software on your devices, including antiviruses. Don't download apps from links that strangers send you.

3. It is better to pay for purchases using your phone


It's true. When you enter bank details into mobile payment systems (Apple Pay, Google Pay, Mir Pay or Samsung Pay), the device does not remember the card data: it encrypts the data and transmits it to the payment system. The seller does not see the details of the card, which means that the seller cannot debit money from it without your consent.

This is much safer than saving card data in an online store application that hackers can break into.

Tip. Many online services offer payment via mobile payment systems. Choose this method: it works as a security gateway for your money.

If possible, try not to use applications and websites that ask you to enter bank card details. Choose those that offer payment using Apple Pay, Google Pay, Mir Pay or Samsung Pay payment systems.

When you cannot use a mobile payment system, carefully check the online store page before entering your card details there. First, make sure that you are looking at a secure site and not a phishing page. When paying, check whether the "save card data" option is ticked by default. Agree to this only if you are completely confident in the reliability of the site.

4. A secure application never requests access to personal data

This is a myth. All applications need access to certain functions and information from your phone. But pay attention to exactly what data the program is requesting from you and whether it needs them for correct operation.

It is logical when a navigator or a food delivery service asks for permission to track geolocation. But it is suspicious if a game or an electronic library does it.

Messengers need access to your contacts list so that you can correspond with those whose numbers are stored in your phone. But it is hardly worth sharing this information with an application that promises, for example, "to show how you are saved in your friends' phones."

Such tricks can stir up interest, including in unsafe services. After all, all your contacts will end up in the application's database, and in the event of a data leak they will fall into the hands of fraudsters.

Tip. Carefully evaluate which applications to allow access to your camera, microphone, location, files, contacts and messages. Agree only if it is really necessary.

5. You can independently check whether the application transfers your data to someone else

It's true. Data transmission is always visible in your device's network traffic. You can track a leak yourself or with the help of special services. Some of them allow you to find out, before downloading the application, whether it sends information from devices somewhere and, if so, whether the data is encrypted and whether the channels through which the information is transmitted are protected.

Tip. There are specialized sites, for example App Census and Exodus, which analyze what data the program requests, where it transmits it and in what form, encrypted or not. So far, these sites are not available in Russian, although information on Russian applications can also be found there.

A more complex, but also more accurate way to check for data leakage from a device is to analyze its network traffic. But not everyone can do it.

If it is difficult for you to evaluate the behavior of the program yourself, look for information in business and industry media, as well as on the websites of companies specializing in cyber defense. They periodically release reviews on popular applications.

6. Hackers often fake gaming applications

It's true.
Users often don't pay attention to details and don't read boring user agreements. Cybercriminals take advantage of this. In the excitement of the game, you may not notice "oddities" in the application: you might accidentally click on a malicious link inside the game or enter bank card details on a phishing page and lose money from your account.

Not only adults, but also children can become a target of hackers: a parent's card or a child's card issued to a parent's account is often linked to application accounts.

Tip. Follow the rules of cyber hygiene. You can study them in the article "How to protect your gadgets from scammers".