Mobile Security: The Dangers of Third-Party Apps

When an app or digital service does not offer the features users want, downloading a free app can be a quick fix solution, but one that can be costly. Security breaches of Dropbox (News - Alert) and Snapchat were blamed on third-party applications creating holes for cyber criminals to exploit, and they are not the only vulnerable products. Downloading a third-party app can be convenient at the time, but using a third-party app on your phone, tablet, or computer may put your photos, videos, and other sensitive data at risk.

An application or app that provides some or all features of another app or service developed by the original vendor is said to be a third-party application. Everyone has third-party applications on their smart devices these days. They are cooked into the devices without the need for users to do anything. A phone’s camera application that can save images to Dropbox, and apps and games that enable users to sign in via Facebook or Twitter (News - Alert) are all examples, and they can be a security risk for numerous reasons. Having a better understanding of how third-party apps function can help users take steps to protect their private information. The first step is understanding the various forms of authentication.

Direct Authorization

If an application requests users to provide a username and password to another service, such as Dropbox, Twitter, etc., it is requesting direct authorization. That is, it has all the needed information to log into that account without the user needing to grant any further permission for it to do so. This is a very dangerous method of authorization, as users have no control over what this third party will do with the credentials and could even lock a user out of his or her own account.

Pass Through

When an application wants to use another application to perform a particular activity, such as saving to Dropbox by using the official Dropbox app, it is using that service via a pass through authentication. This requires the third party app to have no authentication information for the service and is generally the safest way to give access to third party applications.

Delegated

When an application requests the original vendor to authenticate a user but is then restricted by what it can do via a strict permissions system, it is said to have a delegated authentication scheme. Generally when an app asks a user to log into Facebook (News - Alert) or Twitter, it is using delegated authentication, known as OAuth, and it is fairly transparent on what the app will be able to access. OAuth is the current state of how apps use authenticated services. OAuth is commonly used as a way for web surfers to log into third-party websites using their Google (News - Alert), Facebook or Twitter accounts, without supplying access credentials. An app can request to use a Facebook account, and when a user approves this, he or she is shown what permissions it will be given. If an app is given full access, it can write posts as the user, upload and download files as the user, and more. Trusting a third-party app that is requesting too many permissions of a service is dangerous.

Understanding and being wary of authentication methods does not fully protect users, but it is a start. Third-party applications, independent of which type of authentication they implement, have the ability do whatever they want with user’s data. An application that is designed to take a picture and instantly upload it to Dropbox could be doing other things with that picture without the user (or Dropbox) ever knowing it.

Snapchat users were recently compromised by a third-party service called SnapSaved that was saving pictures in a separate location in addition to the intended purpose of sending the photo to Snapchat. This security breach was not detected, and SnapSaved was allowed to capture and store these pictures without the consent or knowledge of the Snapchat users. Unbeknownst to the users and Snapchat, these sensitive pictures were saved in a database, used for an unknown purpose for a very long time, and were leaked when SnapSaved.com folded.

Users should prefer applications that use limited permissions on the device and request limited permissions to any online service. It is also a good idea to research what people are saying about the app online. However, using a first-party app is always the wiser decision.

 Written by Shaun Murphy, CEO of startup Private Giant for TMC Digital Magazine