MobileActive.org

Particularly for smartphones, there are many apps that promise improved privacy and security for your mobile communications. Like all apps, some are very good, but other are poorly written or overpriced, and may even be malicious. This article will help you evaluate whether you should trust their promises.

Before You Start

Security apps are most useful as part of a coherent security policy covering all your mobile communications. The Mobile Risk Assessment Primer will help you complete an inventory of mobile communications risks, and decide which are most important and most feasible to mitigate.

Once you’ve completed a risk assessment, it’s important to search broadly for security apps. MobileActive is in the process of reviewing many of these our current list of security apps but the mobile security landscape changes quickly. Ask friends and colleagues, read about your specific security need online, and search your device’s app marketplace. Once you’ve identified as many options as possible, it’s time to start evaluating your security apps.

Will It Work on Your Phone?

As with computer software, some mobile apps are built to work on one platform - Android, iPhone, Blackberry, Symbian, Java - and many not work on others. There may be other requirements too, such as particular phone models. Make sure the apps you have chosen are all going to work on your device.

Also consider how you will actually get the app - can it be downloaded from a web link that you open on your phone, or can you get it from an app marketplace? Some apps can also be downloaded to a PC and transferred via bluetooth or a data cable. This step sounds obvious, but it can be tricky when you don’t have stable Internet access on your phone or aren’t used to the app install process.

For additional security, we suggest that you only use “markets” from official sources where it is possible to check the identity of the developers and to see user comments. Some markets also provide reputation ratings for developers and apps, comments for apps and developers. In the same way, look for the most official source - a well-know collection, or the developer’s own site - for apps downloaded from websites.

Some security apps require that all participants involved in the communication use the same app. This is common among encryption apps, which usually require both the sender and receiver of the encrypted message to use the same app. Where this is a requirement, it is important to think about whether it is feasible for your particular situation. Does everyone you want to send secure messages to have a device that will run the app? Will they all be able to use it?

Risks, costs, and benefits

Security apps are designed to mitigate particular risks - for example, the risk that your communication may be intercepted, or that sensitive data may be compromised if your phone is lost or stolen. However, using certain apps can also expose you to additional risks. If it is obvious to someone observing your communications that you are using encryption or an anonymous browsing service like Tor, this might arouse suspicion.

Security software is also sometimes implicated in exposing supposedly private communications to third parties, such as restrictive governments. While this doesn’t happen most of the time, it’s worth being aware that it might, and not dropping your guard completely just because you’re using a secure app.

Security is big business, and many well-established apps are proprietary, commercial and unfortunately very expensive. Some offer good value, but with all proprietary apps you should take care to establish how far the software code has been made available for peer review. If the company selling the app stores any data on its servers, you also need to be sure you trust their internal policies and understand their legal obligations with regard to your data.

Finally, it’s worth remembering that in some situations, mobile communications are either too risky or not available. Even if you find a security app you trust, you might want to take the additional precaution of sending messages in an agreed code, or not identifying people and locations in your messages. During a protest or gathering, always have a backup plan - a place to meet, a number to call, or a friend in a different location you can ask to send out updates on your behalf. These and other general tips are available in the Mobile Risk Primer and Mobile Tactics for Participants in Peaceful Assemblies.

Is This App Trustworthy?

When it comes to evaluating individual security apps, there are several things to take into account. Many of these are common to all apps, and MobileActive’s general guide to app security: Are Your Apps Trustworthy? 6 Questions to Ask is a good place to start. This guide will help you to:

• Understand what features of your phone are accessible to apps, and what permissions the app needs to request to use them. Watch out for security apps that ask for permissions that seem unnecessary or too broad.
• Evaluate the reliability of the app’s developer, and how active their user community is. For security apps, both are critical - if a security flaw is discovered, you want to be sure it will be identified quickly so that you can take precautions until it if fixed.
• Understand the advantages of apps that are open source or have otherwise made their code available for public review. Publicly reviewed source code makes it harder to hide malicious features and easier to identify obvious security flaws.
• Be vigilant about how apps that store or transmit data. Is storage encrypted? Is transmission secure? If you aren’t sure, ask the developer and/or the user community.

Some additional considerations when choosing security apps include:

• Legal issues. Some apps may not be legal in certain countries (encryption is often regulated, for example). If an app developer stores data on your behalf, they may also be forced to hand it over to law enforcement agencies under certain conditions. Check their policy on requests from law enforcement agencies.
• Maturity. What is the reputation of the app? Early releases of software are typically less stable and secure than later releases. And, if the application only has one release, it might not be the right tool for the job just yet. Check the ratings of the application, and read the reviews of other users on the market.
• Staying up to date. Once you’ve chosen an application, be sure to keep it and all of your other applications - including your operating system - up to date. Malware and viruses often work by exploiting a vulnerability found at the software level. Once the software developer learns of these vulnerabilities, they often release security bugfixes and patches. Make sure you are running the latest stable versions as it might contain fixes for security issues.

Security App Worksheet

Here are some questions to ask yourself as you consider applications.

1. Will it work on my phone?

• Consider platforms (iPhone, Android, Java, Blackberry, Symbian etc)
• Phone models
• Installation method (App market, web download, download to PC?)
• Language support

2. Consider the risks, costs and benefits

• What risk does this app address? What are the benefits?
• Does it introduce other potential risks?
• How much does it cost? Both the cost of the app and any data/text messaging/voice costs

3. Seriously consider whether tis app is trustworthy

• What permissions does it request? What permissions is it given by the operating systems?
• Who is the developer? Are they well-known?
• Is there an active user community?
• Is the source code available for public review?
• Is data stored and transmitted securely?
• Is the app legal?
• What is the developers’ policy on data requests from law enforcement?
• Is the app mature?
• How are updates released?