Checking the security of mobile apps

The number of mobile apps is continually increasing – and the great majority of them can be downloaded for free. They also increasingly handle critical personal, business and financial data.

For all the talk of implementing security from the get go, there are too many developers that can’t be bothered with it or simply don’t have the skills to do it.

France-based Pradeo Security Systems has recently launched three solutions aimed at protecting mobile users from security (malware), privacy (data handling) and financial (phone calls and SMS messages to premium numbers, etc.) risks raised by intentionally malicious and unintentionally poorly secured apps.

AuditMyApps is an online platform actually intended to be used by businesses, security consultants, app developers, and app stores which want to see whether the app they are going to offer their employees and customers does not present the aforementioned risks.

Users must simply log onto auditmyapps.com, submit an application, click on «Request Audit» (and pay for it), and they will receive a get a complete security audit of the application and a security mark that evaluates its security level.

CheckMyApps is aimed at corporate IT departments, and works both as a security solution (auditing the complete apps’ fleet within the company, defining the apps’ security policy, etc.) and as a management solution for remote app configuration, approval and removal, and more.

The CheckMyApps app is also available as an app for personal Android users who want to discover the real security level of the apps they use.

Finally, the CheckMyApps API can be integrated in critical apps so that developers and publishers can check the environment in which it is executed (other apps on the device) and whether it affects adversely the security of the critical app. If it does, the API will prevent it from executing. The API is aimed at apps developers and publishers for the banking, health and defense sectors.

All these solutions use Trust Revealing, Pradeo’s behavioral analysis engine, which analyzes apps and reveals all the actions performed by it. It then can isolate the “safe” apps form the “critical” ones.

According to a whitepaper published by the firm, the LinkedIn, YouTube, Dropbox, Iconomia, Twitter, Maps, Adobe Reader and Shazam apps for Android pass the test.

Facebook’s, Skype’s and several popular game apps perform potentially risky actions without the users’ knowledge – mostly retrieving users’ personal data, asking them to access functions requiring privilege elevation, or establishing insecure connections.

Malicious apps of any kind obviously fail the audit.