Before being installed and used by businesses or employees, any app should undergo a security check – be it translation apps, shared calendars, or messaging platforms. How should you make sure that the app is safe? Daniel Chromek, ESET’s Chief Information Security Officer, shared the most important questions any IT specialist should ask when determining an app’s security.
1) Do we have a checklist prepared?
“When we try to determine whether an app or a service is secure, we usually follow a prepared checklist,” Chromek explains. That is also his first piece of advice – prepare two checklists:
- one focusing on what you need to search for in the app’s license agreement or service contract/terms of service
- and a second one concerning the app itself and its use
The first checklist can be based on the ISO 27002 standard, the second on the OWASP (mobile) application security verification standard and on your own previous experience. What should they include? The following questions will give you a hint.
2) Is there a non-disclosure agreement in the contract?
IT specialists should ensure that the contract for any app includes a non-disclosure agreement (NDA). “In terms of service, an NDA is often defined only vaguely. We usually find a generic phrase about data protection, but if we want to ensure the app is safe, we may need to search for more information. For instance, more data can be included in an app’s security description or security audit reports (e.g., SOC2 report). These may give the IT specialists a clue about what happens with data in the app, whether they are encrypted or not, and so on,” says Chromek.
Another aspect that needs to be considered regarding the NDA is what happens to the data once use of the app is terminated. “Will they continue to be protected? Will they be deleted? Will the company get them back? Those are important questions that need to be answered before determining an app’s security,” adds ESET’s Chief Information Security Officer.
Terms of Service: Didn’t Read
This website (and its related browser plugin) offers an overview of the terms and conditions of various apps and grades them from A to F – just like at school. The site may be helpful to both users and IT admins, and while it should not be viewed as the primary source, it can give its readers a better idea about an app’s safety.
3) What happens when the app fails or has an outage?
“We need to remember that an app may rely on a service, which can fail. So, we must ask: What happens to our data when the service is not working?” Chromek explains. An IT specialist should check how the contract deals with possible failures of the service and search for any reports or status pages that provide statistics showing how often the app experiences outages and how long they usually last.
A service contract should also specify what compensation customers should expect when the service fails or when the functionality and failure ratio deviate from the expected numbers. There are different types of failure that the app may experience – from a minor internal issue to large business continuity failures (such as the OVHcloud data centre fire) and even “higher power failures” (for instance, due to war or natural calamities).
The designated compensation will usually differ in each of these cases, and some of the scenarios above may be covered by limitation of liability or force majeure clauses.
2022 Atlassian outage
In April 2022, Atlassian, an Australian software company, experienced an outage that left its customers without access to their services for weeks. The company had received messages from its customers regarding the issue, but for days it offered only very vague information about the problem or the possible fix. In the end, several Atlassian customers were left with large losses, for which they may be compensated only in credits/discounts for Atlassian services. In this case, whether the compensation is fitting or even desirable for the customers is debatable. Source: The Pragmatic Engineer, 2022.
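One way to turn a vendor’s status-page history into the numbers the contract talks about (outage frequency, typical duration, availability against the agreed SLA). This is an added example, not code from the article or from any vendor; the incident timestamps are constructed, and the 99.9% SLA figure is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample: incidents copied by hand from a vendor status page for one
# 30-day billing period (hypothetical data, not a real vendor's history).
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 3, 31)
INCIDENTS = [
    (datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 30)),   # 2.5 h
    (datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 12, 0)),   # overlaps the above
    (datetime(2024, 3, 19, 22, 0), datetime(2024, 3, 20, 1, 0)),  # 3 h
    (datetime(2024, 2, 28, 23, 0), datetime(2024, 3, 1, 0, 30)),  # starts before period
]

def merge_intervals(intervals):
    """Merge overlapping outage windows so double-reported incidents count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def outage_report(incidents, period_start, period_end, sla_pct):
    """Availability over the billing period compared with the contracted SLA."""
    # Clip each incident to the billing period, drop those entirely outside it.
    clipped = [(max(s, period_start), min(e, period_end))
               for s, e in incidents if e > period_start and s < period_end]
    windows = merge_intervals(clipped)
    downtime = sum((e - s for s, e in windows), timedelta())
    longest = max((e - s for s, e in windows), default=timedelta())
    availability = 100.0 * (1 - downtime / (period_end - period_start))
    return {
        "incidents": len(windows),
        "downtime_hours": downtime.total_seconds() / 3600,
        "longest_outage_hours": longest.total_seconds() / 3600,
        "availability_pct": round(availability, 3),
        "sla_breached": availability < sla_pct,
    }

if __name__ == "__main__":
    print(outage_report(INCIDENTS, PERIOD_START, PERIOD_END, sla_pct=99.9))
```

The same function run over several billing periods gives the failure ratio to compare with what the contract promises.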
4) Can we do penetration testing?
Even if the terms of service look good, the actual technical state of the service’s security may not. Many apps and services do not provide any information about security testing in their reports. Additionally, terms and conditions often strictly forbid actions that are an integral part of such testing, such as attempting unauthorised access or bypassing authentication.
However, penetration tests may be essential in determining whether the service protects customers’ data effectively. IT specialists should therefore try to communicate with the app’s developers and either obtain the results of any past penetration tests the app went through or negotiate a separate agreement that allows penetration testing to take place.
5) Is the app developed and operated safely?
Returning to the point that simply installing an app may mean you are also using a third-party service, IT specialists should determine whether the app is safe and make sure that it is developed and operated safely. To get this information, they should either seek existing audit reports, such as a SOC2 Type II report, or have the new vendor audited.
6) What is the vendor’s security incident response plan?
An app may face other serious incidents besides occasional outage issues, including data breaches. “When this happens, we need to ensure that the vendor will inform us. Since businesses are responsible for their clients, partners, and employees, they need to respond swiftly to incidents,” elaborates Chromek. If services process personal data, the need for breach notification may come from regulations like GDPR or CCPA.
Get inspired by the OWASP application security verification standard
This project provides a baseline for web application security, but as Daniel Chromek explains, it is extensive, and some parts may be re-used for “fat client apps.” IT specialists can use it as guidance and pick the points they believe are most relevant for their business.
7) How does the app deal with intellectual property?
IT specialists should pay close attention to how the checked app deals with intellectual property. “The contract may often state that the app is not responsible for any content downloaded into it to protect service providers from copyright lawsuits (e.g., under DMCA). It may also specify that the app may use some content for specific purposes like ‘service improvements,’ which may lead to developing competitive products. All these details need to be considered,” Chromek states.
8) What is the app entitled to do?
Messaging apps, for instance, need to enable many different types of actions – sending messages and media, recording calls, even sharing location, and so on. Other apps, however, do not need as many rights: “For example, when we have an app that focuses on online events and demands your location, access to your phone calls, sending SMS and so on, it makes no sense. Try to think about what the app does and then check whether the requirements of the app do not exceed reasonable needs,” concludes Chromek.
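A check along these lines for an Android app, as an added example that is not part of the original article: it reads the permissions declared in the app’s manifest and flags any that fall outside what an app of its kind plausibly needs. The “expected” permission set for an online-events app and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline for illustration: what an online-events app plausibly needs.
EXPECTED = {
    "online_events": {
        "android.permission.INTERNET",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.POST_NOTIFICATIONS",
    },
}

# Permissions touching especially sensitive data; excess here is a red flag.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review_permissions(manifest_xml: str, category: str) -> dict:
    """Compare requested permissions against the expected set for a category."""
    excess = requested_permissions(manifest_xml) - EXPECTED[category]
    return {
        "excess": sorted(excess),
        "high_risk_excess": sorted(excess & HIGH_RISK),
        "verdict": "needs justification" if excess else "within expected needs",
    }

# Constructed sample manifest mirroring the article's example: an online-events
# app that also asks for location, call log and SMS access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.events">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    print(review_permissions(SAMPLE_MANIFEST, "online_events"))
```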
Reading between the lines
“An app or service cannot conceal what it does and keep the business running. It will be in the terms of service if it collects data or shares your information with any other companies. However, the app may sometimes try to overshadow important information with generic phrases, long enumerations, or fine-print additions. Reading terms and conditions thoroughly pays off, as does looking for other sources, such as reports.” Daniel Chromek, ESET’s Chief Information Security Officer