Before being installed and used by businesses or employees, any app should undergo a security check – be it translation apps, shared calendars, or messaging platforms. How should you make sure that the app is safe? Daniel Chromek, ESET’s Chief Information Security Officer, shared the most important questions any IT specialist should ask when determining an app’s security.
1) Do we have a checklist prepared?
“When we try to determine whether an app or a service is secure, we usually follow a prepared checklist,” Chromek explains. He recommends having two checklists:
- One focusing on what you need to search for in the app’s license agreement or service contract/terms of service
- One concerning the app itself and its use
The first checklist can be based on the ISO 27002 standard and the second on the OWASP (mobile) application security verification standard as well as your own previous experiences. What should they include? The following questions will provide guidance.
2) Is there a non-disclosure agreement in the contract?
With any app, IT specialists should make sure that the contract includes a non-disclosure agreement (NDA). “In terms of service, an NDA is often defined only vaguely. We can usually find a generic phrase about data protection, but if we want to make sure the app is safe, we may need to search for more information. More data can be included, for instance, in an app’s security description or security audit reports (e.g., SOC2 report). These may give the IT specialists a clue about what happens with data in the app, whether they are encrypted or not, and so on,” says Chromek.
Another aspect that needs to be taken into consideration when it comes to the NDA is what happens to the data after use of the app is terminated. “Will it continue to be protected? Will it be deleted? Those are important questions that need to be answered before determining an app’s security,” adds the CISO of ESET.
Terms of Service: Didn’t Read
This website (and related browser plugin) offers an overview of the terms and conditions of various apps, and grades them from A to F. The site may be helpful to both users and IT admins, and while it should not be viewed as the main source, it can give its readers a better idea about the app’s safety.
3) What happens when the app fails or has an outage?
“We need to remember that an app may rely on a service, which can fail. So, we must ask: What happens to our data when the service is not working?” Chromek says. An IT specialist should check how the contract deals with possible failures of the service, and search for any reports or status pages that provide statistics on how often the app experiences outages and how long they usually last.
A service contract should also specify what type of compensation its customers should expect when the service fails, or when the functionality and failure ratio deviate from the expected numbers. There are different types of failure that the app may experience – from a small internal issue to large business continuity failures (such as the OVHcloud data center fire) and even “higher power failures” (for instance, due to war or natural calamities).
The designated compensations will usually differ in each of these cases, and some of the aforementioned scenarios may be included in limitation of liability or force majeure paragraphs.
2022 Atlassian outage
In April 2022, Atlassian, an Australian software company, experienced an outage that left its customers without access to their services for weeks. The company had been receiving messages from its customers regarding the issue, but for days, it offered only very vague information about the problem or the possible fix. In the end, a number of Atlassian customers were left with large losses, for which they may be compensated only in credits/discounts for Atlassian services. In this case, it is debatable whether the compensation is fitting or even desirable for the customers.
Source: The Pragmatic Engineer, 2022.
4) Can we do penetration testing?
Even if the terms of service look good, the actual technical state of the service’s security may not. Many apps and services do not provide any information about security testing in their reports, and additionally, terms and conditions often strictly forbid actions that are an integral part of such testing, such as attempting unauthorized access or bypassing authentication. However, penetration tests may be essential in determining whether the service protects customers’ data effectively or not.
IT specialists should accordingly try to communicate with an app’s developers and either get more information on any past penetration testing results that the app went through or try to create a separate agreement that allows penetration testing to take place.
5) Is the app developed and operated safely?
Returning to the point that installing an app may mean relying on a separate, third-party service, IT specialists should not only determine whether the app itself is safe but also make sure that it is developed and operated safely. To get this information, they should either seek already existing audit reports, such as a SOC2 Type II report, or have the new vendor audited.
6) What is the vendor’s security incident response plan?
Apart from occasional outage issues, an app may also face other serious incidents, including data breaches. “When this happens, we need to make sure that the vendor will inform us. Since businesses have a responsibility toward their clients, partners, and employees, they need to respond to any incidents swiftly,” says Chromek. If services process personal data, the need for breach notification may come from regulations like GDPR or CCPA.
Get inspired by OWASP application security verification standard
This project provides basics for web application security, but as Daniel Chromek explains, it is very thorough, and some parts may be re-used for “fat client apps.” IT specialists can use it as inspiring guidance and pick some of its points that they believe are the most relevant for their business.
7) How does the app deal with intellectual property?
IT specialists should pay close attention to how the checked app deals with intellectual property. “The contract may often state that the app is not responsible for any content that is downloaded into it to protect service providers from copyright lawsuits (e.g., under DMCA). It may also specify that some content may be used by the app for specific purposes like ‘service improvements,’ which may lead to the development of competitive products. All these details need to be considered,” Chromek states.
8) What is the app entitled to do?
When it comes to, for instance, messaging apps, they need to enable many different types of actions – sending messages and media, recording calls, even sharing location, etc. However, some apps do not need as many rights: “For example, when we have an app that focuses on online events, and it demands your location, access to your phone calls, sending SMS and so on, it makes no sense. Try to think about what the app does and then check whether the requirements of the app do not exceed reasonable needs,” concludes Chromek.
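The check Chromek describes, comparing what an app asks for against what its purpose reasonably needs, can be automated for Android apps by reading the permissions declared in the manifest. The script below is an added example, not code from the article or from ESET: it parses a constructed AndroidManifest.xml, compares the requested permissions with a reviewer-defined baseline for the app’s category (the baselines and category names here are hypothetical and should be replaced with your own), and separates the excess permissions that Android treats as runtime-prompted (“dangerous”) from the rest.

```python
"""Flag Android permissions that exceed a reviewer's baseline for the app's purpose.

Added example, not part of the original article. The baselines, the category
names and the sample manifest are all constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical baselines: what a reviewer considers reasonable per app category.
BASELINES = {
    "messaging": {
        "android.permission.INTERNET",
        "android.permission.POST_NOTIFICATIONS",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_CONTACTS",
        "android.permission.ACCESS_FINE_LOCATION",
    },
    "online_events": {
        "android.permission.INTERNET",
        "android.permission.POST_NOTIFICATIONS",
    },
}

# Subset of permissions Android classifies as runtime-prompted ("dangerous").
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
}

# Constructed manifest for a fictional "online events" app that asks for far
# more than it needs (location, call log, SMS), mirroring the article's example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def review_permissions(manifest_xml, category):
    """Compare requested permissions with the baseline for `category`.

    Returns a dict with the full request list, the permissions outside the
    baseline, the high-risk subset of those, and a simple verdict.
    """
    baseline = BASELINES[category]
    requested = requested_permissions(manifest_xml)
    excess = requested - baseline
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "excess_high_risk": sorted(excess & HIGH_RISK),
        "verdict": "review" if excess else "ok",
    }


if __name__ == "__main__":
    result = review_permissions(SAMPLE_MANIFEST, "online_events")
    print("Verdict:", result["verdict"])
    for permission in result["excess"]:
        flag = " (high risk)" if permission in result["excess_high_risk"] else ""
        print("  exceeds baseline:", permission + flag)
```

The same manifest reviewed as a "messaging" app produces a shorter excess list (call log and SMS only), which is the point of keeping baselines per category: the question is not whether a permission is risky in the abstract, but whether it is justified by what the app actually does. The result is a prompt for the reviewer to ask the vendor for a justification, not a verdict on its own.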
Reading between the lines
“An app or service cannot conceal what it does and keep the business running. If it collects data or if it shares your information with any other companies, it will be in terms of service. However, the app may sometimes try to overshadow important information with generic phrases, long enumerations, or fine-print additions. It pays off to read terms and conditions thoroughly and look for other sources as well, such as reports.”
Daniel Chromek, ESET’s Chief Information Security Officer