Free Mobile Apps = Compromises On User Safety?


This post was originally published on McAfee Official blogs.
http://blogs.mcafee.com/mcafee-labs/free-mobile-apps-compromises-user-safety

Free mobile apps may introduce security risks that need to be addressed. Businesses need to find ways of monetizing when consumers are not ready to pay directly for using an app, but monetization mechanisms that involve the use of user data should be legal, secure and an informed choice. A bigger discussion follows.

80% of apps were free in 2011; 95% of apps are expected to be free by 2017

In the last few years, mobile apps have seen a general downward pressure on pricing. A Flurry Analytics report on app pricing shows that while 80% of apps were free in 2011, the share of free apps had increased to 90% as of 2013. Even paid apps showed lower revenue per app: in 2011, 15% of paid apps were priced close to $0.99, but by 2013 only 6% of apps sat at this price point as free apps increased. In a press release early this year, Gartner also confirmed this trend, saying that 95% of all apps (across all OSs) would become free by 2017.

So how do app developers make money on their apps?

There are three specific trends:

  1. Freemium route with in-app purchases – This is a growing trend. App developers split their feature set between free and paid tiers. The idea is to hook users through a free offering and then make offers to users who would like access to a richer feature set in a paid version. In some cases, individual app activities or enticements are sold through in-app purchases.
  2. In-app advertisements – Many app developers embed various kinds of advertisements in their app through the use of ad-libraries. Every impression or click earns revenue for the app developer. There are many such ad-libraries, including one from Google.
  3. Sponsorships – This is only relevant for a very small group of app developers. In this case the entire cost of the app’s engineering and operations is covered by an outside sponsor. For example, Subway sponsored the ING New York City Marathon app.

However, we have seen some worrying trends!

  • Over-aggressive ad-libraries – Some of the ad-libraries that app developers normally use for monetization were found to be over-aggressive in collecting user details. A couple of these ad-libraries were collecting details related to a user’s calendar, tracking their location, last call details, etc. This is beyond the normal realm of ad-libraries. We also had a one-off case of Yahoo! ad-libraries delivering potential scareware to consumers.
  • Willful encroachment on user privacy – Some apps have questionable privacy policies and sell user data to marketing companies without users’ explicit permission. Other apps, such as Path, deliberately uploaded users’ contact lists without users’ explicit permission.
  • Embedding risky URLs – Between April and June 2014, McAfee analyzed approximately 733k apps. Of those, almost 95k (12%) were found to contain at least one risky URL. While in a small number of cases this might have been willful insertion, it can largely be attributed to developer ignorance and a lack of stricter quality controls in the app development process.
  • Weak implementation by app developers – Recently Credit Karma and Fandango were fined by the FTC for having exposed sensitive user data by not implementing secure communications between the device and their servers. They had not used SSL when transferring sensitive user data over the Internet.
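The Credit Karma and Fandango cases above come down to sending sensitive data without SSL. As an added illustration (not code from the post or from either company), here is the plaintext pattern beside a hardened version for an Android or Java client; the endpoint URL is a hypothetical placeholder.

```java
// Added example: cleartext upload of credentials beside a hardened
// version that refuses non-https endpoints and keeps the platform's
// default certificate and hostname validation.
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public final class CredentialUpload {

    // Weak: credentials travel in cleartext; anyone on the same network
    // path (e.g. public Wi-Fi) can read or modify them.
    static HttpURLConnection openWeak() throws IOException {
        URL url = new URL("http://api.example.com/v1/login"); // hypothetical endpoint
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        return conn;
    }

    // Hardened: fail closed on anything that is not https, and do NOT
    // install a custom TrustManager or HostnameVerifier that accepts
    // everything; the platform defaults already validate the certificate
    // chain and hostname.
    static HttpsURLConnection openHardened(String endpoint) throws IOException {
        URL url = new URL(endpoint);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException(
                "sensitive data must not be sent over " + url.getProtocol());
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/json; charset=utf-8");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    // The TLS handshake and certificate validation happen on first I/O;
    // an untrusted certificate surfaces as SSLHandshakeException rather
    // than silently succeeding.
    static int postJson(HttpsURLConnection conn, String json) throws IOException {
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(json.getBytes(StandardCharsets.UTF_8));
        }
        return conn.getResponseCode();
    }
}
```

On Android 6.0 and later, setting `android:usesCleartextTraffic="false"` on the application element of the manifest makes the platform itself block the weak pattern, so a stray http:// URL fails instead of leaking data.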

What can be done to address this situation?

Many of the action items clearly lie in the hands of app developers. While app monetization will increasingly rely on the alternate means documented earlier, a lack of focus on user privacy and safety will blow up on app developers who are not cautious (as happened to Path, Credit Karma and Fandango). The following four suggestions could be considered by app developers:

  1. Be extremely cautious of ad-libraries with past incidents – An app developer should look for past privacy violations by any ad-library they are considering integrating with their app. Remember that ad-libraries may not improve your monetization, but a single bad ad-library may destroy your reputation or get you into legal trouble. Always read through the privacy policies of ad-libraries to understand how they plan to use user data.
  2. Implement the three principles of safe privacy – Inform, consent and control. Always inform the user about what you plan to do with their data, for example by encouraging the user to read through your app’s privacy policy. Get explicit consent from the user on the use of their personal data, and allow the user to control the information that is submitted through your app.
  3. Check URL reputation before adding a URL to your app – Embedding public-facing URLs without validating their security status may put users at risk. An app developer may use McAfee’s free URL verification service to validate a web link before using it in the app.
  4. Follow a privacy-aware development practice – An app developer should be aware of secure coding practices and ensure that privacy needs are met. Here is an excellent book written by McAfee privacy experts that could be used for reference: http://www.amazon.com/The-Privacy-Engineers-Manifesto-Getting/dp/1430263555.

Crowd-turfing or Cobrapost’s Blue Virus (Challenging some myths)


PS: The McAfee Official blog site has an edited version of this post. It was republished there for a wider audience.
http://blogs.mcafee.com/consumer/social-media-manipulation-is-for-real-some-call-it-as-crowd-turfing

The Indian investigative portal Cobrapost recently released a report on alleged online reputation smearing/management campaigns designed to gain or destroy political capital for whoever was the highest bidder or “customer”. The online world (social media) was abuzz with political motivations, and some were perplexed as to whether it was even possible (amazed, surprised, dismissive, etc.).

Some of the bloggers/twitterati offered their own explanations, instantly building near-myths and false narratives in the process. My attempt is to disabuse readers of such false narratives and myths. I will skip the political aspects of this conversation and largely focus on the technological aspects.

Myth 1 – It is not possible to have fake followers on either Facebook or Twitter.

Fortunately, this myth has been widely debunked. Sites like Twitter Audit or Social Bakers can easily be used to discover whether a Twitter user has fake followers. Such fake followers are largely bots or proxy accounts run on behalf of real or fake individuals.

In fact, acquiring fake followers is not a difficult task and is actually a full-fledged online business. Take the case of twitterwind.com, a site that offers different packages depending on the number of followers a customer would like to acquire.

Twitterwind Packages

There is an excellent story on this by The New York Times that describes the buying and selling of fake Twitter followers as the worst-kept secret in the industry. Here is an NBC News post that questioned Mitt Romney’s sudden jump in Twitter following by a factor of 100,000 followers last year. In May last year, NPR published a news article on how, for as little as $75, one could purchase 1000 Likes.

Myth 2 – Real people are running every social media campaign; there is NO concept of fake (automated bot) followers.

This is largely a defensive reaction of individuals who find themselves on the other side of the first myth. However, even this myth/narrative is false.

Automated bots or botnets have existed since the early days of attacks on computers and networks by hackers and malware/computer virus authors. Bots are compromised systems or user accounts that can be used to launch a malicious digital campaign or attack on an unsuspecting user, corporation or the public at large.

In the case of social media, there are three ways to create such bots.

The first way is to use an automated bot (a compromised system) to key-log individuals and obtain the username/password of an existing user.

The second way is to create fake accounts through automated programming. Two Italian security researchers, Andrea Stroppa and Carlo De Micheli, reported on how such fake accounts can be created using software that is for sale. The Washington Post carried this story. The New Yorker magazine also has an excellent article on such Twitter bots.

The third way is to launch a phishing attack on real users and harvest their Twitter/Facebook accounts. Social media phishing is a new phenomenon. Some users will recall how AP’s account tweeted about a bombing at the White House once it had been phished and hacked. Even the satire magazine The Onion suffered a similar phishing attack.

Twitter and Facebook have both taken many steps to weed out such followers. Facebook cracked down last year on both fake followers and fake likes.

Impact on some users’ friend and follower counts after Facebook decided to crack down on fake followers

Myth 3 – There are no companies that can actually run such reputation enhancing/smearing campaigns.

There is actually a proper word for this activity – Crowd-Turfing!

The term “Crowd-Turfing” describes malicious crowdsourcing systems that exist on social media and the Internet and combine two behaviors: crowdsourcing and astroturfing. Researchers at the University of California, Santa Barbara coined the term in their paper “Serf and Turf: Crowdturfing for Fun and Profit”.

In other words, not only is it possible to manipulate social media through automated and manual means, it is very much prevalent in many countries such as the US and China. Crowd-turfing is neither novel nor earth-shattering, though it might be a complete novelty for some Indians. It is largely illegal, but establishing the trail of evidence needed to legally nail the culprit requires an extensive skill set.

This story is pretty old now from the rest of the world’s perspective. The UC Santa Barbara report on crowd-turfing mentions such bots existing on Tencent’s very popular QQ services and at Internet companies like Zubhajie, again in China. The report documents the purported activities of these companies, including account creation, forum posts, QQ blog posts, etc.

UC Santa Barbara report documents the kind of activities done by two of the crowd-turfing companies

There is an additional story here: an entire business category, Online Reputation Management, exists for improving the online brands of individuals and companies. Forbes has a good article on online reputation management companies. They also posted a follow-up article on how some of these companies seemed to be doing dirty things under the hood, blackmail being one example.

Although there are many more myths and narratives that could be challenged here, if an informed spirit of enquiry results from this, I will have met my objectives.

Disclaimer – I work for security firm McAfee in my professional life. I have written this post in my personal capacity. :-)

Remembering my father, if I could just argue with him once more


I lost my father on Nov 21 last year. To date, I have avoided talking about him on any public forum. I just never felt the need. This was not a conscious decision; I just never thought that anyone else was involved in my relationship with him. It was one-to-one, and it was only mine to talk with him and mourn for him, just between the two of us.

I realized that my father used to live my life through me. He lost his own father at the age of 6, and this created deep insecurities in him as he grew up. Although he looked to his elder brother as a father figure, he still felt the need to fill that vacuum in his life by overcompensating in a father’s role for his own son (me) and his daughter. His childhood was spent in near poverty, and he felt that self-dependency was the most powerful statement a person could make.

In that way, my father empowered me and my sister at the most fundamental level. We were two individuals empowered by the thought that education and self-identity were critical to an individual’s existence. As we grew up, we fashioned counter-identities (opposed to our father) exactly as he wanted us to. We almost never chose a path or took any advice my father wanted us to take. We were looking for our own path, our own thoughts and our own destinies. We hardly realized that he took immense pride in the fact that, in our rebel streak, we were achieving what he always wanted us to achieve. Sadly, I could not realize this while my father was alive, and I am sure that is also true for my sister.

I lost my father to an incurable disease called Frontotemporal Dementia (FTD). FTD can be considered akin to a cancer of the brain, where brain cells start destroying themselves due to a faulty gene. A close cousin of Alzheimer’s, FTD however strikes people at a young age. My father was just 56 when we discovered that he was suffering from this disease, and at 59 we had lost him. At 56 he was heading a workforce of 700 people, and at 59 he did not know how to conduct himself in a socially appropriate manner. FTD is especially cruel. It first kills your personality, your individuality and your behavior before killing you completely. It starts by destroying the behavior-controlling part of your brain, then proceeds to destroy your sense of emotions before affecting the brain functions that control your body’s organs. When my father eventually died, he had no sense of depth, hunger or distance. He could not focus even for 5 minutes on a task. The only time I felt him completely alive was when he gave me a hug.

FTD is cruel, but having a mental disease in India is especially nasty. Not only do your friends, colleagues and employers misunderstand you, your own family also takes a long time to realize that it is the disease that has altered the patient’s behavior. Until 6 months before my father passed away, my mother refused to accept that he was certainly going to die within the next 3 years and that his behavior changes were irrevocable. When the head of neurology at AIIMS, Dr. Rashmi, told my mother in no uncertain terms that my father had just 3 years left, as there was no cure available anywhere in the world, only then did it dawn on her how precious little time she had left with her partner of 33 years.

FTD is cruel, but I saw how it brought out the worst in the people around my father, largely out of ignorance, though that is par for the course for how Indians generally treat any kind of neurological/psychological patient anyway. After my father had more or less lost his ability for emotional or social judgement of a given situation, some of them took advantage of him. Did I say I feel a sense of pity/empathy for their lack of education/intelligence and how they proved themselves to be lesser human beings?

On a personal level, I always wanted to prove to my father that I could be somebody, as he had this amazing capacity to get under my skin about my shortcomings. Now, when I believe I am moderately successful enough to prove a point to my dad, he played foul by leaving me alone.

Papa, I miss you! You meant everything to me. You are my identity and reason for what I am today! I still want to have that last argument where I can prove how wrong you were to judge me. If you could just be back with me one more time.

But I will let go; I need to let go. My father is now at peace after his years of struggle with this devastating disease. I am sure he is watching us and would be proud of the way we coped during his last years and after he was gone. I am sure this is exactly how he would have wanted us to be.
