An interview with Lukáš Štefanko on the Android App Watch project and its goals.
Lukáš, what is the reason behind creating the ESET Android App Watch?
Well, I see it as a logical step: for years, we’ve analyzed mobile applications, discovering tons of malware and security or privacy issues – but only ever wrote about malware. Which makes sense, as my employer, ESET, is in the business of protecting its customers from malware. However, I think that the public deserves to be warned about non-malware threats too.
I think that in a way, it’s more important than writing about malware.
Can you elaborate on that?
Malware research is necessary for us to follow the mobile malware scene and adapt our protective technologies to the latest developments. However, from our customers’ point of view, reading about malware is of secondary importance, since ESET technologies block all the malware described in our blog posts and research papers.
In other words, malware is a serious problem but there is a solution to it: security software.
Security and privacy issues in legitimate apps, on the other hand, don’t have such a clear solution. There are piles of apps developed without security or user privacy in mind. These apps put their users’ privacy or money at risk – pretty often, it’s a serious risk – and still, they don’t qualify as malware. If developers properly declare the functionality of their apps and they collect user data legitimately, we have no reason to flag them as Potentially Unwanted Applications, which is a milder category than malware.
But still, if an otherwise nice app fails to protect your data, bad guys can harvest it and misuse it for, say, emptying your bank account. Unfortunately, that is not a hypothetical example: there are thousands of such insecure apps on Google Play, posing a real threat to users.
What should users do to protect themselves?
In principle, they should stick with their basic security instincts. They should understand that in terms of risks, the digital world is no different from the physical one. And as for the knowledge of particular threats, they should learn – for example, by following the ESET Android App Watch blog.
Are users the only audience for your Android App Watch project?
Well, their security is our ultimate goal – but we also want to speak to developers and even investors. They should learn that security is important and that ignoring it has consequences.
Last but not least, our Android App Watch project is not only about articles. Think of each of our articles as the tip of an iceberg. What you see is a summary of our findings. But before we publish them, we report them to the app’s developer, along with advice on how to fix them. Then we wait for the fix and evaluate it to see if it really solves the problem.
Hopefully, by also focusing on insecurely developed, yet legitimate apps in our research, we can help improve the security and privacy of even more Android users.