Why apps are crap and we need a better way

Have you noticed that most of the apps in the Apple and Google stores have no real use or relevance in today’s business world?  Out of the 500,000 available apps, there are probably 20 that are any good to business.  Of those 20, 90 percent are not real apps anyway.  They are really bookmarks for HTML5 web interfaces.

So why am I getting on my high horse about this today?  Because these apps aren’t just lacking in usefulness.  There are a number of problems with apps for Apple, Android, Blackberry and Microsoft.  Most of them can be broken down into three areas.

Security

When it comes to apps, security is mostly an afterthought—bolted on after the fact, or totally ignored.  No thought is given to securing the data on the device, or the information in transit.  Unencrypted information going from the device back to the shopping cart exposes credit card details, personal information and where you live.  All this information is gold to cyber criminals.

In most cases, apps that are used to follow sporting teams and public figures, focusing on the team and tribe mentality, are designed to get people to impulse purchase when something happens in that tribe’s world.  A recent 4 Corners exposé showed how insecure some of these apps actually are.

I was recently in Malaysia, at one of the main shopping areas in Kuala Lumpur, and I was sitting at a Starbucks (which everyone perceives as free Wi-Fi with no password)—not using their Wi-Fi,  but still connected to my cellular account.  In walked these two guys, 25-ish, well-dressed.  They sat at a table in the corner, pulled out two laptops each and started to set them up.

Now being someone interested in cyber security, I was curious.  So when the table next to them was vacated I sauntered over and sat down.  I wish that I had been able to film what they were doing.  All four laptops were scanning the local Wi-Fi traffic and recording it all.  The amount of information they were gathering was mind-boggling.  Most of the traffic was being generated by insecure mobile apps.

Don’t forget the criminals are smart, smarter than we give them credit for.   When Android was first introduced in 2008, there was much fanfare and slapping of backs.  The criminals had had access to the software since the first release and had picked it apart and worked out the best way to exploit this system that they knew everyone was going to use.

So in 2008, when Android went live, so did the Google App Store.  In that store was a vast array of banking apps.  In the first month, 50,000 of those banking apps were downloaded, installed and used on smart devices all over the world.  Not one of those banking apps was real.  They were just malware dressed up to look like a banking app.  Now Google has improved their vetting process, but some malware still gets uploaded to the App Store.

Perceived functionality

In most cases, the functionality that you are looking for is not in the app alone.  The functionality that you require for business is a combination of what is on your laptop, desktop, server, cloud storage, tablet and phone.  The overall combination makes it all work.  Most of this functionality can be created without the addition of an app of any sort.

The World Wide Web has created a super-rich and vibrant environment that any business can use to punch above their weight.  Smart devices can do a lot for your business, but such a device does not need an app on it to make it work.

In most cases, apps like Facebook and LinkedIn are just HTML5 bookmarks that render the information from a certain site in a set way.  But using an app instead of your browser creates unique problems.  Most of the information you share with a given site is stored on the site itself, but there is still information contained on the smart device that can be hacked or stolen.  And don’t say “my Facebook account is not important.”  Ever heard of social engineering?  This is where the bad guys get their information concerning your likes and dislikes, where you work and who your friends are.  They can use your social media account to work out what your mother’s maiden name is, so they can hack your other online accounts and get even more information about you.

Who owns the information?

This is a problem that we are going to see more and more of.  Companies go out of business for myriad reasons, and having your information inside a company's business boundaries when it does is going to cause you major business problems.

Who owns that data, how does the business look at that question, and will the administrator look at it differently?  Come to that, will the business or administrator hold your data to ransom?  What did the terms and conditions say  about the data and the metadata?  (You did read the terms and conditions, didn’t you?)  How do you recover that data so that you can still function as a business?

These are all questions that you have to ask. 

There are other reasons for apps being crap in a business.  Every app should have due diligence applied to it.  Three criteria have to be met: Is it secure? Is the data stored anywhere? Who owns the data?  And of course, you have to ask yourself if the app will benefit the business.

In most cases, it won’t.  What about BYOD (bring your own device), jailbroken or non-secure devices, or people leaving your employ with the possibility of having your information for their next job?  Do you want your business information on a device that is insecure—or would you rather have it stored somewhere you can easily restrict access in an emergency?

So yes, apps are crap.  The functionality can be achieved with a better focus and better risk management.  But for most of them, the effort isn’t worth it.  Of the 45 apps on my smart devices, 10 percent of them get used every day.  It’s probably the same with yours.  When you’re in doubt about an app, you’re most likely better off without it.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.
