Malware in the App Store and Google Play and the Potential for HealthKit
Access to apps through marketplaces like the App Store and Google Play are closely watched in order to try to make sure anything available on them is safe for your phone or tablet. As we know all too well though, hackers are always finding ways to circumvent security precautions companies put in place to keep our devices safe and secure in order to steal your data.
Imagine that a hacker creates a game and submits it to Apple for review. It's scanned and no security flags are raised, so the app becomes publicly available and people start downloading it. Little by little, updates are released, each one containing a small part of malware coding. A final update provides the key to combine all the previously uploaded parts and activate the malware.
What could a hacker access on your phone? Aside from spying on any future phone activity, a lot. Your iPhone has a clear text database, a log of everything you've ever typed on it. This data can be accessed by apps. If you're concerned about keylogging, please check out StrikeForce Technologies.
And did you know that Android's disclosure page scrolls? Most people don't, but when you accept their terms, you're giving permission for access to your contacts, email and other data. Apple won't send you details of what they're allowed to access unless you request it by mail. Snail mail.
What can you do to try to help keep your data safe? Don't type on an unencrypted keyboard. Don't use password vaults. Use two factor authentication whenever possible.
This is all the more alarming with Apple's HealthKit, which has the noble aim of creating health and fitness apps that share information with each other. The worry is that there's nothing in HealthKit from malfunctioning because of an app. Since it is designed to help apps share information, there's a strong concern about data leakage, not to mention fake data from being saved in the health store.
Here is a list of Apple Store requirements:
- “App Store Review Guidelines” document updated with specific rules for HealthKit Apps.
- Apps using the HealthKit framework that store users’ health information in iCloud will be rejected.
- Apps may not use user data gathered from the HealthKit API for advertising or other use-based data mining purposes.
And some additional best practices that should be considered:
- Do not cache health data locally in the App’s folder.
- Only read/write health data from/to the Health store.
- Avoid sending the user's health data to a server.
- Try to do most of the processing on the device.
- As a source App, consider checking if the device has a passcode set before recording sensitive health data.
- As a reader App, only request access to the types of data that are actually needed for the App’s functionality.
Here are resources for additional security: