Telephone applications are less protective of seniors – PIEUVRE.CA

Lise, 75, prepares her trip online and downloads applications to book flights and hotels. Does she know that a lot of data about her can be shared without her knowledge?

Seniors may be at greater risk when using applications on their cell phones, according to a recent study from Quebec. They are more likely to have their personal information visible in applications and are “less suspicious, making them a prime target for security and privacy attacks,” notes Pranay Kapoor, a student at Concordia University’s Department of Information Systems Engineering and lead author of the study.

These very useful apps process a lot of private data such as medical reports, live locations and personally identifiable information (PII).

Researchers tested 146 Android apps from the Google Play store, from pillbox companion apps to dating apps for seniors. They found that two-thirds of them (95) do not adequately protect personal data.

Their analysis highlights numerous security and confidentiality issues that could lead to the loss of private information but also allow malicious individuals to access user data.

“It is important to better understand how an elderly person’s medical data can be leaked from a pillbox companion app or how an attacker can exploit a low-level issue to carry out a specific attack against the user,” explains the researcher.

Nearly 15 apps allow full account takeover, and nine apps have a flawed validation check that gives an attacker free access to strip the database of users’ sensitive information.

Some applications sent the username, password and other important information in plain text. In three applications, an attacker could have obtained personal and sensitive information such as telephone numbers and home and work addresses “just by changing a few parameters,” Pranay Kapoor continues.

Researchers also found a remote code entry vulnerability in a pillbox application. According to the researchers, this issue could degrade the app’s functionality: “an attacker could change the warnings for the user’s pill, such as when to take it, frequency, quantity, etc.,” Mr. Kapoor explains.

A lack of distrust

But beyond technical issues, it is also the behavior of the people affected that causes problems.

“Older adults should trust less, or no one at all, when it comes to sharing their personal information on an electronic device,” emphasizes the researcher.

On the technical side, these are easily solved problems, he says. Most of them could be fixed if developers simply applied basic security standards.

For example, developers could use HTTPS, which encrypts and authenticates data in transit, instead of HTTP, which sends data over the network in plain text.
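As an added illustration (not from the study or the article), this is how an Android app can enforce that rule at the platform level rather than relying on every developer remembering to type `https://`: a network security configuration that refuses cleartext HTTP app-wide, referenced from the manifest. The file and attribute names are Android’s own; the resource name is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the study).
     Weak setting: cleartextTrafficPermitted="true", the default on Android
     versions before API 28, lets usernames and passwords leave the device
     unencrypted. The corrected setting below blocks plaintext connections. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store, not user-installed CAs -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- AndroidManifest.xml: point the app at the configuration above.
     usesCleartextTraffic="false" covers older devices that ignore the file. -->
<application
    android:networkSecurityConfig="@xml/network_security_config"
    android:usesCleartextTraffic="false">
</application>
```

With this in place, an attempt to open an `http://` URL through the standard networking stacks fails at connect time instead of silently transmitting credentials.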

“And companies should put more effort into testing their applications because it is at this stage that most bugs/issues can be discovered,” the researcher adds.

He believes it is up to universities to ensure that their students become responsible developers, by instilling a mindset and culture of security and privacy in their computer science programs.

Raising cybersecurity awareness

The researcher was motivated by a personal incident: his grandmother was a victim of fraud. “When a user gives a smartphone to an elderly relative, they must explain not only how the device works, but also what dangers it poses. You need to explain what a phishing message looks like to avoid being scammed. And tell them that you shouldn’t share personal information online or in apps unless absolutely necessary.”

Even basic information like city or first name can be used by attackers to build a profile of their victim before carrying out an attack. “This is part of the reconnaissance phase before an attack. And users should only download apps from trusted sources: Google Play and Apple App Store are the two main trusted app stores,” the researcher adds.

The researchers hope their work will raise awareness among older people and their families about security and privacy risks. They also want it to incentivize developers to strengthen their defenses.

Careless designers

“No app passes security tests. It is incredible that so much data at all levels is not encrypted by the applications, which opens the door to embezzlement,” comments Hélène Pigot from the DOMUS laboratory in the Computer Science Department of the Faculty of Science at the University of Sherbrooke.

While one might think that developers are taking basic precautions, “more than 10 of these apps do not include precautions to protect user privacy and the risks of usurpation.” “It is disturbing to see that so many applications store sensitive information only in unencrypted form and send it as clear text,” the expert continued.

She highlights the accuracy of the methodology for defining vulnerabilities in applications, including on the phone itself, and for testing applications. “It is interesting to note that the authors of the article are aware of the ethical issues they raise.”

However, Hélène Pigot points out some disadvantages. “It is unfortunate that little is said about the applications that could not be tested due to an identification that the authors could not provide: would they then be more reliable? The definitions of ‘security and privacy’ are not specified; the shortcomings are, however, clearly stated.”

She also criticizes the tentative conclusion: “There is a real problem that the authors do not want to address. They are simply taking stock of the situation. The next step would be to establish ways so that at least older people are informed and applications meet security standards.”
