A Cautionary Tale about Event-Specific APPs

You may have been offered event-specific APPs for either hobby events or for work. I know I have, and I have also been warned off using them.

Recently I saw yet another article outlining exploits carried out by Event-APPs:

https://www.schneier.com/blog/archives/2022/11/another-event-related-spyware-app.html

Another Event-Related Spyware App

Last month, we were warned not to install Qatar’s World Cup app because it was spyware. This month, it’s Egypt’s COP27 Summit app:

The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users’ emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO’s technical review of the application, and two of the outside experts.

The app also provides Egypt’s Ministry of Communications and Information Technology, which created it, with other so-called backdoor privileges, or the ability to scan people’s devices.

On smartphones running Google’s Android software, it has permission to potentially listen in to users’ conversations via the app, even when the device is in sleep mode, according to the three experts and POLITICO’s separate analysis. It can also track people’s locations via the smartphone’s built-in GPS and Wi-Fi technologies, according to two of the analysts.

Now, domestically, one would think there shouldn’t be this sort of mischief going on. But having been on the committee side of significant events that offered their own APPs, I was surprised when there wasn’t any process to verify what was being offered. None, zero, zip. Maybe someone informally looked at the claimed certifications of the previously unknown APP provider (who, of course, was selected with lowest cost as the main axis of selection), but then maybe not so much.

Technology and Exploit/Security Free-For-All?

  • Does the APP have bad aspects?
  • Did anyone with qualifications actually check it out?
  • Does it even fully uninstall after the event or does it leave residuals that either are exploits or could be exploited?
  • Who actually built the APP?
  • When users install it, does it install other programs or APPs?
  • Were they able to fund the APP from the sales of their product, or have they chosen to monetize the APP by reselling data or allowing exploits?
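As an added example (my own, not from this post or from any event organizer), here is a small triage script that applies the checklist above to a decoded Android manifest, flagging the capabilities the POLITICO review called out (microphone, location, access to messages) plus persistence and the ability to install other apps. The manifest below is constructed for the example; the permission strings are real Android permission names, but the grouping into "why it matters" categories is my own policy, and obtaining the manifest from an APK (for instance with apktool) is assumed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the checklist question they answer.
# The grouping itself is an assumed triage policy, not an Android definition.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone: can listen to conversations",
    "android.permission.ACCESS_FINE_LOCATION": "location: GPS tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location: Wi-Fi/cell tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location: tracked while app not in use",
    "android.permission.READ_SMS": "messages: can read SMS",
    "android.permission.READ_CONTACTS": "data: can read contacts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence: auto-starts after reboot",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs other apps",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "messages: reads other apps' notifications",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "screen content/input via accessibility service",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, every requested permission, and the flagged ones."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Notification-listener and accessibility access are declared on <service>,
    # not as <uses-permission>, so check service-level permissions too.
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            requested.add(perm)
    findings = {p: SENSITIVE[p] for p in sorted(requested) if p in SENSITIVE}
    return {"package": root.get("package"), "requested": sorted(requested), "findings": findings}


# Constructed sample manifest for an imaginary "event guide" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.eventguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: {len(report['findings'])} sensitive capabilities")
    for perm, why in report["findings"].items():
        print(f"  {perm} -> {why}")
```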

I’ve had some of these Event-APPs on my iPhone and deleted them, because I needed them for my job.

Going forward I am leaning towards only installing them on a “burner phone” if I have to use an Event-APP, rather than allowing the safety-unverified Event-APP on my main phone.

Ditto with Hobby-APPs.

73

Steve
K9ZW
