Consumers downloading apps from the App Store have to rely on Apple’s approval process to vet insecure applications, and even then there is no guarantee that Apple hasn’t missed something crucial. Just last year hundreds of apps in the App Store were found to be using private APIs to collect private user data, a violation of the App Review Guidelines. The recently launched public beta of Will Strafach’s Verify.ly service aims to provide a “warning label for apps” to everyday consumers. The easiest way to think of Verify.ly is through an analogy Strafach shared with me via email. If an app were a book, competing services would simply be reading its table of contents, while Verify.ly would be reading it front to back. Where other services can tell you that an app accesses your contacts and location, Verify.ly can tell you which parts of your contacts the app uses (photo, first name, email, etc.) and when it accesses your location (foreground, background, or both).
I decided to take a first-hand look at the service by viewing the report Verify.ly provides for one of the biggest apps out right now, Pokémon GO. The report shows what kind of data access the app uses and whether it currently enforces App Transport Security (ATS, something that will be required of all apps as of January 2017). According to the report, Pokémon GO uses the GPS location while the app is open (as expected), but it also doesn’t force encryption (ATS) when performing networking tasks. The latter may not be considered “vital” by everyday users, but just a few months ago third-party Snapchat apps were found to be potentially harvesting credentials or transmitting them insecurely. When an application has to send credentials over the Internet for account creation and logins, encrypted network traffic should be seen as the minimum.
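The ATS check in the report can be approximated from an app’s own Info.plist: the script below is an added example (not Verify.ly’s code, which analyzes the app binary itself) that parses the NSAppTransportSecurity dictionary using Apple’s documented keys and lists every way it relaxes ATS. The plist it runs on is a constructed sample, not taken from any real app.

```python
import plistlib
from typing import List

# Constructed sample Info.plist (not from any real app): it opts out of ATS
# globally and also whitelists one domain for plaintext HTTP.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>cdn.example.com</key>
      <dict><key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string></dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Top-level keys that switch ATS off for some class of traffic.
GLOBAL_OPT_OUTS = ("NSAllowsArbitraryLoads",
                   "NSAllowsArbitraryLoadsInWebContent",
                   "NSAllowsArbitraryLoadsForMedia")


def ats_findings(plist_bytes: bytes) -> List[str]:
    """Return the ATS weaknesses declared in an Info.plist (empty if ATS is fully enforced)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = [f"global: {k} is true" for k in GLOBAL_OPT_OUTS if ats.get(k) is True]
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{scope}: plaintext HTTP allowed")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy not required")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{scope}: minimum TLS lowered to {tls}")
    return findings


def enforces_ats(plist_bytes: bytes) -> bool:
    """True only when no global or per-domain exception weakens ATS."""
    return not ats_findings(plist_bytes)
```

A plist with no NSAppTransportSecurity dictionary at all counts as enforcing ATS, since the defaults apply.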
Verify.ly is provided as a free service for individual use, with a business model targeted at corporate/enterprise app development. For businesses in a BYOD or company-owned device environment, Verify.ly can be used to validate that devices within the corporate environment are running securely. Many companies providing MDM solutions rely on a whitelist or blacklist system to decide which apps are acceptable to install. Unfortunately, none of that guarantees that a whitelisted app is as secure as it should be. Verify.ly can run bulk analysis on a given list of apps and then block access to those that exhibit undesired behaviors.
The other business model Verify.ly runs on is ensuring that developed apps are secure before they are released. Many companies rely on third parties to develop white-label software that is then re-branded before being released into the App Store. Depending on contractual agreements, the source code may not always be investigated, or even looked at.
Strafach notes that in a situation like this, the main company would be blamed if any security issues arise, not the third-party developer. Verify.ly would be able to run a security audit on these applications and then test whether each finding is a legitimate vulnerability or a false positive. As Strafach explains, something like a non-obfuscated API key for a service the app uses may be exposed, allowing a nefarious user to begin using it. Verify.ly’s analysis would be able to find these instances and inform the company of the situation.
Strafach also provided a list of security-offending applications currently available in the App Store, each exhibiting behavior that would otherwise go unnoticed. These include being able to read a list of the currently installed applications, and even going as far as attempting to install third-party apps without the user’s consent (this should no longer be possible on devices running iOS 8.x and higher).
Verify.ly is currently available as a public beta, with a limited number of report views. To get a head start on understanding what’s possible with the platform, I’ve compiled a list from the top 10 grossing apps in the US App Store below:
- Pokémon GO
- Mobile Strike
- Game of War – Fire Age
- Spotify Music
- Candy Crush Saga
- Clash of Clans
- HBO Now
- Hearthstone: Heroes of Warcraft
Author’s note: Before working at 9to5Mac, I had worked for an employer with a primary focus on mobile software development for corporate companies and a strong focus on MDM solutions.