How to get more out of election apps than you give
As the U.S. presidential election moves beyond the primaries, many people are using election apps to research everything from party politics to candidates’ platforms and positions.
Given the hotly contested primary season, election apps are just the latest window into how poorly app makers respect your privacy. What helps keep you safe when installing presidential-election apps also protects your personal data when installing other types of apps and when becoming inadvertently exposed to eavesdroppers.
Whether you’re downloading an app to research political positions or just to order lunch, here’s what experts advise doing to protect sensitive data ranging from email addresses and social-network usernames to phone numbers, locations, other installed apps, and device settings.
1. Check out user ratings.
Your first line of defense is the app store you use, says Joel Scambray, principal security evangelist at application security company Cigital.
At Google Play or Apple’s App Store, “every app will have received at least some level of scrutiny for basic privacy and security compliance,” he says. “There is some ongoing debate about the rigor Apple and Google use for this curation, but it does serve to set a minimum bar.”
Look for apps that have many reviews and few suspect user comments, Scambray adds. “Yes, it’s possible that a stealthy malicious app could get lots of good reviews, but it’s less likely than an app with one or two reviews,” he says. “Safety in numbers.”
2. Be wary of permissions.
On the major mobile platforms, apps are required to display any potential privacy- or security-impacting behaviors. If an app requests more information than you’re comfortable sharing, reconsider downloading it, advises Cynthia Chen, who authored an April report by cybersecurity firm Symantec about election app vulnerabilities. “Think of what the purpose of the app is, and only provide information that is necessary for the app to serve its function.”
Current versions of iOS and Android let you manually grant or revoke privileges from each app on your device, and many apps let you update privileges on a granular level. Beware apps that request access to your contacts, phone, camera, and settings, Scambray says.
“Access to contacts is a red flag, almost always signaling some company wanting to mine personal data to enhance value to other customers,” he says. “I don’t usually permit access to the other things either, unless the basic functionality of the app requires it.”
Few people read privacy policies, but those boring tracts of legalese often contain information about data the app collects, what it uses it for, and with whom it shares it, says Chris Eng, vice president of research at application security company Veracode. Review them carefully, and proceed with caution.
4. Think twice before signing in with other site credentials.
When you use an external account such as Facebook or Google to sign into a new app, you may be giving that app access to information such as the names, locations, and ages of your contacts. That’s according to an Electronic Frontier Foundation report highlighting the digital trail you might be leaving during the 2016 election.
“Think very carefully before using your social-media log-in to register for campaign sites or apps,” EFF researcher Dave Maass says. “Even if you’re happy to share your details with a candidate, your friends and family might not be as pleased to learn that you also shared your friends list.”
5. Turn off location data.
According to the Symantec report, some election-oriented apps with more than 1 million downloads lacking proper protections might be inadvertently exposing user data, including GPS coordinates, to eavesdroppers. Author Chen, who detailed researchers’ tests of 1,200 election-related Android apps for the report, recommends turning off location settings when you’re not using your GPS function.
“Beyond saving your battery, this will prevent apps from knowing your exact coordinates and will keep this data safe,” she says, adding that you should log on to secure Wi-Fi only, “back up your device frequently, and keep software up-to-date.”
6. Understand that even the best apps aren’t perfect.
Even the most-secure apps—ones that request reasonable permissions and treat your data fairly—aren’t perfect, Eng warns.
“Even if the app developer’s intentions are good, there is still a high likelihood that they have introduced security holes inadvertently,” he says. “For example, say the application processes donations or collects otherwise sensitive information from you. We’ve found that half of mobile apps don’t properly validate SSL/TLS [encryption] connections, which means that sensitive data could be subject to eavesdropping.”