Every App is a Liability


I've been struggling to formulate a way of explaining this, even to tech-savvy folks. Here's the bottom line up front: every browser extension you install and every app you install present a risk to your privacy. There are two main ways this happens: through proprietary apps that are either sponsored by commercial entities (companies) or governments.

On the commercial side, building apps is expensive, so developers tend to work on apps that have some business plan. But charging for apps not only necessitates developers giving a cut to the app store they are part of (Google, Apple, etc.) but it also causes an order-of-magnitude dropoff in installs. So there's a huge motivation to find a way to keep apps free, while still making money. This leads to ads (at the benign end of the spectrum) and malware (at the malignant end of the spectrum).

Even developers that decide they want to build an app out of the for the good of the community may decide to sell that app to a company. The sale price will reflect the company's ability to leverage ads and malware to recoup the investment.

And even in cases where the developer has an extremely strong moral compass and decides not to do this, there is a risk when their app becomes popular enough that they will became a hacking target. So not only do you have to trust the developer, you also have to trust that the developer is consistently maintaining great security practices.

On the government side, there's a persistent and growing threat of malware built into the apps. Politico ran a story today about Egypt's COP27 summit app being malware:

The app is being promoted as a tool to help attendees navigate the event. But it risks giving the Egyptian government permission to read users' emails and messages. Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO's technical review of the application, and two of the outside experts.

This is extremely common: there's an app for everything now. Every sporting event, every conference, and every airline have dedicated apps so you can do what you did before, but now with an app. It's a dangerous trend, because the code of these apps is not available, and it's completely unclear what behaviors the app has that the users can't see.

My advice: only install apps that are either open-source and community-built, or apps that are absolutely necessary to accomplish your goal. The smaller you keep your digital footprint, the more you mitigate the risk that your privacy will be compromised.