Hacking Humans 1.13.22
Ep 179 | 1.13.22

The only locks you should pick are your own.

Transcript

Tom Tovar: Never before has the consumer voice been so far on the side of the security objective.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Tom Tovar, who is CEO and co-creator of Appdome - we're going to be talking about the results of their recent consumer survey. 

Dave Bittner: All right, Joe. Let's jump in do some stories here. And mine - I'm going to use a tweet as a point of departure for a conversation I'm interested in having with you. So... 

Joe Carrigan: OK. 

Dave Bittner: ...There's someone on Twitter who goes by the handle Snipe the Sniper. And it's @SnipeTheSnipers. And they wrote, I just laughed so hard. This came from my kids' middle school. And it says, dear HCS parents and guardians, today, a classroom assignment at an HCS school focused on email phishing tactics resulted in students sending fabricated emails to multiple persons within the school district, including HCS staff, students and/or parents. The emails...

Joe Carrigan: (Laughter) This is great. 

(LAUGHTER) 

Dave Bittner: The emails, which may have focused on school-related matters, may lead people to think that they were created by an HCS staff member. While the intention of the assignment may have been to instruct students not to be duped by phishing scams, an unintended result may be that the recipients of the emails who are unaware of the classroom assignment are misinformed. While you may not receive one of these emails, we wanted to make you aware of this occurrence. We ask our employees, students and parents who may have received a fabricated email to delete it immediately and not share it with others. Thank you for your understanding and cooperation.

Joe Carrigan: (Laughter) This is awesome. 

(LAUGHTER) 

Joe Carrigan: Unintended consequences - that's the first thing that came to my mind. 

Dave Bittner: Yeah. 

Joe Carrigan: They use the term unintended result. 

Dave Bittner: (Laughter). 

Joe Carrigan: So let me see if I got this right. We're going to start by talking about phishing. And that's great. 

Dave Bittner: Right. So far so good, right? 

Joe Carrigan: Right. 

Dave Bittner: So far so good, yeah (laughter). 

Joe Carrigan: Absolutely. Absolutely. And as you - as well you should, right? And I completely empathize with this school district, these poor people... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Who didn't plan on this because, you know, they got a bunch of Joe Carrigans sitting in the class, you know, 13-year-old Joe Carrigans. 

(LAUGHTER) 

Dave Bittner: Smart, little know-it-alls who are looking to subvert the system (laughter)? 

Joe Carrigan: Right - who think hey, yeah, that would work. 

Dave Bittner: Yeah. 

Joe Carrigan: And these kids then go out and send off a bunch of phishing emails looking, you know, like - you know, it never occurred to me that I could impersonate somebody else. 

(LAUGHTER) 

Joe Carrigan: What a great idea. 

Dave Bittner: Well, so where I want to go with this is I want to talk about the overall - two things - I talk about the overall ethics of phishing simulations, right? 

Joe Carrigan: Right. 

Dave Bittner: But then also, at what point do we introduce this to kids? So let's start with the overall ethics. I mean, I think...

Joe Carrigan: Right. 

Dave Bittner: ...This is something that has come up from time to time. We've seen situations where folks have sent out simulated phishing emails that perhaps went too far. You know... 

Joe Carrigan: Yes. We have seen that numerous times. 

Dave Bittner: Yeah, you know, sending out a - I don't know - an end - a message about an end-of-year bonus for all of your employees that turns out to be... 

Joe Carrigan: Right. Especially right after layoffs. They've done that.

Dave Bittner: Right. (Laughter) Right, exactly. And then everybody thinks, oh, great, I got a bonus. Turns out nope. Not only is there no bonus, but it was a phishing email, as well. And, of course, this is not a great way to win the trust and support of your employees.

Joe Carrigan: Now, keep in mind, Dave, that an actual malicious actor would have no problem with using the lure of a bonus. 

Dave Bittner: Well, and that's part of where I want to go with this...

Joe Carrigan: Right. 

Dave Bittner: ...Is because people have - I've also seen people push back on that, and they've said exactly what you just said, which is... 

Joe Carrigan: Right. 

Dave Bittner: ...The bad guys aren't going to hold back, so why should we? Why should we not make this a realistic situation? And what do you think about that, Joe?

Joe Carrigan: I think that you have to strike a balance with this. You know, you create realistic situations. Let the bad guys do the truly evil stuff, right? Don't do the truly evil stuff yourself. Tell people about the truly evil stuff in your training. But when you're doing the actual phishing simulation, don't do something that would be like a bonus. Do something else, you know, something similar but not something that gets people's hopes up to the point where they're really excited about it. 

Dave Bittner: Right. 

Joe Carrigan: And also understand your audience, right? You know, the one story that comes to mind is the company that did that after they had laid people off. They then issued - set the phishing test with the lure of a bonus. That is ill-timed. 

Dave Bittner: Yeah. 

Joe Carrigan: As far as these students, one of the things that I've done in the past - I haven't done it in a couple of years thanks to the pandemic - but I've worked with high school students in helping to - in introducing them to the concept of penetration testing and what malicious actors do and things like that. And the very first thing that we always discuss in that class is ethics. It's the absolute first thing we talk about. And we talk about the consequences for people's actions. So that's how I would address the school system. I would say, look; before you even start talking about what bad guys do, you need to have the conversation that says, hey, this is what bad guys do. And in fact, doing this makes you a bad guy.

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: And that's important to understand. 

Dave Bittner: Yeah. 

Joe Carrigan: You're not being harmless. You're actually doing something wrong and, possibly, criminal. 

Dave Bittner: Yeah. You know, it strikes me, too, that this was a middle school. 

Joe Carrigan: Right. 

Dave Bittner: And I wonder - is there an age-appropriateness issue here, you know? We don't let middle schoolers drive cars. We don't let (laughter) middle schoolers... 

Joe Carrigan: Right. 

Dave Bittner: ...Drink alcohol, you know? We don't let them... 

Joe Carrigan: Yeah, not in this country, anyway. 

Dave Bittner: Right. And so is that part of this as well? Do - you know, do you teach a bunch of middle schoolers how to pick locks, you know? Like, I don't know. 

Joe Carrigan: (Laughter) Do I teach a bunch of - maybe. (Laughter) I don't know. That's a good question. But... 

Dave Bittner: But you see where I'm going with this? 

Joe Carrigan: Yeah. But... 

Dave Bittner: Yeah. Is there - are they mature enough to handle the responsibility that this knowledge creates? 

Joe Carrigan: Right. If I'm going to teach them, for example - in your example - how to pick locks, the very first thing I'm going to say is, the only locks that you're ever going to be allowed to pick are your locks. You go picking someone else's locks - guess what? - you're committing a crime. And you're subject to arrest and prosecution. And let me tell you, that really sucks. That whole process sucks. And telling people, you know, young people, that they're going to be - you know, I don't know. But I don't want to use the word scare, but rather inform them of how much their life is going to change should law enforcement get involved in their lives. That is - I think that's a pretty good deterrent. 

Dave Bittner: Yeah. 

Joe Carrigan: But when you're talking - your question is a very good one. At what point in time do we do this? Well, I think if these students have an email account, they need to be trained on what malicious actors are going to do because they're going to be targeted as well. So if you're going to say, well, we shouldn't train students on phishing tactics because we're afraid they're going to turn around and use the phishing tactics, then your only answer then is to say, we're not going to give students email addresses. We're going to give them some other means of communication with their faculty. 

Dave Bittner: Yeah. The other thing that strikes me is that - we use the word inoculation a lot on this show. 

Joe Carrigan: Right. Yep. 

Dave Bittner: And I think that's a good example of if you use a (laughter) less powerful message... 

Joe Carrigan: Right. 

Dave Bittner: ...One that doesn't trigger someone's emotions the way that a bonus or a layoff or something like that would... 

Joe Carrigan: Right. 

Dave Bittner: ...You're training their mind to think about these things in the same way that a vaccine trains your immune system without actually giving you the disease, you know? 

Joe Carrigan: Right. Exactly. That's a... 

Dave Bittner: You're using a less serious thing to increase your brain's awareness to be on the lookout for these sorts of things. So it really - I think inoculation is a really good metaphor here. 

Joe Carrigan: Yeah. I think it's a great analogy. It's... 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Exactly. I think you're 100% correct there. 

Dave Bittner: Yeah. All right. Well, there's a - we'll have a link to the tweet here. It's certainly worth a chuckle here. 

Joe Carrigan: Right. 

Dave Bittner: But I thought it could bring us to an interesting conversation, and it did. 

Joe Carrigan: (Laughter). 

Dave Bittner: Joe, what do you have for us? 

Joe Carrigan: Dave, I have two stories this week. They're very different stories, which is kind of interesting. I thought they were both kind of short. But they were both very interesting. One of the things I say frequently in this field is if you're a professional in this field, one of the easiest things to do is to look like Nostradamus, right? 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: You just say, here's what's - here's something bad that's going to happen. And sure enough, eventually, it happens. And you go, see? I said that was going to happen. 

Dave Bittner: Right. 

Joe Carrigan: And you look like a smart guy. And we've had this on before, this kind of thing. But, look; this story comes from Click2Houston.com, which is Channel 2 in Houston, Texas. And the title of the story is "QR code scammers hitting on-street parking in Texas cities - including Houston, officials say; This is what you need to know." So what somebody has done - they have a great picture of this on here. There are parking - I don't know - stanchions, you know, systems that you... 

Dave Bittner: Yeah. 

Joe Carrigan: It's, like, very similar to Baltimore City. You park in a place - there's no longer meters around that you pay for. So you walk up to the - to this kiosk sitting there. That's the word I'm looking for, kiosk. And this kiosk is automated. And you pay via phone or via your app, your Houston parking app. Or you pay via credit card at the kiosk. Or you pay via cash or coin. But somebody has stuck a QR code just on the kiosk - right? - right where it says, pay by parking app or pay by app parking, right? And when you scan this QR code, it takes you to a malicious site that just takes your money. 

Dave Bittner: (Laughter) That's right. Right. 

Joe Carrigan: That's the scam. 

Dave Bittner: Yeah. 

Joe Carrigan: But the QR code is there. And Houston - the city of Houston is letting people know, we don't accept payment via this QR code. There are four ways to pay. There is - you can use cash, bills, coins, credit cards or our app. That's it. Interesting. Don't scan the QR code. So they don't even have a QR code that they're covering up with this malicious QR code. They're just sticking a malicious QR code on the parking kiosk. That's the scam. 

Dave Bittner: Yeah, something I wondered about because I - when I - often, when I go to buy gas for my car, you know, I've spoken before about how I like to use the Exxon app... 

Joe Carrigan: Right. 

Dave Bittner: ...Because it is secure. It allows me to use Apple Pay, which is also secure. So it just gets me away from the risk of a credit card skimmer at the pump. 

Joe Carrigan: Right. 

Dave Bittner: And - but they are - on the pumps, they have QR codes that say, sign up for this. And every time I see that, I think to myself how easy it would be for somebody to just print some stickers, stick them on top of the existing ones... 

Joe Carrigan: Yep. 

Dave Bittner: ...And profit. 

Joe Carrigan: Yep, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: That's what it is. 

Dave Bittner: Yeah. 

Joe Carrigan: So I wanted to bring that to everyone's attention. It seems like an important scam going on in Houston. It's going to spread. I guarantee you we're going to see this in Baltimore very soon. Any place that has parking kiosks, you're going to see this. And once again, I also picked this story because, Dave, I was right.

Dave Bittner: (Laughter) Most importantly, Joe was right. 

Joe Carrigan: Most importantly. Right. 

Dave Bittner: Right. OK. 

Joe Carrigan: Now, my other story is a little bit more involved, and it kind of has an interesting twist to it. So the FBI arrested this guy Filippo Bernardini, who is an Italian citizen who lives in the U.K. They picked him up as he landed at JFK Airport in New York City. And he is a rights coordinator with Simon and Schuster U.K. Now, Simon and Schuster U.K. is a publisher, a book publisher. And, you know, they're all over the world, but they also have a U.K. office. And he works there... 

Dave Bittner: Right. 

Joe Carrigan: ...As a rights coordinator, which is very, very interesting because what this guy is accused of doing is setting up 160 fake websites imitating publishing agents to have authors send early copies of manuscripts for their books to him. And that is what he's done. And he's done things like the domain typo squatting, where - you know, or similar-looking domains. In other words, he's placed - like, if you were going to imitate Simon and Schuster, instead of being S-I-M-O-N, it would be S-I-R-N-O-N, right? I don't know that he did this to Simon and Schuster, but he - that's the specific example that is listed in these articles. 

Joe Carrigan: So according to The New York Times, these thefts occurred by impersonating those in the publishing field. He bought the fake email accounts, or he had fake email accounts, rather. And he targeted authors, editors and literary agents to gain access to these manuscripts, these unpublished books. The indictment accuses Bernardini of impersonating, defrauding and attempting to defraud hundreds of individuals over this five-year period. The feds picked him up as he touched down in New York City, so he's off the streets. I don't know what his bail situation is. But, you know, what was he going to do with these manuscripts? I understand that there's probably a good market on - a good dark market for maybe fiction books that are out there. And that's some of the things - some of the people he was targeting. 

Dave Bittner: Yeah. 

Joe Carrigan: What do you think, Dave? 

Dave Bittner: Well, in the coverage I've seen of this - I saw author Kim Zetter was writing about this. I think she had a story about this earlier and had said that they weren't really sure what his motive is. Like, he wasn't out there selling them, as far as they can tell. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. So it's unclear. The coverage I've seen says it's unclear what he was really after. It may have just been for the thrill of it, but I don't know. Or - yeah, hard to say. But fraud is fraud, right? So... 

Joe Carrigan: Right. 

Dave Bittner: So, yeah, they got him. 

Joe Carrigan: Yeah - interesting. I don't know. I don't understand why he would be after this. Simon and Schuster did issue a statement distancing themselves from him, saying... 

Dave Bittner: Yeah. 

Joe Carrigan: We take this seriously. We take intellectual property seriously. 

Dave Bittner: Sure. 

Joe Carrigan: You know, there's a little thing in the back of my mind that says, I wonder if he was doing this for the people he worked for. But, you know, there's no evidence of that. And Simon and Schuster is coming out, saying, no, no, no. We don't do that, which... 

Dave Bittner: Right. 

Joe Carrigan: ...You would expect, right? 

Dave Bittner: Yeah. Yeah. I mean, could it have given him some professional advantage to know what was coming... 

Joe Carrigan: Right. 

Dave Bittner: ...In his line of work? Perhaps. 

Joe Carrigan: Yeah. Yeah. 

Dave Bittner: That's interesting. 

Joe Carrigan: Maybe that's right. Maybe he was - you know, he knew that - if he knew that something was good, then he'd pursue it more vigorously. And, you know, it would allow him - if he was operating alone, this would certainly allow him to focus his effort on high-value targets or high-value opportunities, rather. 

Dave Bittner: Yeah - interesting. 

Joe Carrigan: Yeah. 

Dave Bittner: All right. Well, we will have a link to both of your stories in the show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day is a message that purports to come from the United States Postal Service. It was sent to us by a listener named William (ph), who writes, I'll bet this nets a lot of victims this time of year. He sent this back before the holiday season was over. Note that there is no USPS tracking number, as they apparently want me to open the attachment - seriously, not happening. I did not include the attachment but expect it may be some kind of malware. If someone were expecting or missing a delivery, I suspect this might work very well on them. And I would agree with William on this. Dave... 

Dave Bittner: Yeah. 

Joe Carrigan: Why don't you go ahead and read the actual message that comes from - allegedly comes - does not come at all from the United States Postal Service? 

Dave Bittner: Well, it says, greetings. Package delivery attempt failed on December 23, 2021, 15:57 hours. The delivery attempt was unsuccessful because no one was present at the delivery address, so this notice has been automatically sent. You can arrange redelivery by contacting us with your postal reference number found on the attached receipt copy in attachments. In case the item is not scheduled for redelivery in 14 days, it is going to be returned to the sender. 

Joe Carrigan: Right. And then there is an attachment there listed, and it says receipt.img. Now, Dave, this is why I wanted to talk about this - because William didn't send us the actual attachment.

Dave Bittner: OK. 

Joe Carrigan: But we've seen these before, and it's been a while since we talked about it. So I wanted to talk about the .img file. If you were to guess at the type of file an .img file is, what would you think it was? 

Dave Bittner: I would think it's an image file. 

Joe Carrigan: An image file. So, like, when you think image, do you think picture? 

Dave Bittner: Yeah. I think, like, a .jpg or a .gif or something like that. Sure. 

Joe Carrigan: Right. I'll bet that's what a lot of people think because it does mean image. But it does not mean picture. So in - I know that we are targeted to a non-technical audience as well as a technical audience, so the technical listeners are going to get bored by this. But when you have an image file, .img file, that is actually a disk image. 

Dave Bittner: Oh. 

Joe Carrigan: It is an image of, like, a hard drive or a hard drive partition or a CD or something. All of those things can be represented as virtual things. And when you want a virtual hard drive, that can be represented as a .img file. It is not a picture. It's actually a virtual hard drive. I've seen these before. I've actually opened one of them up and mounted it. What happens when you open it up and mount it is there is a malicious file inside there. It's usually a .pdf with some kind of malicious function. I didn't see this particular one, but I would love to get a copy of it. But, William, don't send it to us because it has to go through the CyberWire's emailing system. 

Dave Bittner: Is auto execute still a thing on Windows machines these days - like, you mount a volume, and something can auto execute? Or is that gone by the wayside? 

Joe Carrigan: You know what? I don't know. I don't know. That's an excellent question. I know it can work with USB keys. 

Dave Bittner: Yeah. 

Joe Carrigan: So I imagine it's still out there. Yeah. 

Dave Bittner: OK. 

Joe Carrigan: That's a good question. I should look into it. You know, Dave, you and I have talked about this before as well. We don't get down into the technical weeds like we used to, right? 

Dave Bittner: No, we do not. No. 

Joe Carrigan: I miss the weeds sometimes. 

Dave Bittner: Who has time for that? 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's a younger person's job. 

Dave Bittner: Right, right, right. We hire people to do that for us. 

Joe Carrigan: Right - exactly, yeah. 

Dave Bittner: Right. Right. 

Joe Carrigan: I don't understand things anymore. 

Dave Bittner: No. Get me - quick. Get us - get me a young person. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: This scares me. 

Dave Bittner: Right. That's why I have kids, you know? 

Joe Carrigan: Right. 

Dave Bittner: They have to figure out how to record that show (laughter). 

Joe Carrigan: Yeah, exactly. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: So if you get a pic - if you get an image like this or you get a message like this, No. 1, understand it's a scam. These are very popular, especially around the holidays. And if you see a .img file, know that that is not a picture. That is a hard drive image. And if you double-click on it, you will mount a hard drive onto your system, a virtual hard drive that could have anything on it. 

Dave Bittner: Right. 

Joe Carrigan: Anything. 

Dave Bittner: Right. All right. All right. Well, our thanks to our listener William for sending that in. We do appreciate it. We would love to hear from you. If you have something that you would like us to read for a Catch of the Day or a story you'd like us to consider, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: I recently had the pleasure of speaking with Tom Tovar. He is the CEO and co-creator of an organization called Appdome. And they recently did a consumer survey which was focused on mobile application security, and they really got some interesting results. Here's my conversation with Tom Tovar.

Tom Tovar: We really wanted to give insight to security professionals, CISOs and cybersecurity committees within boards of directors - real insight into what the consumer user wants from security in their mobile app experience. So we wanted to give people - open the doors and shed light on the consumer's expectations around the protections needed in every mobile app. 

Dave Bittner: Yeah. I have to say looking through the report myself, it was interesting to see how many unexpected results that you gathered here. Why don't we go through those together? In the report here, you all have it laid out as a series of myths. That might be a good way for us to go through it. What stood out to you? 

Tom Tovar: Yeah, a number of things. So probably the No. 1 thing I would say is never before has the consumer voice been so far on that side of the security objective. I suspect that that has something to do with COVID. It also has a lot to do with how we're using mobile apps today. They're being so integrated into our lives and our daily routine. But that was the No. 1 thing - that the impressions and the expectations of the consumer were very strong, very sophisticated, very clear that, in all cases, all those of us who are consumers of mobile apps, users of mobile apps - we have a high expectation of the security for each mobile experience that we undertake today. So that was probably the biggest one for me - just truly eye-opening. 

Dave Bittner: Yeah. It's striking to me because I think there is this perception that a lot of folks have sort of surrendered to the EULA, you know, that we click through because we want to use an app. And most of us, you know, don't have a really deep understanding of the things we've agreed to. But the results that you all have gathered here show that that's not necessarily the case. 

Tom Tovar: Absolutely. I think you've hit it right on the head. You know, we used to live in this world where people were willing to trade off greater feature sets or more functionality for security on the theory that, you know, use and functionality outweighs the security imperative. But consumers don't feel that way. Consumers - the survey - after talking to and surveying over 10,000 mobile consumers globally, it became apparent that all of us expect security to be a core feature of every mobile app experience. There's - that trade-off just really doesn't exist anymore. But people just want it to be a core part of how they interact with, use, transact, share and experience mobile apps. 

Dave Bittner: What is your sense for how users are evaluating that? How do they judge whether an app that they're about to engage with is secure? 

Tom Tovar: Yeah. Well, a very interesting part of the survey for me was we asked a lot of questions around hypothetical threats or actual threats. And we tried to judge and we tried to get data on the reaction of the consumer to each of those scenarios. So, for example, we compared the consumer response to the potential of being hacked or breached or the rumor of some - of being hacked or breached versus actually being hacked or breached in using a mobile app. And what we found is the reaction is equally strong in both cases. So it really doesn't matter whether the threat is theoretical or the threat is actual. Whether the hack is possible or whether it's real, consumers had a very strong reaction to not being protected in their mobile apps. In fact, somewhere between 73% and 74% said they would abandon an application, stop using an application, in either of those scenarios. And by the same token, about 45% to 46% said they would engage in telling their friends likewise to stop using the app. So the percentages were pretty high and shed light on the fact that, you know, the consumers bring to the mobile experience a very, very, very high standard of - high standard of care.

Dave Bittner: Interesting to me some of the information you gathered when it came to different verticals of apps. For example, you know, the - I think we all think that our banking apps are going to be secure out of the box. And, you know, that's an expectation and certainly something that consumers demand. But interesting to me that you all in the information gathered here showed that it's not just banking apps. It's across the spectrum of apps that people have this high expectation these days. 

Tom Tovar: Yeah, that was one of the very surprising parts of the survey for me as well. Clearly, mobile banking consistently and globally set the standard for security among consumers. Consumers universally said that mobile banking apps should have the highest level of security. But geographically, demographically and otherwise, there were some other standouts that in some cases outpaced mobile banking. So for example in Latin America, e-wallet, money transfer and payment applications were actually ranked higher than mobile banking as the class of app that should have the highest level of security. In other geographies, health care ranked - health care applications ranked highest in terms of consumers' expectations of security. 

Tom Tovar: Universally, however, probably the biggest statistic that showed up is that if you look at applications with transactional data and you look at applications with PII data - personally identifiable information - consumers tended to believe that all applications that had these classes of data ought to have the highest level of security equally. So there were some very interesting highlights in geographies and demographics. But the big, big, big trend was basically all apps that have these classes of data have the highest level of security. So not a lot of outs if you're building a mobile app. There's not a lot of areas where you can say, yeah, well, my app - you know, my app doesn't really need to X, Y, Z. The answer is it does. You know, it does need to have security, and the consumers expect that.

Dave Bittner: Do you have any sense for the degree to which users put their trust in the app stores themselves? For example, you know, we hear about, you know, Apple having their walled garden of their app store, but over on the Android side, it's a little more open. Does that come into play? 

Tom Tovar: Well, you know, I'm an Apple user, an Apple developer, and I love all things Apple. And I always had this belief that as an Apple user, you know, we tend to be the more conservative, perhaps the more, you know, safe and the Android users, you know, they're more, you know, out there. But the data doesn't show that. The data says that we're all the same. I mean, whether you're an Android user or an iOS user, your expectations of security and security for the mobile app is the same. I mean, the data that came back was not statistically significant between those platforms. So pretty much across any dimension, whether you're talking about malware or data theft, credential theft, network level attacks and what have you, the data showed just almost identical consistency between the expectations of Android users and the expectations of iOS users to these classes of threats. 

Tom Tovar: So there really wasn't that big thing - that big delta between the two. The other thing I'd say is the users universally - consumers universally - put the onus on the developer. You know, the global average that we saw is about 63% of consumers said that the duty to protect is really on the developer, on the publisher of the application. And when we asked questions about the App Store, et cetera, they didn't really - there wasn't a lot - there were minuscule responses to that. So most of the responsibility, at least from the consumer's perspective, is on the developer, is on the publisher of the application to ensure that the experience - the mobile experience - is safe, is protected, is secure. And that was just - that was absolutely clear in the survey data.

Dave Bittner: So what are your recommendations here? What are the take-homes? For folks who are out there developing these apps, I mean, is it time for them to recalibrate some of their expectations? 

Tom Tovar: Yeah, there's some really great - you know, obviously, the mobile development community is very rich and diverse and complex. There are some really amazing people out there doing some amazing work to ensure the best security is delivered as part of every release. 

Tom Tovar: I think where the survey really comes into play is for the security professionals and the CISOs who are doing the great work to advocate for better security for the user, advocate for integrated security options in the mobile app experience. And this survey data really helps them make that case in their own organizations, to break through some of these myths, you know, and get the resources and priority they need to make mobile app security a priority for their business because the consumer, you know, is so clear in wanting that. 

Dave Bittner: So in the survey, did you get any sense for what types of vulnerabilities are most important to users? 

Tom Tovar: Yeah, we did. We spent a lot of the survey on that specific question. First of all, consumers are wildly sophisticated about threats, which is amazing to me - very clearly understood the difference between, you know, different kinds of threats. 

Tom Tovar: Consumers tend to look at their mobile app experience as something that's very personal to them. So their assessment of threats and their prioritization of threats tends to be more local than remote than - so they tend to ignore - not ignore, but they tend to focus more on things like malware on the device, hacking of the app that they use, data loss from an on-device threat as their No. 1 threat. They don't tend to prioritize things like cloud-level breaches or network-level breaches, things of that nature because they're - they tend to look specifically at the apps that they use. 

Tom Tovar: So I think if you're a security professional, you really have to reprioritize your efforts to the client, to the mobile client itself, the actually (ph) application and make sure that you're delivering what the consumer wants, the consumer demands, which is in-app protections of their mobile experience equal and maybe even above some of the other protections that you're looking at, which would tend to protect the network or the cloud systems. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: Dave, there is nothing better than unexpected survey results. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Right? I'm working on a survey right now, and I have expectations for that survey, but I'm really looking forward to seeing what the results are. 

Joe Carrigan: Users expect security, especially - this is on - he is focusing on the mobile app space. And users expect security. That's very encouraging. But I wonder, does that mean that users just want more security or do they assume that it's present in their applications? It's - I would like to know the difference between those two things or if that's something we can even measure. I don't know. I don't know how you'd structure those survey questions. I'd have to think about that for a day or two. 

Joe Carrigan: Some good results here - almost three-quarters of those surveyed said they would abandon an application if they thought a breach was possible, which is great. If they even heard a rumor that there was a data breach, they'd just shut down using the application, uninstall it and be done with it. And about half the respondents said they would spread the word about it. That's great news. That is - I am very encouraged by hearing that. 

Joe Carrigan: And what's interesting is it's not just banking apps. People are thinking about this for all kinds of different applications. And I thought it was very interesting the geographical differences. It doesn't really surprise me. The fact that in Latin America e-wallet and money-transfer apps are more important than banking apps - that kind of makes sense to me. You know, Latin America may not be as developed as it is here in the United States. It would be - it's much easier for someone to use an e-wallet or a mobile - and a money-transfer app than it is for someone to go to a bank which may be pretty far away. 

Dave Bittner: Right. 

Joe Carrigan: Your phone is right there, right? 

Dave Bittner: Right. 

Joe Carrigan: So it's great. I think it's really interesting that some places - geographic places rated dating apps as more important than even banking apps. That suggests to me a state of security awareness that is way above what I would have expected. You know, dating apps are a real issue, I think, and people - yeah. I mean, they're great because they can connect you with somebody that you may really hit it off with. And I'm not, you know, dissing dating apps here. 

Dave Bittner: Yeah. 

Joe Carrigan: But there is an inherent risk with them. 

Dave Bittner: Sure. 

Joe Carrigan: You run the risk of romance scams and worse on dating apps. So I'm glad to see that some people really take that seriously. I think that's really important. Keeping your data private until you decide that you're going to meet somebody in a public place - that's the way to go. Any apps with transaction data and PII should have the highest level of security. That's an interesting finding. I wouldn't have thought that people were that concerned about their PII. I think I'm also surprised by these survey results. 

Joe Carrigan: Here's something else that's really interesting and encouraging. Customers put the onus of developing - of the security on the app developers and publishers, not so much on the app stores, which I think is - it shows a part of - you know, an awareness on the part of the general public that I would not have assumed was there. Think about this from the user's perspective. I go to the App Store, and there's the app. My interface is the App Store, right? And I'm going to download another interface. And people are - there's a high percentage of people that are perceptive enough to understand the difference between that. And, you know, I mean, I don't want to sound like - you know, like the arrogant technical guy going, wow, you guys are really smart. 

(LAUGHTER) 

Joe Carrigan: But, you know, I can absolutely understand how people would not be able to make that differentiation - right? - that they would be looking at this as either Google or Apple's responsibility in the app stores. But what's interesting is that Apple and Android - or Google in the Android store - both these iOS and Android operating systems have taken steps to assure user security and privacy. One of the things I talked about a couple years ago was an Omron app. Omron makes, like, home medical devices, like my blood pressure monitor that's just behind me. My blood pressure monitor is Bluetooth-connectable. So I said, hey, that's cool. And this was a couple of years ago when I got it. And I went, and I downloaded the app. And the Google - the operating system, the Android operating system said, here's a list of the permissions that the app wants to have access to. And it was essentially everything, right? And I was like, nope. Uninstall. 

Dave Bittner: (Laughter) Right, right. Not worth it. 

Joe Carrigan: But as a test, I wanted to see if Omron had secured their - or changed their security posture or their privacy policy here, right? I checked the app permissions in my Android. Now, this is on the latest version of Android, whatever number it is right now. I can't remember if it's 11 or 12 or whatever. But it's - you know, like I said, Dave, I'm not down in the weeds anymore. 

Dave Bittner: (Laughter). 

Joe Carrigan: But the only allowed permission is nearby devices. And I'm like, wow, Omron really changed their game here. And then I clicked on the permissions button, and I see no, Omron did not change their game. Android changed their game because there's a list of - listen to the list of things that Android has said, no, you're not going to have access to without the user's permission. Ready? Body sensors. OK, maybe. That's the only maybe. Physical activity. That's also another maybe. But here's the list of things - oh, files and media. Probably, right? You need that to write the things. But here's a list of things that it also asks for access to - call logs, camera, contacts, location, microphone, phone and SMS. It asks for everything still. 

Dave Bittner: Yeah. 

Joe Carrigan: Omron is still asking for everything. But Android is stepping in and going, no, you're not getting anything but the nearby devices. And that makes sense to me. That's a good security posture. That's kind of what I'm talking about here with the - you know, with the consumer understanding here. I had to delve down into this to take a look at and see what was going on. And the app developer, Omron, has absolutely no concerns with the user's privacy. They're willing to go after every piece of data that they really don't need. What do they need my call logs for, Dave? I'm looking for a blood pressure tracker. That's what I'm looking for. Why do they need access to my SMS messages? 

Dave Bittner: I'm guessing they sell it. 

Joe Carrigan: Yeah, exactly. So iOS started this first, and then Android came along with limiting these permissions on these apps that are intrusive like this. I would really like to see Omron go ahead and change their policy, change the information that they're using. I think that's - I really have a problem with this, with the amount of information that they collect or attempt to collect on this device. 

Dave Bittner: Yeah. It'd be nice also to see if that could become a competitive advantage and if you had - while you were shopping for a device, if there were some sort of a privacy nutrition label that said, you know, this is what we collect. This is what we don't collect. 

Joe Carrigan: Yeah. 

Dave Bittner: So before you make that purchase, you're able to evaluate. If you're someone for whom that privacy is important, you could - that could be part of your purchasing process. 

Joe Carrigan: Right. But there's no FDA for devices, right? The FDA is the one that regulates that and says what your labeling is going to look like, the Food and Drug Administration. 

Dave Bittner: Yeah. 

Joe Carrigan: Or the Department of Agriculture. 

Dave Bittner: Or maybe the Federal Trade Commission. Yeah. 

Joe Carrigan: Yeah. Somebody needs to be on that from a regulatory standpoint. 

Dave Bittner: Yeah, yeah. All right. Well, again, our thanks to Tom Tovar from Appdome for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.