‘Education applications are laden with security vulnerabilities’

How security holes can be resolved to protect students and teachers alike

Over the past year, social distancing and pandemic lockdowns have pushed how we work, learn and interact into the online world. Prior to the onset of the pandemic, the education technology field was already transforming how both students and teachers approached effective learning strategies. But when remote learning became the only option, we were forced to adapt and adopt technologies at a heightened speed to accommodate the new necessities brought on by COVID-19. As students have grown accustomed to using their laptops, phones and tablets in their remote learning environment, what about the applications that support their education?

Most of the world is moving towards a more digitised way of working – and the pandemic has only sped this process up. Digitisation makes many processes faster. It also offers greater access and flexibility via video streaming platforms. Children growing up in a technology-driven world are more familiar with the tools and resources available to them, while also learning about the subject matter at hand.

But the pandemic also brought plenty of challenges and complexity, as we are all very well aware. As schools began running remote learning programmes, the novel nature of such processes introduced a considerably larger threat landscape to contend with – if you’ll recall, for example, the ‘Zoom-bombing’ trend whereby unwelcome attendees gained access to classes for the sake of causing disruptions in a variety of ways. In response, Zoom (along with other teleconferencing providers) took steps to strengthen the security of the application.

Assessing the state of mobile app security

And this is simply one example of how societal adoption and increased dependence upon software applications have grown exponentially over the past year, along with the resulting security implications. To get a clearer picture, the Synopsys Cybersecurity Research Centre (CyRC) set out to examine over 3,000 popular Android mobile apps to assess the state of mobile application security during the pandemic. The study targeted the most downloaded and highest grossing applications across 18 categories, many of which have seen explosive growth.

The CyRC research focused on three core areas of mobile application security:

  • Vulnerabilities: the presence of known software vulnerabilities in the applications’ open source components
  • Information leakage: sensitive data such as private keys, tokens and passwords exposed in the application code
  • Mobile device permissions: applications requiring excessive access to mobile device data and features

The findings revealed that a majority of apps (63%) contain known security vulnerabilities. They also highlighted other pervasive security concerns, including myriad instances of potentially sensitive data exposed in the application code and the use of excessive mobile device permissions.

One concerning element to this research is that educational apps specifically were found to have the highest number of total vulnerabilities. Fortunately, these apps don’t fall within the top three categories of vulnerable applications without a solution. Nevertheless, it still raises questions regarding the security practices during the development and maintenance of these apps.

‘Vulnerable components’

Amongst the 3,335 total applications analysed, 159 were educational tools, 101 were tools for teachers and 158 were productivity tools. Over 50% of the apps within these categories contained vulnerable components. While educational apps have the highest number of total vulnerabilities of those the CyRC team assessed, as well as the highest percentage of vulnerabilities with a known exploit, there were also concerns regarding many apps’ permissions requests.

You see, it probably makes sense for a photo editing application to have permissions granting access to your photos or your camera, right? But this typically should not be the case for educational apps. In many cases, the permissions that apps request receive a ‘dangerous’ classification from Google if there’s no logical reasoning for these requests. Tools for teachers are unfortunately leading this list. One of the scanned applications was even requesting 11 permissions out of the 32 that are classified as dangerous.
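A permissions review of this kind can be automated. The sketch below is an added example, not code from the article or the CyRC study: it reads an Android manifest, flags requested permissions that Android marks as dangerous, and reports those a reviewer would not expect for the app's category. It assumes the manifest has already been decoded from the APK's binary XML to text; the `DANGEROUS` set is an illustrative subset, and the `EXPECTED` policy and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of permissions Android documents at the "dangerous"
# protection level; not the list of 32 used in the study.
DANGEROUS = {
    "CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CALENDAR",
    "WRITE_CALENDAR", "READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG",
    "WRITE_CALL_LOG", "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "BODY_SENSORS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}

# Hypothetical reviewer policy: dangerous permissions each app category may justify.
EXPECTED = {
    "photo_editor": {"CAMERA", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "education": {"CAMERA", "RECORD_AUDIO"},  # e.g. live video lessons
}

# Constructed sample manifest (already decoded from the APK's binary XML).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.classroom">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="com.example.classroom.permission.READ_CONTACTS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    found = (el.get(f"{{{ANDROID_NS}}}name") for t in tags for el in root.iter(t))
    return {name for name in found if name}

def audit(manifest_xml, category):
    """Split requests into dangerous ones and those the category does not justify."""
    prefix = "android.permission."
    perms = requested_permissions(manifest_xml)
    # Only platform permissions count; an app-defined name that merely ends
    # in READ_CONTACTS is not Android's READ_CONTACTS.
    dangerous = {p[len(prefix):] for p in perms if p.startswith(prefix)} & DANGEROUS
    unexpected = dangerous - EXPECTED.get(category, set())
    return {"requested": len(perms), "dangerous": sorted(dangerous),
            "unexpected": sorted(unexpected)}
```

For the sample manifest audited as an education app, location, SMS and call-log access are reported as unexpected, while camera and microphone pass the hypothetical policy.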

Just think about how much sensitive personal information we trust to these apps. And as many of the vulnerabilities identified have known solutions, the question then becomes: why aren’t they fixed? Unfortunately, there isn’t a simple answer that applies to every app developer responsible for building and maintaining these applications. Some development teams are simply unaware of the components they use or that vulnerabilities can emerge in those components over time. In some cases, they are aware of the risk, but don’t have the resources available to resolve it efficiently.

‘Be cautious’

The solutions to these problems lie primarily with the app developers themselves. Tools such as software composition analysis (SCA) allow development teams to identify all components in use within an application, offering a clear view of what’s actually in use. After all, you can’t secure what you don’t know you’re using. And at the end of the day, more secure, better applications can only be created when security is part of every phase of development, from design through implementation, testing and maintenance.

As a consumer of education apps and mobile apps in general, my advice would be to be cautious and to use common sense and skepticism. Have a look at the permissions an app is requesting before you download it. If something seems off, trust your gut. Is the convenience of an app worth the risk associated with installing it? If the answer is ‘no’, then consider another option.

