Apps designed for older adults contain multiple security vulnerabilities, new Concordia research shows
Technology and mobile devices are most associated with younger users, but older adults are hardly missing out. According to the Pew Research Center, an estimated 61 per cent of older adults in the United States own a smartphone. This market is expected to grow as the population ages, and growing alongside it is a constellation of mobile apps specifically designed to be used by this demographic.
While those apps may help older users stay connected to loved ones, assist with health-related activities and boost their social lives, they are far from risk-free. As a new paper by Concordia researchers shows, some of the most popular apps made for older adults contain significant risks to their privacy and data.
The researchers tested 146 popular Android apps and found that 95 of them — about two-thirds — insufficiently protect users in one or more ways. It is a significant risk for a population that may not be aware of the dangers inherent in an increasingly connected world, they say.
“Many of these apps contain important health or medication information,” says the paper’s lead author, Pranay Kapoor, MSc 22. “An attacker could potentially use the weaknesses in these apps to change the medication or the alerts to take them. Even slight changes could have drastic effects.”
Master’s student Rohan Pagey, professor Mohammad Mannan and professor Amr Youssef, all from the Concordia Institute for Information Systems Engineering at the Gina Cody School of Engineering and Computer Science, co-authored the paper.
Easy hacks but easy fixes
The researchers downloaded the apps from the Google Play Store. They analysed security and privacy issues by looking for personally identifiable information leakage, access control issues, improper authentication management, the presence of third-party trackers and other red flags.
They found that many apps did not properly authenticate server API endpoints, which could allow hackers access to sensitive personal data. Others had accounts that were found to be easily compromised; some were found to transmit users’ personal information unencrypted to either client-side servers or third-party domains. Dozens of other apps had multiple other vulnerabilities.
Once their analyses were complete, the researchers reached out to the developers of the apps found to have critical vulnerabilities to share their findings. Of the 35 developers they contacted, only seven responded, including two automated replies. The five others acknowledged the issues and forwarded them to their security teams.
“Many of these vulnerabilities can be mitigated if developers followed basic security best practices,” Kapoor says. “It should be relatively straightforward. Development teams should be more aware about security, but they are more worried about just delivering the product itself.”
Youssef adds that security is a non-functional requirement. “Prior to release, developers are testing functionality, but they may not be focusing on security.”
A personal project
Kapoor says an unwelcome personal experience motivated him to continue his work.
“While this research was in its initial stages, my grandmother fell victim to a scam,” he says. “That made it feel very real. Elderly people are being targeted because they are the ones who have the least amount of knowledge about new technologies. Often, a younger person will hand them a phone without explaining to them how the phone works. So elderly phone security is everyone’s responsibility, including the developers.”
This study was supported by a grant from the Office of the Privacy Commissioner of Canada.
Read the cited paper: “Silver Surfers on the Tech Wave: Privacy Analysis of Android Apps for the Elderly”