Flooded city

A Department of Homeland Security (DHS) pilot program uncovered several privacy and security-related issues in Android and iOS applications used by first responders on the scene of natural disasters and other emergency situations.

The pilot program consisted of carrying out security audits for 33 first responder apps developed by 20 app developers.

Three US government agencies worked together with experts from Kryptowire to review the apps. Auditors say they identified both privacy and security issues in the apps they tested.

32 of 33 apps affected by privacy issues

For example, 32 of the 33 apps had privacy issues, such as requesting permissions the app did not need or use, including the ability to send SMS messages, access the phone camera, and read the device's contacts list.
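As an added illustration of the over-permissioning finding above (this is not code from the DHS program or Kryptowire), the following Python script flags the three permissions named in the report when an Android manifest declares them but the app does not need them; the sample manifest and the set of permissions the app actually needs are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The permissions the DHS audit called out as requested but unused,
# mapped to the capability each one grants (used in the report line).
FLAGGED_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.CAMERA": "access the phone camera",
    "android.permission.READ_CONTACTS": "read the contacts list",
}

# Constructed manifest for a hypothetical responder app (not a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.responder.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Responder" />
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name="..."> value in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # attribute lives in the android namespace
    return [elem.get(name_attr, "") for elem in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str, needed: set) -> list:
    """List flagged permissions the app declares but does not need.

    `needed` is the reviewer's set of permissions the app's features really
    require; a flagged permission outside that set is a removal candidate,
    which is the kind of remediation the DHS statement describes.
    """
    findings = []
    for perm in declared_permissions(manifest_xml):
        if perm in FLAGGED_PERMISSIONS and perm not in needed:
            findings.append("%s: can %s, not needed" % (perm, FLAGGED_PERMISSIONS[perm]))
    return findings


if __name__ == "__main__":
    for line in audit_permissions(SAMPLE_MANIFEST, {"android.permission.INTERNET"}):
        print(line)
```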

Experts also found critical security issues in 18 apps, which they say were vulnerable to Man-in-the-Middle (MitM) attacks, mishandled SSL certificates, or used hardcoded credentials.

The audit took three months, and investigators said they notified all app developers. At the time of a DHS press release published last week, 14 apps developed by ten developers had received fixes for the reported issues.

Fixes took approximately one hour per app

"Most developers who fixed their app’s vulnerability(ies) reported investing approximately one hour on remediation," said the DHS in a statement. "Remediation steps included removing old or unused code, enabling built-in security provided by the operating system, and ensuring the functionality requested is necessary for operations."

According to the DHS, the pilot program was important because even if very few people use these apps, they are critical and need to function as designed at a time of crisis.

They need to receive and share critical information in real time in a safe and secure manner, and they need to be hardened against the security issues commonly exploited by mundane malware, which could cause problems at the time when the apps are needed the most.

More information is available on the program's homepage. The test pilot was named "Securing Mobile Applications for First Responders." A 22-page PDF with the security audit's results is available here.