While it's great that a consumer app like Waze started offering traffic data to help first responders avoid traffic, emergency professionals have been using their own suite of apps for awhile. But how safe are they? The Department of Homeland Security initiated a pilot program to vet the security of 33 different apps provided by 20 developers -- and found that 32 of them had potential security and privacy concerns and more serious vulnerabilities.
Some of the privacy issues included required access to the device camera, contacts and SMS. But eighteen of the apps had 'critical flaws' including hard-coded credentials stored in binary, SSL certificate issues and susceptibility to data interception. The pilot project's staff alerted each appmaker, and Ten developers remediated their products thus far, while security and privacy issues were addressed in 14 of the apps.
It took most of the developers less than an hour to make those fixes, according to the DHS press release. Closing the vulnerabilities was as simple as removing old or unused code, enabling operating system protections and checking whether the apps actually needed some of the permissions they were requesting. Technically, this vetting pilot program was a success for finding vulnerabilities, but it's unclear how long they were in use before anyone caught wind of their security flaws.
All apps surveyed are listed in the public responder app marketplace AppComm, which is run by Association of Public-Safety Communications Officials (APCO), a participant in this pilot program.