Hi,
I'm acting as a consultant to a Financial Services startup which has commissioned a white-labelled version of a mobile app from a (well known) Open Banking-enabled app provider. They have recently released the first version of this application for us, which I installed on my own phone and immediately got the "Low Reputation App" alert. Under "details" it cites the following permissions required by the app as being problematic:
However when I raised this with the developer they said these permissions were required and they said this:
"My understanding is that the Sophos reputation is related to the fact that the app is new and has not been downloaded many times as yet. This will improve over time.
We haven’t come across this before with other apps, we suspect because most Android users don’t use antivirus and even fewer use Sophos. One of our developers tells me that he runs BitDefender on his own device and this has never flagged any of our apps.
Our regular pen tests check all the permissions and flag any which are a problem or are not required by the app."
I'm not entirely comfortable with that; the app is intended to help people who are below the typical wealth threshold for receiving personal 1:1 financial advice to better manage their money and finances, and uses Open Banking to connect to users' bank accounts. The reputational risk of anyone getting this warning in that context is too great. Please can someone let me know:
Many thanks,
Charles
Hi Charles,
Thanks for reaching out to the Sophos Community Forum.
If you wish to improve an app's reputation, you can submit a copy of the .apk file for Android or .ipa file for iOS using the following sample submission portal: Submit a Sample
In the article Request an app reassessment to increase its reputation I was also able to find the following stated, explaining why an app may have a low reputation.
"A low reputation does not necessarily mean that the app is a threat, it just means that Sophos is unaware of the app or is yet to be analyzed."
To answer your questions:
1. I would need to verify this with our development team, though I'm unsure if this can be shared publicly.
2. Submitting a sample and requesting the app to be analyzed would be the best course of action. The app's behaviour can also be checked, and if nothing malicious or suspicious is found, the app's reputation will be increased.
3. The permissions listed are commonly required but should not be a cause for concern, as many applications require these same permissions.
4. This is correct, not many users choose to leverage antivirus on their mobile devices, though we expect this to change in the coming years and hope to provide a mature product for users when the need arises.
I hope this helps, though if you have any further questions, please feel free to reach out on this thread.
Many thanks - we will submit a sample as recommended.
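The developer's reply says their pen tests check every declared permission against what the app actually needs, and the Sophos answer notes that the flagged permissions are commonly required. The script below is an added illustration of that check and is not code from this thread, from Sophos or from the app provider. It parses a constructed AndroidManifest.xml, compares the declared permissions with a hypothetical allowlist of permissions the app's documented features justify, and separates the unexplained ones into runtime ("dangerous") permissions, which need a rationale before release, and ordinary ones. The manifest contents, the package name and the allowlist are all assumptions made up for the example; the permission names themselves are real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample manifest for illustration; it is not the thread's app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.budgetapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""

# Subset of Android's runtime ("dangerous") permissions: these prompt the
# user at runtime and are the ones a reviewer looks at first.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}

# Hypothetical allowlist: each permission the app's documented features
# justify, with the one-line rationale you would expect in a pen-test report.
JUSTIFIED = {
    "android.permission.INTERNET": "calls the Open Banking APIs",
    "android.permission.ACCESS_NETWORK_STATE": "detects offline state",
    "android.permission.USE_BIOMETRIC": "biometric unlock of the app",
    "android.permission.CAMERA": "ID document capture during onboarding",
}


def declared_permissions(manifest_xml):
    """Return the sorted, de-duplicated <uses-permission> names in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def review_permissions(manifest_xml, justified=JUSTIFIED):
    """Compare declared permissions with the allowlist and bucket the findings.

    unjustified_dangerous: runtime permissions with no documented reason
                           (block release until explained or removed)
    unjustified_normal:    install-time permissions with no documented reason
    justified_dangerous:   runtime permissions that have a rationale (record it)
    unused_allowlist:      allowlist entries the app no longer declares
    """
    declared = set(declared_permissions(manifest_xml))
    allowed = set(justified)
    unjustified = declared - allowed
    return {
        "declared": sorted(declared),
        "unjustified_dangerous": sorted(unjustified & DANGEROUS),
        "unjustified_normal": sorted(unjustified - DANGEROUS),
        "justified_dangerous": sorted(declared & DANGEROUS & allowed),
        "unused_allowlist": sorted(allowed - declared),
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST)
    for bucket, names in report.items():
        print("%-22s %s" % (bucket, ", ".join(names) or "-"))
```

On a built APK the manifest is stored as binary XML, so decode it first (for example with `aapt dump permissions app.apk`, or by decompiling with apktool) and feed the resulting text to the function; the comparison logic is the same. Anything that lands in `unjustified_dangerous` is exactly what a reputation scanner or a store reviewer will ask about, so it is worth getting a written rationale from the provider for each entry before the app ships.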