How to prevent "Low Reputation App" warning (for a commissioned mobile app)

Question

Hi, 
 I'm acting as a consultant to a Financial Services startup which has commissioned a white-labelled version of a mobile app from a (well known) Open Banking-enabled app provider. They have recently released the first version of this application for us, which I installed on my own phone and immediately got the "Low Reputation App" alert. Under "details" it cites the following permissions required by the app as being problematic: 
 
 Read storage 
 Write storage 
 Starts at device start 
 Active on locked device 
 
 However when I raised this with the developer they said these permissions were required and they said this: 
 "My understanding is that the Sophos reputation is related to the fact that the app is new and has not been downloaded many times as yet. This will improve over time. 
 We haven&rsquo;t come across this before with other apps, we suspect because most Android users don&rsquo;t use anti virus and even fewer use Sophos. One of our developers tells me that he runs BitDefender on his own device and this has never flagged any of our apps. 
 Our regular pen tests check all the permissions and flag any which are a problem or are not required by the app." 
 I'm not entirely comfortable with that; the app is intended to help people who are below the typical wealth threshold for receiving personal 1:1 financial advice to better manage their money and finances, and uses Open Banking to connect to users' bank accounts. The reputational risk of anyone getting this warning in that context is too great. Please can someone let me know: 
 
 Whether indeed this is due to the app being new, and if so how many times it needs to be downloaded before this warning goes away? Presumably it would need to be downloaded by people who have InterceptX on their phones in order for the stats to improve? 
 Whether there is anything we or the app developer can do proactively to whitelist this app so it does not get flagged? 
 Whether the four permissions listed above would be commonly required / typical for an app designed to use open banking and help you manage your finances? 
 Whether the statement " most Android users don&rsquo;t use anti virus and even fewer use Sophos " is valid? 
 
 Many thanks, 
 Charles

Qoosh · Accepted Answer

Hi Charles, 
 Thanks for reaching out to the Sophos Community Forum. 
 If you wish to improve an app's reputation, you can submit a copy of the .apk file for Android or .ipa file for iOS using the following sample submission portal. - Submit a Sample 
 In the article Request an app reassessment to increase its reputation I was also able to find the following stated, explaining why an app may have a low reputation. 
 "A low reputation does not necessarily mean that the app is a threat, it just means that Sophos is unaware of the app or is yet to be analyzed." 
 To answer your questions: 1. I would need to verify this with our development team, though I'm unsure if this can be shared publicly. 2. Submitting a sample and requesting the app to be analyzed would be the best course of action. The app's behaviour can also be checked, and if nothing malicious or suspicious is found, the app's reputation will be increased. 3. The permissions listed are commonly required but should not be a cause for concern, as many applications require these same permissions. 4. This is correct, not many users do not choose to leverage antivirus on their mobile devices, though we expect this to change in the coming years and hope to provide a mature product for users when the need arises. 
 I hope this helps, though if you have any further questions, please feel free to reach out on this thread.

How to prevent "Low Reputation App" warning (for a commissioned mobile app)

Top Replies