Advisory: Sophos Endpoint - "Your connection isn't private." We're aware of a certificate issue and are actively working to resolve it. Please see: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to prevent "Low Reputation App" warning (for a commissioned mobile app)

Hi,

I'm acting as a consultant to a Financial Services startup which has commissioned a white-labelled version of a mobile app from a (well known) Open Banking-enabled app provider. They have recently released the first version of this application for us, which I installed on my own phone and immediately got the "Low Reputation App" alert. Under "details" it cites the following permissions required by the app as being problematic:

  1. Read storage
  2. Write storage
  3. Starts at device start
  4. Active on locked device

However when I raised this with the developer they said these permissions were required and they said this:

"My understanding is that the Sophos reputation is related to the fact that the app is new and has not been downloaded many times as yet.  This will improve over time.

We haven’t come across this before with other apps, we suspect because most Android users don’t use anti virus and even fewer use Sophos.  One of our developers tells me that he runs BitDefender on his own device and this has never flagged any of our apps.

Our regular pen tests check all the permissions and flag any which are a problem or are not required by the app."

I'm not entirely comfortable with that; the app is intended to help people who are below the typical wealth threshold for receiving personal 1:1 financial advice to better manage their money and finances, and uses Open Banking to connect to users' bank accounts. The reputational risk of anyone getting this warning in that context is too great. Please can someone let me know:

  1. Whether indeed this is due to the app being new, and if so how many times it needs to be downloaded before this warning goes away? Presumably it would need to be downloaded by people who have InterceptX on their phones in order for the stats to improve?

  2. Whether there is anything we or the app developer can do proactively to whitelist this app so it does not get flagged?

  3. Whether the four permissions listed above would be commonly required / typical for an app designed to use open banking and help you manage your finances? 

  4. Whether the statement "most Android users don’t use anti virus and even fewer use Sophos" is valid?

Many thanks,

Charles



This thread was automatically locked due to age.