Many years ago, the first time a mobile app asked me to rate it from 1 to 5, I gladly gave a rating, but that redirected me to the review section of the App Store, and I stopped. I did not want to publish something associated with my name, surname, and photo. Since then, every time a mobile app asks me to leave a review on the App Store, I simply feel annoyed and ignore the request.
Recently, however, I started thinking about how reviews—especially those for mobile apps, but not only—can be exploited by malicious individuals to profile users and gather data useful for illicit activities. Two scenarios came to mind.
The first involves social engineering: an attacker can build a convincing pretext for a victim after reconstructing, from more than just scattered social media likes, the places the victim physically frequents (mainly through Google reviews) and their online shopping habits, down to specific stores and purchased products.
The second, which worries me even more, is the exposure of far more sensitive information. Consider reviews left for apps that manage security systems (video surveillance, alarms, home automation): since the reviewer's name and profile picture are often visible, the review effectively announces which product protects that person's home, and an attacker can aim known (or not yet disclosed) vulnerabilities of that specific system at exactly those users.
But what really made me pause, and what sparked this reflection, is a bank that earnestly asked me to rate and review its mobile app. Banks are precisely the organisations that should keep a low profile to protect their customers. A bank cannot disclose that a particular individual is its customer, yet here it indirectly encourages users to self-identify as such for purely promotional purposes. Moreover, and this is the core of my concern, banks and their customers are prime targets for phishing and similar attacks, so such reviews create additional risk for the customers themselves. If an attacker stumbles upon a review of "Bank X" left by, say, Mr. Jonathan Richards (not just any John Smith, to be clear) and then finds his email address and/or phone number in one of the many leaked personal data databases, they can pose as a representative of that very bank and manipulate him into actions that lead to financial theft.
So, what can be done to mitigate this issue, at least within app distribution platforms? Apps dealing with sensitive matters should, first and foremost, avoid prompting users to leave reviews at all. On the other side, app distributors should offer an option for semi-anonymity, letting users hide part or all of the personal details shown alongside a review (name, surname, profile picture), so that a review cannot be tied back to an identifiable person.
This issue shows how cybersecurity today reaches into the most unexpected fields, even marketing, as in this case. I hope this reflection does not go unnoticed and that more industries begin to involve cybersecurity professionals in their decisions, never underestimating the impact of those decisions when sensitive data is involved.