The state kicked off a soft launch early this year, introducing the tool first to county and local government partners in February, then to school representatives the following month. The app clocked roughly 3,000 downloads and the state is now moving out of soft launch and promoting it to the population at large, Chief Security Officer Laura Clark told Government Technology.
Secure Michigan debuted at a prime time, when school administrators have been wracking their brains for how to keep children and teachers safe while engaged in remote learning from their homes, outside the district’s protected Internet network, said Matt McMahon, associate superintendent of technology at the Gratiot-Isabella Regional Education Service District, who tested the app during its soft launch.
“There were a lot of concerns about the students and the staff even, with where they were connecting, what kinds of apps they were using on their own personal devices,” McMahon told GT. The app “filled a huge gap in our off-site security needs.”
The app isn’t limited to serving schools, and the state hopes it will be adopted by anyone with a supported device — currently Chromebooks, iPhones and Android devices.
The tool is intended to wake up residents to digital habits that may be exposing them to threats — such as connecting to unsecured free Wi-Fi hot spots, explained Derek Larson, deputy chief security officer, in a conversation with GT. Disrupting these go-to behaviors with timely warnings can make them more informed.
“One of the big things Michigan Secure does is it alerts people to some of the risky behavior they engage in without thinking… so they can avoid it in the future,” Larson said.
PHISHING AND NETWORK SECURITY
The Michigan Secure app homes in on several key risks including phishing and insecure Wi-Fi connections, Larson and Clark said. The app includes an anti-phishing tool that lets users check URLs to see if the links are valid or likely malicious, and it can warn users when their Wi-Fi connections are vulnerable — a major problem with hot spots and free public Internet.
“A lot of times people think because it’s free and available it’s OK and secure to use and those things don’t necessarily always equal each other,” Clark said.
McMahon said the app gives warnings while letting users decide how to react to that information.
For school communities, the Wi-Fi network check capability “is probably more important for the educators, the teachers [and] the administrators so that they can be aware, ‘I probably shouldn’t do grades right now, because I’m on an unprotected network, but since my email is encrypted, that’s probably safe,’” McMahon said.
Bobby Hodges, network engineer at Wayne RESA, a regional education services agency, participated in early tryouts of the app and said he found during testing that Secure Michigan works unobtrusively — something important to a desirable user experience. Device owners are largely able to forget they have the app installed until risky behavior prompts it to deliver an alert.
“I received some warnings from connecting to insecure wireless networks and for disabling security features on my phone, like disabling a PIN,” during pilot testing earlier this year, Hodges said. “I was able to have it pop up when necessary. But when you do daily activities… as long as you’re not doing something not secure, it stays transparent.”
DANGEROUS APPS
Monitoring for harmful apps is another of the Michigan Secure app’s prime focuses. The tool is intended to run quietly in the background and look for red flags that users may be unable detect themselves — such as apps that are engaging in suspicious activities in ways that users cannot easily see, Clark said. Michigan Secure can then warn device owners and advise them to shut down those suspicious programs.
Larson said Michigan Secure has a device-based threat detection engine that assesses the apps that users download, install or update, looking for indicators that those programs may be harmful. The tool analyzes the app binaries for malware, data leakages and other threats (this feature is currently only available for Android).
App security checks are particularly important for protecting children, who are less likely to think twice before downloading, McMahon said.
“My own kids, when they were younger, had no hesitancy to put apps on their phone that weren’t secure,” McMahon said. “They’d follow a website saying, ‘If you want to be able to watch this free movie, you need to install these apps.’ And most of them were not safe.”
PRIVACY
Getting constituents interested in the app means reassuring them that it has their privacy at heart, not just their security. Putting such concerns front and center may be essential for appealing to an increasingly privacy-wary populace, and doubly so if the app is to be safe for K-12 students to use.
To answer that need, the team ensured the app was designed with strict limits blocking it from accessing personal data or transmitting information about users or their activities. It is unable to view identifying details such as phone numbers, International Mobile Equipment Identity (IMEI) numbers, device serial numbers or user locations, and it cannot view content like text and email messages, according to the Michigan Secure website.
Michigan’s app was created by Zimperium, the same company that produced a similar offering for New York City in 2018 — and this established history was important to its selection, Clark said.
Zimperium can see a few details, according to the app website. Specifically, it sees an “anonymized randomly generated [ID] number” associated with a device — something intended to enable the developer to get a download count — as well as information on whether a user has an Android or iOS device and the version of the Michigan Secure app installed.
The emphasis on privacy has come with trade-offs, noted Hodges. He said it would be convenient for the app to have an opt-in feature allowing it to scan email messages to see if any links contained within were harmful. Users instead must submit specific links for these phishing checks. But Hodges recognized that the state’s desire to prioritize privacy likely led it to avoid any functionalities that could review messages.
Larson said in a separate conversation that Zimperium has introduced a variety of new capabilities that the state has declined to add to Michigan Secure because those features would require more communication between the app and the developer.
The Secure Michigan app speaks to a larger goal of making the state safer overall, Clark said.
“The better we can have our residents become security practitioners or think about cybersecurity on a daily basis, the more secure Michigan as an ecosystem will be,” she said.
