Frequently Asked Questions

What is the NYC Secure app? The NYC Secure app is a free, New York City-funded mobile app that will alert you if your mobile device or tablet encounters threats such as a potentially unsecure Wi-Fi network and will offer recommendations on how to address the threats. The app was designed with your privacy at the forefront. No information about you leaves the device. A third-party firm conducted a thorough review of the source code.

Is the app completely free? Yes, the NYC Secure app is funded by the City of New York, so it is completely free. It is free to download and free to use. There are no monthly charges and no in-app purchases required. There will be no charge for any updates or upgrades, and it does not have any ads.

How does the app help protect me? The app detects potential threats in real time to your device and to Wi-Fi networks you may connect to, and for Android users, it detects whether any app you’ve downloaded might be unsafe. When the app detects a threat, it will send you an alert in real time and offer a recommendation on how to address the threat, such as suggesting you disconnect from a particular Wi-Fi network. These alerts include:
- Device alerts: These alerts warn you about settings or activity that could potentially put your device at risk.
- Network alerts: These alerts warn you about potentially compromised networks you are connected to.
- App alerts (Android only): These alerts warn you when issues arise on apps you have installed that could compromise your device's security.

Who developed the app for New York City? The NYC Secure app was developed by United States-based Zimperium, Inc. Zimperium is a global leader in mobile security, offering real-time, on-device protection against both known and unknown Android and iOS threats.

What information about me will the app gather? NONE! The app was designed with privacy at the forefront. You will not be asked to provide any information about yourself to download the app. Nothing about you or your activity ever leaves the device.

What information does the app developer or New York City see? The app developer and New York City cannot see or have access to any personally identifiable information, including location, IMEI, device serial number, phone number, text messages, pictures, emails, or any other information on your phone. The app developer will see:
- A device ID (an anonymized, randomly generated number that can only identify how many people at any given time have downloaded the app)
- The device type (that is, whether it is an iOS or Android device)
- The NYC Secure app version

How much space will the app need on my phone? Approximately 75 MB to 80 MB.

How much data will the app use on my Wi-Fi or cellular network?
- Android: Install/Setup = 14 MB to 16 MB; Daily Usage = 4 MB to 6 MB
- iOS: Install/Setup = 7 MB to 9 MB; Daily Usage = 3 MB to 5 MB

What is the minimum operating system I need to use the app?
- iPhones with iOS v9.0 or later
- Android devices with Android v4.4 or later

Does the app require a Wi-Fi signal to use? No, you can use the NYC Secure app without a Wi-Fi connection.

What are all of the threats that the app will detect?

Device Jailbreaking (iOS) or Rooting (Android)

When an iOS device is jailbroken, or an Android device is rooted, malicious processes can gain unauthorized access or elevated privileges that allow them to take full control of the device, compromising the security of the device. If your device is jailbroken/rooted, it is recommended that (i) you back up any sensitive data, (ii) restore the device to the original factory settings via device settings, and (iii) subsequently update the device to the latest device software via device settings or by visiting the device manufacturer’s website or by contacting the device manufacturer’s customer support center. For example, for iOS devices, visit Apple’s official website; for Google’s Nexus/Pixel devices, visit Google’s official website; and for Samsung devices, visit Samsung’s official website.

Elevation of Privileges (Android)

An elevation-of-privileges alert is reported when a malicious process running as the user escalates to root on the device (e.g., the user installed an app from a third-party store that executed an exploit and gained root privileges on the device). An elevation-of-privileges attack essentially hands someone other than you the keys to the castle. The attack tricks the device OS into thinking that the attacker has legitimate administrative privileges, compromising the security of the device. If you receive an elevation-of-privileges alert, it is recommended that (i) you back up any sensitive data, (ii) restore the device to the original factory settings via device settings, and (iii) subsequently update the device to the latest device software via device settings or by visiting the device manufacturer’s website or by contacting the device manufacturer’s customer support center. For example, for iOS devices, visit Apple’s official website; for Google’s Nexus/Pixel devices, visit Google’s official website; and for Samsung devices, visit Samsung’s official website.

Rogue Access Point (Android and iOS)

A network threat is triggered when the device is connected to a rogue access point. An alert informs you that there may be an issue with a Wi-Fi network that you might be inclined to trust, so you can disconnect and take other precautionary actions. An attacker uses a rogue access point that can exploit a device vulnerability to connect to a previously known Wi-Fi network. Users will see previously connected wireless networks as available (e.g., a home wireless network showing as available at an unexpected location), or the device will automatically connect to one. If an attacker installs a rogue access point, the attacker is able to run various types of vulnerability scanners, and rather than having to be physically inside the organization, can attack remotely—perhaps from a reception area, adjacent building, car park, or with a high-gain antenna, even from several miles away. In the event a rogue access point network threat is reported, we would recommend disconnecting from the wireless network immediately, switching to a secure network, and changing the passwords of any online services accessed when connected to the rogue access point.

SSL Strip Network (Android and iOS)

An SSL strip alert means that the webpages you are viewing may not be secure. For example, an attack will force users to visit webpages over HTTP instead of HTTPS, which helps an attacker intercept usernames and passwords in clear text. A network threat is reported if an attacker performs an SSL strip attack via a rogue or compromised access point. In the event an SSL strip network threat is reported, we would recommend disconnecting from the wireless network immediately and changing the passwords of the online services accessed when connected to the network.

Suspicious Android App (Android)

It is possible to download from a legitimate source an app that is unsafe or deliberately designed to infect users’ devices. A device threat is reported when you attempt to install a malicious app. If a malicious app is preinstalled on the device, then the malicious app will be detected after a complete device scan. In the event a suspicious Android app threat detection is reported, delete the downloaded file or uninstall the detected Android app.

System Tampering (Android and iOS)

System tampering is the process of removing security limitations enforced by the device manufacturer. As a result, the device is fully compromised and can no longer be trusted. For example, system tampering is detected when an end user roots an Android device or jailbreaks an iOS device. With a system tampering threat alert, it is recommended that (i) you back up any sensitive data, (ii) restore the device to the original factory settings via device settings, and (iii) subsequently update the device to the latest device software via device settings or by visiting the device manufacturer’s website or by contacting the device manufacturer’s customer support center. For example, for iOS devices, visit Apple’s official website; for Google’s Nexus/Pixel devices, visit Google’s official website; and for Samsung devices, visit Samsung’s official website.

SELinux Disabled (Android)

Security-Enhanced Linux (SELinux) is a security feature in the operating system that helps maintain the integrity of the operating system via an implementation of a mandatory access control mechanism. If SELinux has been disabled, the integrity of the operating system may be compromised and should be addressed immediately. When a “SELinux is disabled” device threat is observed, it is recommended that you back up any sensitive data, restore the device to the original factory settings via device settings, and subsequently update the device to the latest device software via device settings or by visiting the device manufacturer’s website. For example, for iOS devices, visit Apple’s official website; for Google’s Nexus/Pixel devices, visit Google’s official website; and for Samsung devices, visit Samsung’s official website.

Unsecure Wi-Fi (Android and iOS)

Most users of unsecure Wi-Fi networks assume that online activity is protected, but most publicly available Wi-Fi networks lack adequate security protections for users. The City of New York wants to help you mitigate the risks of using public/open Wi-Fi networks. A network threat is reported when the device is connected to an open/public wireless network that doesn’t require a wireless encryption (e.g., WPA, WPA2) password. Connecting to an unsecured network exposes your phone and the information you transmit to a potential attack by an unauthorized party. When an unsecured Wi-Fi network threat is detected, it is recommended that you disconnect and switch to a secure network with encryption capabilities that will prompt you for a password.

Developer Option (Android)

Developer Options is an advanced configuration option intended for development purposes only. Activating this feature makes your device vulnerable to attacks. When enabled, the user has the option to change advanced settings, compromising the integrity of the device settings. In the event you observe a “Developer Options enabled” device threat, we recommend disabling the Developer Options via device settings.

Device Encryption (Android)

A device threat event is reported when the data encryption on the device is not enabled. Device encryption is enabled by default on Android 6 and above. Device encryption is disabled on older Android versions. In the event an “encryption not enabled” device threat is observed, we recommend enabling device encryption via device settings. On iOS, turning on a PIN or password will enable device encryption. On Android, it’s under Settings > Security > Encrypt Device.

Device PIN Not Enabled (Android and iOS)

A device threat is reported when the device is not set up to use a PIN and/or password, the first line of defense for your phone. If you receive this alert, it is because you have not established a PIN, and you most certainly should, to control access to the device. On iOS devices, this is also used as a seed to encrypt the device data. If such a device threat is reported, it is highly recommended that you set up a PIN/access code via device settings.

Stagefright Vulnerability (Android only)

In a Stagefright attack, an attacker sends a link or an MMS to an end user. Opening the link will exploit the media server-related vulnerabilities on the device. This will help an attacker gain remote code execution privileges on the user's device. A Stagefright vulnerability detection event will let us know if the device is vulnerable to a Stagefright attack by looking into the OS version and patch level. A Stagefright vulnerability threat means your current OS version has critical security risks. A Stagefright vulnerability can be addressed by updating your device to the latest operating system. If this alert is observed on a device that does not allow you to be on the latest OS version, it is recommended that you replace the device.

Download Apps from Unknown Sources (Android only)

App stores make a concerted effort to vet apps before they are available for download. Allowing the installation of apps from unknown sources is a bad idea. A device threat is reported when the user allows installation of apps from unknown sources (i.e., non-Google Play store apps). Google puts apps through security checks before they are uploaded to the Google store. The device is therefore at risk from malicious apps that do not go through security checks. It is recommended that you disable the “download apps from unknown sources” options in the device settings.

USB Debugging Mode (Android only)

By enabling this setting, you open your phone up to a host of security issues. USB debugging is an advanced configuration intended for development purposes. With USB debugging enabled, a device can be accessed and controlled by someone other than you, will accept commands, files, etc., from a computer when plugged into a USB connection, and allows the computer to pull crucial information like log files from the device. The device is put at risk when, for example, you need to plug your phone into an unfamiliar USB port, like a public charging station. In theory, if someone had access to the charging station, that person could use USB debugging to effectively steal private information from the device or push some sort of malware onto it. It is recommended that you disable USB debugging mode via device settings.
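Several of the Android device alerts above (SELinux Disabled, Developer Option, USB Debugging Mode, Download Apps from Unknown Sources, Device Encryption) correspond to values an administrator can read from a device with standard Android commands. The following is an added example, not code from the NYC Secure app or its developer; the key=value snapshot format, the sample data, and the function names are assumptions made for illustration.

```python
# Audits a constructed Android settings snapshot against device alerts named in
# this FAQ. Assumed input: key=value lines saved from these `adb shell` commands:
#   getenforce                                        (stored as selinux=...)
#   settings get global development_settings_enabled
#   settings get global adb_enabled
#   settings get secure install_non_market_apps
#   getprop ro.crypto.state

# Constructed sample, not captured from a real device.
SAMPLE = """\
selinux=Permissive
development_settings_enabled=1
adb_enabled=1
install_non_market_apps=0
ro.crypto.state=unencrypted
"""

# FAQ alert name -> (snapshot key, the only value treated as safe).
# Assumption: Permissive SELinux is flagged too, since it logs but does not enforce.
CHECKS = {
    "SELinux Disabled": ("selinux", "enforcing"),
    "Developer Option": ("development_settings_enabled", "0"),
    "USB Debugging Mode": ("adb_enabled", "0"),
    "Download Apps from Unknown Sources": ("install_non_market_apps", "0"),
    "Device Encryption": ("ro.crypto.state", "encrypted"),
}

def parse_snapshot(text):
    """Return {key: lowercased value} for every key=value line."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip().lower()
    return values

def audit(text):
    """Map each alert name to 'ok', 'alert', or 'unknown' (value missing)."""
    values = parse_snapshot(text)
    result = {}
    for alert, (key, safe) in CHECKS.items():
        seen = values.get(key)
        # `settings get` prints "null" for a key that has no value on the device.
        if seen in (None, "", "null"):
            result[alert] = "unknown"
        else:
            result[alert] = "ok" if seen == safe else "alert"
    return result

if __name__ == "__main__":
    for alert, status in audit(SAMPLE).items():
        print(f"{status:8} {alert}")
```

An "unknown" result means the value was absent from the snapshot, so it should be checked in the device settings rather than read as safe.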

Why should I install the app? While mobile phones do provide some security features like PINs and lock codes, most do not come with security software to detect threats or vulnerabilities. Your mobile phone has many entry points that need to be protected, such as your camera, access to apps, and your location information. The NYC Secure app provides critical information and directions on what to do if your phone is at risk of compromise.