CMMS | April 22, 2026 | 8 min read

Is Your Subscribed Software Safe? Two Red Flags to Watch For

By Chang

Most of us subscribe to software without stopping to ask whether it is actually safe. You trust it with logins, customer information, work orders, sometimes even payment details. The good news is that you don't need to be a security expert to spot the biggest warning signs. Two simple checks, both of which take under two minutes, will tell you a lot about whether the software you rely on is handling your data responsibly.

This guide walks through two of the most common red flags to watch for. If the software you use fails either of them, it is worth raising the issue with your IT team or the vendor before entering any more sensitive information.

Red Flag 1: The Address Bar Shows HTTP, Not HTTPS

When you visit a website, your browser connects to a server somewhere on the internet. HTTPS means that connection is encrypted, so anything you type (passwords, work order details, customer records) is scrambled in transit and can only be read by the real server. HTTP is the older, unencrypted version. Everything you send travels as plain text that anyone on the same network can read.

You can check this yourself in seconds. Open the login page of the software and look at the address bar in your browser:

  • A small padlock icon next to the URL means the connection is encrypted.
  • The URL should begin with https://, not http://.
  • Chrome, Edge, Safari, and Firefox all show a visible "Not secure" warning in the address bar if the site is unencrypted. If you see that warning, treat it seriously.

[Illustration: network traffic being intercepted over an insecure HTTP connection]

What Attackers Can Do When the Connection Is Plain HTTP

An unencrypted connection isn't just a theoretical risk. Here is what someone with bad intentions can actually do if they are on the same network as you, for example at a cafe, a hotel lobby, or a conference venue:

  • Sniff your password. Anyone sharing the Wi-Fi can passively capture everything you type, including your login credentials.
  • Hijack your session. After you log in, your browser stores a session cookie. Over HTTP, that cookie can be copied and replayed by an attacker to impersonate you without ever needing your password.
  • Inject malicious content. An attacker sitting between you and the server can modify the page you see. They can insert a fake login form, swap buttons, or inject scripts that steal data.
  • Tamper with data silently. Numbers, text, or file uploads can be changed in transit without you noticing.
  • Impersonate the server. HTTP has no way of proving that the server on the other end is really who it claims to be. You might be sending everything to an imposter.

This matters for almost any software you use day to day. Anything you type into a site running over HTTP, including your password, can be read by other people on the same network. Encryption is not optional for software in 2026. It is the minimum standard.
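The two points above that a reader can actually verify on a captured response are the scheme in the address bar and whether the session cookie is allowed to travel over plain HTTP. The script below is an added example written for this post, not code from the original article or the vendor: it takes a login URL and the response headers and reports the transport-level red flags (plain HTTP, no HSTS header, session cookies without the Secure or HttpOnly flag). The hostname cmms.example and the header values are constructed.

```python
"""Audit a vendor login page for the plain-HTTP red flag.

Added example; not part of the original post. It inspects a URL plus the
response headers of the login page and reports the transport-level
problems that let a same-network attacker read passwords or replay a
session cookie. All sample values in this file are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def audit_login_page(url, headers):
    """Return a list of findings; an empty list means no red flag was seen.

    `headers` maps response header names to values (matched without regard
    to case). Set-Cookie may hold several cookies separated by newlines,
    the way a captured response with repeated Set-Cookie headers would.
    """
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    scheme = urlparse(url).scheme.lower()

    # Red flag 1 from the post: the connection itself is unencrypted.
    if scheme != "https":
        findings.append(
            "plain HTTP: passwords and form data travel as readable text")

    # HSTS tells the browser never to fall back to HTTP for this host.
    # Without it, a first visit typed as http:// is exposed before the
    # redirect to https:// ever happens.
    if scheme == "https" and "strict-transport-security" not in lower:
        findings.append(
            "no Strict-Transport-Security header: browser may still try HTTP")

    # A session cookie without the Secure flag is sent over HTTP as well,
    # which is exactly what the session-hijack scenario in the post needs.
    # HttpOnly keeps injected scripts from reading it.
    for raw in lower.get("set-cookie", "").splitlines():
        if not raw.strip():
            continue
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name!r} lacks the Secure flag")
            if not morsel["httponly"]:
                findings.append(f"cookie {name!r} lacks the HttpOnly flag")
    return findings


if __name__ == "__main__":
    # Live check of a real login page: python audit.py https://host/login
    import sys
    import urllib.request

    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"
    with urllib.request.urlopen(target, timeout=10) as resp:
        # geturl() is the final URL after redirects; a redirect from
        # http:// to https:// still leaves the first request in the clear.
        hdrs = {"set-cookie": "\n".join(resp.headers.get_all("Set-Cookie") or [])}
        hdrs.update({k: v for k, v in resp.headers.items()
                     if k.lower() != "set-cookie"})
        for finding in audit_login_page(resp.geturl(), hdrs) or [
                "no transport red flags found"]:
            print(finding)
```

Run it against a login page you are entitled to test; anything it prints is a question for the vendor, and the first finding ("plain HTTP") is the one the post says should stop you from typing a password at all.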

Red Flag 2: The Vendor Tells You to Install a Custom APK

An APK is the file format for Android apps. Normally, you install apps from the Google Play Store, which scans them for malware, verifies the publisher, and enforces rules about what an app can do. A custom APK is an app file that a vendor sends you directly, outside of Google Play, and asks you to install manually. This is called sideloading.

You will recognise this situation if:

  • The vendor emails you an .apk file or a download link from their own website.
  • The installation instructions ask you to enable "Install from unknown sources" or "Install unknown apps" on your Android device.
  • Their mobile app cannot be found on the Google Play Store or the Apple App Store.

[Illustration: an unverified APK file being sideloaded onto a smartphone]

Sideloading a business app from an unverified source is risky for several concrete reasons:

  • No malware scanning. Google Play Protect, which automatically scans apps on the Play Store, never sees a sideloaded APK. If the file is infected, nothing catches it.
  • No publisher verification. The Play Store requires developer identity checks. A custom APK skips all of that. You have no guarantee the file came from who it claims to be from.
  • Silent self-updates. Sideloaded apps can update themselves in the background without any outside review. A harmless first version can turn into something very different a month later.
  • Dangerous permissions without scrutiny. Custom APKs can request accessibility access, device administrator rights, SMS access, or background location with far less friction than a Play Store listing, and those permissions can be seriously abused.
  • Hard to revoke trust. If the vendor is compromised later or the app turns out to be malicious, uninstalling alone often is not enough. You may need to do a full device audit.

A legitimate software vendor has better options available to them:

  • Publish the mobile app on the Google Play Store and the Apple App Store, so you can install it normally.
  • Offer a progressive web app (a website that works like an app) that runs in your browser with no install required.

If a vendor insists you install a custom APK instead of either of these, it is reasonable to ask why.

A Two-Minute Safety Check You Can Do Today

You don't need any tools beyond your browser and your phone. Run through this short list for any software you rely on:

  • Open the login page. Confirm the URL starts with https:// and shows the padlock icon.
  • Search the vendor's app name on Google Play and the Apple App Store. Confirm a real listing exists, with a real publisher name and real user reviews.
  • Never enable "Install from unknown sources" for a business app. If a vendor asks you to, treat it as a serious warning sign.
  • If anything looks off, pause and raise it with your IT team, or ask the vendor to explain their security approach before you keep using the product.
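Red Flag 2 and the app-store item of the checklist above both come down to one question: did this app arrive through Google Play or was it sideloaded? Android records the installing package for every app, and `adb shell pm list packages -3 -i` prints third-party packages with their installer. The script below is an added example written for this post, not code from the original article or any vendor: it parses that output and lists every app whose installer is not a store you trust. The sample output is constructed; the package names com.vendor.cmms and com.example.filemanager are placeholders.

```python
"""Find sideloaded apps on an Android device from `pm list packages` output.

Added example, not part of the original post. Feed it the text printed by
`adb shell pm list packages -3 -i` (third-party packages with their
installer) and it returns the packages that did not come from a trusted
store. SAMPLE_PM_OUTPUT below is constructed, not a real device dump.
"""
import re

# Installer package name recorded for apps installed from Google Play.
PLAY_STORE = "com.android.vending"

# One line of `pm list packages -i` output looks like:
#   package:com.android.chrome  installer=com.android.vending
_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def find_sideloaded(pm_output, trusted_installers=frozenset({PLAY_STORE})):
    """Return {package: installer} for apps not installed via a trusted store.

    `installer=null` means no installer was recorded, which is what a
    manually installed APK looks like. An installer that is itself some
    other app (a file manager, a vendor's own downloader) is just as
    suspect: nothing in that path did the scanning Google Play would do.
    """
    suspect = {}
    for line in pm_output.splitlines():
        match = _LINE.match(line.strip())
        if not match:
            continue  # blank line or a format we do not recognise
        pkg, installer = match.group("pkg"), match.group("installer")
        if installer not in trusted_installers:
            suspect[pkg] = installer
    return suspect


# Constructed sample of what the adb command prints. Two entries came from
# Google Play; the CMMS app was installed by hand (no installer recorded)
# and one app was installed by a file-manager app rather than a store.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.vendor.cmms  installer=null
package:com.example.sideloaded  installer=com.example.filemanager
package:com.bank.app  installer=com.android.vending
"""


if __name__ == "__main__":
    # Live run against a connected device with USB debugging enabled.
    import subprocess

    output = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True).stdout
    for pkg, installer in find_sideloaded(output).items():
        print(f"{pkg}: installed by {installer}, not by Google Play")
```

If you use a device with a second legitimate store (for example a manufacturer's own store), pass its installer package name in `trusted_installers`; anything still listed afterwards is an app that bypassed store scanning and publisher verification, which is the situation the post tells you to question.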

Why Two Minutes of Checking Is Worth It

Software safety isn't only about what happens inside the product. It also shows up in how the product is delivered to you. An encrypted connection and a properly published mobile app are the absolute baseline, not advanced features. If a vendor cannot clear that bar, they almost certainly have not done the harder work behind the scenes either.

These two checks cost you nothing, take under two minutes, and protect you from the most common and most preventable categories of software risk. The next time you log in somewhere or install a new app, take a look at the address bar and the app store first. Your future self will thank you.
