How safe is your app?

Security loopholes in mobile apps threaten user privacy.

By Christine Greyvenstein, ITWeb journalist.
Johannesburg, 09 May 2013
A graduate from the University of California identified security flaws in about 120 000 free apps collected from the Android marketplace.

Research by the University of California has revealed that various apps developed for Android smartphones have security flaws that could jeopardise user privacy.

The security flaws were identified by graduate student Dennis Xu, who collected about 120 000 free apps from the Android marketplace.

"The programs were left vulnerable because their developers inadvertently left parts of the code public that should have been locked up," Xu said.

The researchers have submitted a paper on the study to the Systems, Programming, Languages and Applications: Software for Humanity 2013 conference, to be held in Indianapolis, in the US, this October.

Security consultant for SpiderLabs at Trustwave, Philip Pieterse, says local mobile users are exposed to the same threats as users abroad. "Because of chip and PIN being implemented, it is a lot more difficult for credit cards to be cloned. So the criminals are focusing on 'card-not-present' environments, like e-commerce and mobile."

Pieterse adds that mobile users who browse to a malicious Web site can have their apps, as well as their entire mobile device, compromised, leaving the device wide open to be controlled by the attacker. "Another method is to upload a malicious application directly onto the relevant applications stores, and then get users to download these apps."

Justin Lee, country manager at Blue Coat Systems, says most mobile attacks fall into the social engineering category. "Users are tricked into thinking that they want the app, so they'll download it. We find that most people are so keen to get the app installed and to start using it that they don't stop and actually look at what the app is requesting access to."

He says that certain apps request access to the calendar, contacts and location, to which most users blindly agree.

Lee adds that the most common way for hackers to gain access to personal data is simply ripping an existing app and repackaging it with a malware payload, and then offering it on a site other than the main/official app store.

He says that this is, however, not an easy task. "Only advanced attackers, APT groups and high-end cyber criminals are likely to do it.

"Another common attack involves a rogue app that goes after other data on the phone. Many apps do not adequately protect sensitive data, so if a rogue app can get to it, it's easy to read it," notes Lee.

Implications

Pieterse says there are various problems with apps being hacked. "The attacker could gain access to all your confidential information, for example your login credentials of your bank or Facebook. Another attack that is very popular is reverse SMS billing - this is when the victim gets billed for the SMSes that the attackers send."

Justin Lee, country manager at Blue Coat Systems, warns mobile users not to jailbreak their devices as it leaves them open to attackers.

Lee adds that Apple and Google tighten restrictions and close holes in their channels on a regular basis. He also warns that these protections are a good reason to think twice about "jailbreaking" a phone. "Jailbreaking your phone may give you unrestricted access to free and paid applications, but these free/unrestricted apps are most certainly not guaranteed to be safe."

Pieterse says the hacking of apps also poses a threat to enterprises, as a compromised mobile device could grant attackers access to the enterprise network.

"This could also be true in the case of BYOD, as a device might be compromised already, so the attack could bypass all the security measures that the enterprise has in place, for example firewalls."

Lee says an enterprise attack would have to be highly motivated. "It comes down to how important or valuable the information is that someone is after and what they are willing to pay a cyber criminal to get the information. We then step into a very dangerous world of targeted attack vectors that could use malware, spyware or modified mobile applications to get it."

Pieterse says apps need to be properly vetted before they become available. "Malware detection on mobile phones is becoming more essential. Users can also apply the same rules that there are for when you normally browse the Internet, and that is don't open e-mails you don't know and don't click on any strange links."

Lee urges mobile users to only download apps from an official source. "If you're really paranoid then you want something to help keep an eye on traffic, and spot changes and anomalies of how the apps communicate. Organisations and individuals should not only worry about securing the device, but also securing the content that goes to and from the device's applications."