Wednesday, December 18, 2013

So much for app security!

I've always been extremely wary of smartphone apps, regarding all of them, without exception, as potential threats to security and privacy.  Far too many of them ask for permission to access and/or modify your location information, device settings, etc., when all you want them to do is one or two simple tasks.  I routinely reject upgrades when I discover them asking for more rights than the app already has, and I'm in the process of deleting most of the pre-loaded apps that came with my phone (a Samsung Galaxy Note II Android phablet).

My suspicions have been confirmed by two recent articles in the Telegraph.  In the first, published last week, we learn that "Four in five top Android and iOS apps 'have been hacked'."

78 percent of the top 100 paid Android and iOS apps have been hacked, with 100 per cent of the top paid Android apps and 56 per cent of the top 100 paid iOS apps found to be compromised.

. . .

Hackers also continue to target free apps, with 73 per cent of free Android apps and 53 per cent of free iOS apps found to be hacked in 2013.

. . .

The widespread use of 'cracked' apps represents a real danger for both individuals and companies, given the explosion of smartphone and tablet use in the workplace and home, according to Arxan.

Cracked mobile apps create the potential for massive revenue loss, unauthorised access to critical data, intellectual property theft, fraud, altered user experience and brand damage.

. . .

Mobile financial apps were found to be particularly at-risk, because users trust them with essential data such as bank account numbers and passwords. Arxan discovered that 53 percent of the Android financial apps it reviewed had been cracked while 23 percent of the iOS financial apps were hacked variants.

There's more at the link.

To add to my discomfort, today another article claimed that an Android botnet is secretly forwarding SMS to China and North Korea.

The software, which is being called MisoSMS, infects Android devices by pretending to be a settings app called “Google Vx”. Once it is in place it then asks for administrative rights and, if granted, steals the contents of SMS and sends them to a third party.

In a post on its blog, security firm FireEye ... claims that many of the email addresses which receive the SMS are being accessed from mainland China and Korea. The company has worked with law enforcement agencies to get the email accounts shut down and says there is no evidence yet of new accounts springing-up in their place.

Again, more at the link.

Oddly, if one looks for so-called 'app killer' or 'task killer' software, one often encounters advice not to use it.  I presume that on the surface, this is because one might shut down an app that's important to the functioning of one's smartphone:  but I can't help wondering whether such messages aren't also propagated by app developers, who want to continue harvesting information from users without interruption.  Personally, I'm going to be killing and deleting every app I don't use on a regular basis - and even the latter will be scanned with a jaundiced eye if they ask for permissions they don't need.  For example, why would a book-reading app want the right to send back to its servers information about my physical location?  It's none of the app's business!

Would any computer security experts among my readers like to comment on the advisability (or otherwise) of shutting down and deleting any app one isn't using regularly, or that appears overly intrusive in asking for access to information?  Also, why (do you think) doesn't Google give Android users the right to refuse specific permissions to an app, rather than have to accept or reject all its requests in one fell swoop?  The former seems like a worthwhile security upgrade to me.
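As an added illustration of the "check what each app asks for" habit described above (example code written for this page, not taken from the post, the Telegraph articles, or any vendor mentioned): a small Python script that parses a constructed dump in the style of `adb shell dumpsys package <pkg>` output and flags apps that request permissions outside a baseline for what that kind of app plausibly needs. The package names, the purpose labels, the baselines and the sample dump are all assumptions made for the example; on an Android of the era described, the permission list is only shown at install time, so a dump like this is the practical way to review what an already-installed app holds.

```python
"""Flag Android apps whose requested permissions exceed what their job needs.

Added example, not code from the post. The input format is a simplified,
constructed imitation of `adb shell dumpsys package <pkg>` output: a
"Package [name]" header, then "requested permissions:" and/or
"install permissions:" blocks listing android.permission.* names.
"""
import re
from collections import defaultdict

# Permissions that map directly to the harms the post discusses:
# location harvesting, SMS theft (the MisoSMS description), contact scraping.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}

# Hypothetical baselines: what an app of each purpose plausibly needs.
EXPECTED = {
    "ebook_reader": {"android.permission.INTERNET",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
    "maps": {"android.permission.INTERNET",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"},
    "settings_tool": {"android.permission.WRITE_SETTINGS"},
}

# Constructed sample dump (hypothetical package names).
SAMPLE_DUMP = """\
Package [com.example.ebookreader] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.WRITE_EXTERNAL_STORAGE
    android.permission.ACCESS_FINE_LOCATION
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: installed=true
Package [com.example.maps] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
    android.permission.ACCESS_FINE_LOCATION
Package [com.example.fakesettings] (7a8b9c):
  requested permissions:
    android.permission.READ_SMS
    android.permission.SEND_SMS
    android.permission.INTERNET
"""

# Which purpose each package claims to serve (assumed, e.g. from its store listing).
PURPOSES = {
    "com.example.ebookreader": "ebook_reader",
    "com.example.maps": "maps",
    "com.example.fakesettings": "settings_tool",
}

PERM_SECTIONS = ("requested permissions:", "install permissions:")


def parse_dumpsys(text):
    """Return {package: set(permission names)} from a dumpsys-style dump."""
    apps = defaultdict(set)
    current, in_perms = None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:
            current, in_perms = header.group(1), False
            apps[current]  # register the package even if it lists nothing
            continue
        if line in PERM_SECTIONS:
            in_perms = True
        elif line.endswith(":"):
            in_perms = False  # some other indented block begins
        elif in_perms and current and line.startswith("android.permission."):
            # "install permissions" lines look like "perm: granted=true"
            apps[current].add(line.split(":")[0].strip())
    return dict(apps)


def audit(apps, purposes):
    """Return {package: {"unexpected": set, "high_risk": set}} for apps that
    request anything outside the baseline for their declared purpose."""
    findings = {}
    for pkg, perms in apps.items():
        baseline = EXPECTED.get(purposes.get(pkg), set())
        unexpected = perms - baseline
        if unexpected:
            findings[pkg] = {"unexpected": unexpected,
                             "high_risk": unexpected & HIGH_RISK}
    return findings


if __name__ == "__main__":
    for pkg, f in audit(parse_dumpsys(SAMPLE_DUMP), PURPOSES).items():
        tag = "HIGH RISK" if f["high_risk"] else "review"
        print(f"{pkg}: {tag}: {sorted(f['unexpected'])}")
```

Run against a real device, the dump would come from `adb shell dumpsys package <pkg>` for each package listed by `adb shell pm list packages`; the baselines are the part a practitioner has to decide for themselves, and the script's value is in making the comparison explicit rather than eyeballing a permissions screen.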



Old NFO said...

I've got an iPhone, but only run minimal apps and NO financial stuff ever goes through the phone.

Anonymous said...

The article in question appears to be conflating (intentionally or not, I can't tell) a "cracked" app meaning "the app you chose to run on your device is compromised" with a "cracked" app as in "unofficial, pirated release akin to 'warez' on a regular PC".

The former would certainly be a concern, but for 50-75% of the apps in the official app stores (Google Play or Apple App Store) to be compromised in that manner, it would require those top-tier developers themselves to have been hacked, the application signing keys to have been stolen (at least for iOS; I don't recall if Android requires app signing), and the crackers to be submitting replacement versions of the app to the official stores in the name of the developer.

Alternatively, it would require that the user has downloaded some other application which has managed to break out of its "sandboxed" environment, past the phone's own built-in security, to target the top 100 applications' data.

In both of these cases, the scenarios are possible, but either scenario being applicable to 50-75% of the top applications in Apple's or Google's stores would be extremely unlikely.

On the other hand, having the apps "cracked" in a warez/piracy sense, where unofficial and altered versions are available for download on third-party markets (like the one the article refers to, Cydia), is a much more likely and believable thing. It's basic software piracy and has been around forever. To install such applications on an Android phone, one would need to activate the option to allow 3rd-party application installation (admittedly easy, but still requiring an affirmative step), and on iOS it requires jailbreaking the device, which is an even more involved procedure and not something you will accidentally do.

After you have done that, you still need to download and install the alternative market or individual application from the 3rd-party site, and then yes, you are installing applications that are outside whatever general security checks the official app store review processes have. In theory these apps are still restricted by the built-in OS security, but obviously the risk of exploiting flaws in that security is greater. This scenario seems to be the one the article is really talking about, both because it is the more believable scenario and because the quoted "security" firm specializes in and sells tamper-proofing, DRM and anti-piracy packages.

In this more likely case, you can protect yourself by following the same rules and advice that have been relevant for every computer since the dawn of personal computers. Only download and install software from the original and trusted source. If you see that "My Great Banking App" is available from "Mega Bank Corp" on the regular App Store and it's normally $10, and then you install a 3rd-party app store and see the very same app for free from "Mega Banking Corp", well, like the saying goes, "If it sounds too good to be true..."

Long comment short, the article appears to be intentionally inflammatory, using ambiguous terms to make you think that the banking app you download from the official Apple or Google store is compromised, when in reality they're saying that "popular applications are popular targets for piracy, and downloading pirated versions of applications might mean you're downloading a compromised version as well".