New cybersecurity threat: smartphone apps that do more than what they say they do


A large proportion of applications contain third-party code with the capability to interact with sensitive data in a way that may not be apparent to users or developers. Apple reviews its applications before accepting them into its App Store, but even that is not foolproof when it comes to detecting erroneous or malicious components within apps, which might end up collecting or storing information that has nothing to do with the intended usage case of the app.

Like on PCs, the danger of trojan apps grows // Source: pc1news.com

Citigroup’s revelation that its iPhone banking app came with a security glitch may have been bad news for the bank’s customers, but it was good news for a
group whose mission is to educate consumers and developers about the
vulnerabilities in smartphone apps.

Citigroup informed its customers that its iPhone app was saving customer account information in hidden files on users’ smartphones and computers and told them to upgrade to a new version of the app that
deletes any information that might have been saved to iPhones or PCs.

Monica Alleven writes in Wireless Week that this week, executives at mobile security firm Lookout are at the Black Hat conference in Las Vegas to share what they found — a similar
vulnerability that affects Android. Lookout’s chief technology officer
and one of its founders, Kevin Mahaffey, says Citigroup did a good job
of being proactive and catching the iPhone app glitch before it
wreaked havoc.

Apple reviews its applications before accepting them into its App Store, but even that is not foolproof when it comes to detecting erroneous or malicious components within apps, which might end up
collecting or storing information that has nothing to do with the
intended usage case of the app. Mahaffey refers to an example of a
15-year-old developer who was able to put a tethering app inside a
flashlight app unbeknownst to Apple or AT&T, which charges more
for tethering.

“If there’s anything we’ve learned, it’s that vulnerabilities happen,” he says. “It’s great that Citibank was ahead of the problem. Finding out from them and using it as a learning experience is a success.”

Alleven notes that Lookout has started what it calls its App Genome Project, whereby it has scanned 300,000 free apps and done a deep analysis on 100,000 of them to gain insight into what apps are doing once they are on devices and to understand if “bad things are happening in the wild,” Mahaffey says. The company is developing automated tools to make the process easier.

The project has found that apps on Android are generally less likely than applications on iPhone to be capable of accessing a person’s contact list or retrieving their location, with 29 percent of free
applications on Android having the ability to access a user’s location,
compared with 33 percent of free applications on iPhone. Additionally,
nearly twice as many free applications have the capability to access
people’s contact data on iPhone (14 percent) as compared to Android
(8 percent).

The App Genome Project also found that a large proportion of applications contain third-party code with the capability to interact with sensitive data in a way that may not be apparent to users or
developers. The third-party code is generally for advertising or
analytics. The project found that 47 percent of free Android apps
included this third-party code, while that number is just 23 percent on
iPhone. Lookout says third-party code is difficult to globally update
and creates potential for a cross platform vulnerability.
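As an added example (not Lookout's App Genome tooling, which the article does not show), the following Python triage routine checks the two things the article measures for a single Android package: whether the manifest requests location or contacts access, and whether the class list contains bundled third-party code, which runs with the same permissions as the host app. The manifest, class list and the third-party package prefixes are constructed placeholders; the Android permission names are real.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions mapped to the capability categories the
# App Genome Project reports on (location, contacts).
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
}

# Java package prefixes treated as embedded ad/analytics code.
# Constructed placeholders, not the names of any real SDK.
THIRD_PARTY_PREFIXES = ("com.example.adsdk.", "com.example.analytics.")


def sensitive_capabilities(manifest_xml):
    """Return the set of sensitive capability categories the manifest requests."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name", "")
        if name in SENSITIVE_PERMISSIONS:
            caps.add(SENSITIVE_PERMISSIONS[name])
    return caps


def third_party_classes(class_names):
    """Return the classes (e.g. from a DEX class listing) that belong to bundled third-party code."""
    return sorted(c for c in class_names if c.startswith(THIRD_PARTY_PREFIXES))


def triage(manifest_xml, class_names):
    """Flag apps where third-party code shares a process with sensitive permissions."""
    caps = sensitive_capabilities(manifest_xml)
    tp = third_party_classes(class_names)
    return {"capabilities": caps, "third_party_classes": tp,
            "third_party_can_reach_sensitive_data": bool(caps and tp)}


# Constructed sample: a flashlight app that also requests location and bundles an ad SDK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_CLASSES = ["com.example.flashlight.MainActivity", "com.example.adsdk.AdLoader"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

The check is a static heuristic: it shows which data a bundled library could reach, not what it actually does with it.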

Mahaffey says the Genome Project is separate from what Lookout offers in terms of products, which include an app that an end-user can download and use to determine whether an app is a “good” app or one subject to security vulnerabilities that shouldn’t be used. The company has not released an iPhone version of the product yet but is expected to do so.

Lookout was founded in 2007 by John Hering, James Burgess and Mahaffey. The San Francisco-based company has about thirty employees and recently announced it has more than one million registered users for its smartphone security app.
