Mobile apps: The new frontier for hacking your smartphone
Picture this: an application developer creates a popular new app, quickly gaining 500,000 user downloads and producing a decent amount of revenue (about $5,000 to $7,000 per month). Shortly afterward he is approached by someone interested in acquiring the application for $100,000, so he sells it and makes a profit; however, the buyer turns that same application into malware, and half a million users end up running a malware-infected application on their devices. What now?
This case is rare but it proves an important point — mobile security is a moving target and even though an app is safe today, that doesn’t mean it will be safe tomorrow. Take Telegram, for example. The well-known application promoted its “Secret Chat” function as a way for users to send end-to-end encrypted messages but it has been found lacking in multiple areas. By simulating an attack that gains permissions by running a kernel exploit, our research team was able to uncover and read Secret Chats written in plain-text in the process memory. Not so safe after all.
Any list of safe or unsafe apps is folly. While there are generalities — it’s reasonable to say that an app from a company you trust like Chase or Amazon is safe, or that an app like Evernote, with major investors and a well-known business model, is also safe — any app can be compromised. In fact, there are clones of the Evernote application out there that will give you unlimited storage for free, at the cost of your private data potentially being put up for sale on the black market. That’s why it’s so important for individuals and companies to implement guidelines and constant discipline to remain safe.
Not just apps, consider everything else
Applications aren’t the only things that can compromise your device. Hackers have three options for attacking a mobile device: the device itself, the network it connects to, and the applications it downloads. And many of us are at an unreasonable level of risk of attack. To put this into perspective, over the past year, our customers detected hundreds of thousands of threats. We found that 94 percent of Android devices were not running the latest software version available, and about a quarter (23 percent) of iOS devices were not running the latest software version. We also found that about 10 percent of all devices were attacked via their network connections (MiTM, SSL certificate attacks, etc.), which is a significant risk for companies with thousands of employees.
There are companies like BlackBerry, Microsoft, MobileIron and AirWatch that have worked hard to create secure containers so that developers can build secure apps. They work hard to encrypt data at rest on the device’s storage and in transit over the network, but the same issue still applies: if the container is safe but sits on a platform that has been compromised, there’s no security at that point. The common analogy I use for this is putting up great walls on a shoddy foundation: if your phone’s operating system (OS) is compromised, it doesn’t matter how safe the app is.
Constant discipline
Now, assuming your device, OS and network are all secure, there are some things to keep in mind about apps. The app economy is all about adding new, single-purpose apps. Apple’s trademarked slogan, “there’s an app for that,” holds true – you can find just about anything you need in the app store. However, when it comes to free apps, the developers and advertisers request, or otherwise obtain, access to the user’s location, photos, contacts, etc. in exchange for whatever service they provide.
Due to the constant need to create an app for every possible human need, imposter applications, or malicious apps that pretend to be popular programs, have also spurred an increase in attacks. For example, Pokemon Go was initially only available in a few countries, so as a work-around users began using third-party app stores to access the app. Hackers caught wind of this and created imposter apps loaded with spyware, remote access trojans and bots that gave cybercriminals complete control over users’ mobile devices.
Take Evernote (an app I trust, but a good example nonetheless): whenever I make a note in Evernote, it will automatically title it based on the current entry in my calendar. This is incredibly helpful when it comes to keeping myself organized, but it further demonstrates how much access to personal information we are willing to provide to our apps. We can’t control when an application has access to our information, so once we agree to allow it, the app has access to it indefinitely.
This is how the app stores are architected and it’s doubtful they will change anytime soon, especially with the goal of continuing to deliver a smooth, simple experience. So, it’s up to users to be aware about what apps they use. While there’s no hard and fast rule, here are some quick guidelines to keep in mind:
- Who is backing the app? If it’s from a major company or has great investors, it’s probably a safer bet.
- How many downloads? Even malicious apps can get 10,000-15,000 downloads. Look for apps with more than 1 million to be truly safe.
- What country is it from? Keep in mind there are organizations in Eastern Europe, Asia and elsewhere with a vested interest in cyber crime toward the USA.
- How long has it been on the market? The longer, the better.
What should companies do?
Unless you’re passionate about mobile security — and the average user typically isn’t — it’s hard to imagine every employee following these guidelines. Companies with sensitive data need to be able to detect whenever a corporate device downloads a malicious app, and revoke access to the device as soon as it happens. The combination of a mobile threat defense solution and user education is crucial to avoid compromising personal data.
The bottom line is that we’re living in an increasingly connected world, and businesses and individuals haven’t yet set up the necessary security measures to keep up with this change. As a result, mobile devices and the apps that live within them will continue to be the vehicle of choice for cyber criminals.
John Michelsen is the CTO at Zimperium, a company dedicated to mobile device security.