Research from Georgia Tech and Alcatel-Lucent disclosed gaping security holes in the developer support services both Apple and Google rely on to foster the creation and sale of hot new apps.
What’s worse, cybercriminals probing novel ways to infect mobile devices with malicious code, much as they do PCs, may be the least of consumers’ worries. Application developers, online advertising networks and social media sites may pose even bigger threats, experts at the Black Hat conference say.
These legitimate players in the nascent mobile app and ad space have distributed thousands of free apps designed to collect personal location data, contacts and calendar entries. In hot pursuit of mobile advertising revenue, they share that sensitive information indiscriminately among themselves.
“It’s just not malware we need to worry about; it’s also app developers requesting more personal information than they need to make the app work, and then selling that information to monetize their apps,” says Domingo Guerra, co-founder and president of mobile app security start-up Appthority.
The disclosures come as Apple, Google, Microsoft and BlackBerry hustle to entice software developers to create cool new apps for their respective mobile platforms — in a tumultuous business environment.
“Whenever a platform gets more popular and more attention, there’s higher motivation to try to take advantage because the chances for potential economic profit are higher,” says Billy Lau, a research scientist at the Georgia Tech Information Security Center.
Tech companies, app developers, ad networks and cybergangs are all responding to the same trend: global sales of smartphones and touch tablets have made the devices indispensable to people’s personal and professional lives.
More than 700 million of the 1.8 billion mobile phones expected to be sold in 2013 will be smartphones, compared with 680 million units in 2012, according to research firm Gartner. Meanwhile, researcher IDC estimates shipments of touch tablets will surpass PC sales by 2015.
In this heady environment, Apple has won praise from the security community for insisting that every new iOS app pass a strict review before it is approved for distribution through its tightly controlled App Store. It’s generally not possible to install non-approved apps on an iPhone or iPad without “jailbreaking” the device to gain access to the operating system.
However, Lau and GTISC associate director Paul Royal on Wednesday disclosed a way anyone can pose as a developer and abuse Apple’s app-approval process to install a malicious application on non-jailbroken iOS devices.
Lau and Royal fabricated an Apple mobile device charger from simple materials, then booby-trapped it so that the following sequence runs on any iPhone or iPad plugged into the bogus charger:
First, the fake charger immediately reads the device’s unique device identifier, known as the UDID, over the USB connection. Next, it logs on to Apple’s developer portal, submits the UDID and requests what’s known as a “provisioning profile” for that specific device.
Apple assumes the request comes from a developer registering a test device for a new app, so it issues the provisioning profile automatically; the only gate is that the request is made from an enrolled developer account, and the researchers’ point is that anyone can enroll.
With that profile, the charger can install an app that gives the attacker full control of the device. “Getting the UDID is trivial, and getting a provisioning profile is easy and automated,” Royal says.
Apple spokeswoman Natalie Kerris declined comment.
While the researchers’ booby-trapped charger was a crude prototype, a more refined version, disguised to look like an official iPad or iPhone charger, would be simple to fabricate. An attacker could then look for an opportunity to swap it for a targeted victim’s real charger.
Or it wouldn’t be difficult to plant fake chargers in public charging stations, like those found in many airports.
“The faked charger is actually a computer that can install things on your Apple device,” Lau says. “We’re almost certain this is going on in the wild. From an espionage standpoint, it’s naïve to assume this isn’t already going on.”
In another Black Hat presentation, Kevin McNamee, director of Alcatel-Lucent’s Kindsight Security Labs, showed how it’s possible to take any popular Android app being distributed online, inject code into it and repackage it so that the smartphone of anyone who downloads the tainted copy is turned into a spyphone.
The corrupted device transfers the phone’s location and contacts to the attacker, who can then send text messages luring others to download the tainted application, and even remotely operate the device to take photos and record conversations.
While Google goes to great lengths to keep malicious apps out of Google Play, its official application store, there is typically very little policing of the hundreds of other third-party websites that distribute Android apps under the search giant’s open business model.
“I do think the bad guys are doing something like this, injecting their malicious code into existing apps,” McNamee says. “It’s pretty straightforward. It requires the ability to unpackage and repackage apps. It’s not exceptionally tricky, but it does require some knowledge of how the Android system works.”
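The check a practitioner would apply to an app obtained from one of those third-party sites is to verify who signed it: a repackaged APK has been decompiled, modified and rebuilt, and because the repackager does not hold the original developer’s signing key, it must be re-signed with a different certificate even when the package name and version number are unchanged. The following is an added example, not code from Kindsight or from the presentation; it walks the v1 (JAR) signature block in META-INF/*.RSA, which is a DER-encoded PKCS#7 SignedData, pulls out the signer certificate and compares its SHA-256 fingerprint with a pinned value. The sample APKs and the PKCS#7 block are constructed in memory so the example runs offline, and the embedded “certificate” is an arbitrary DER SEQUENCE rather than a real X.509 certificate; on a real APK the fingerprint computed here matches the one `apksigner verify --print-certs` reports for the v1 signer. APKs carrying only v2/v3 signatures have no META-INF signature block and are rejected by this check.

```python
"""Pin the signer of an Android APK's v1 (JAR) signature block.

Added example: a repackaged app must be re-signed by the repackager, so the
signing certificate changes even though the app looks the same to the user.
"""
import hashlib
import io
import zipfile


def der_read(buf, pos):
    """Read one DER TLV at `pos`; return (tag, value, whole_tlv, next_pos)."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER")
    start = pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], buf[start:end], end


def der_children(value):
    """Yield (tag, value, whole_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, tlv, pos = der_read(value, pos)
        yield tag, val, tlv


def first_certificate(pkcs7):
    """Return the first certificate TLV inside a PKCS#7 SignedData blob."""
    _, content_info, _, _ = der_read(pkcs7, 0)            # ContentInfo ::= SEQUENCE
    children = list(der_children(content_info))
    if len(children) < 2 or children[0][0] != 0x06 or children[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")        # OID, then [0] EXPLICIT content
    _, signed_data, _, _ = der_read(children[1][1], 0)     # SignedData ::= SEQUENCE
    for tag, val, _ in der_children(signed_data):
        if tag == 0xA0:                                      # certificates [0] IMPLICIT SET OF
            cert_tag, _, cert_tlv, _ = der_read(val, 0)
            if cert_tag != 0x30:
                raise ValueError("unexpected certificate encoding")
            return cert_tlv
    raise ValueError("no certificate in signature block")


def signer_fingerprint(apk_bytes):
    """SHA-256 hex fingerprint of the signing certificate in the APK's v1 signature block."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = [n for n in zf.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("APK has no v1 signature block")
        return hashlib.sha256(first_certificate(zf.read(blocks[0]))).hexdigest()


def is_trusted_build(apk_bytes, pinned_fingerprint):
    """True only if the APK was signed with the developer's pinned certificate."""
    try:
        return signer_fingerprint(apk_bytes) == pinned_fingerprint
    except (ValueError, IndexError, zipfile.BadZipFile):
        return False                                         # unsigned, malformed or not an APK


# --- constructed sample data (not real certificates or real apps) -------------

def der_tlv(tag, value):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def fake_signature_block(cert_body):
    """Stand-in for META-INF/CERT.RSA: PKCS#7 SignedData wrapping a placeholder SEQUENCE."""
    oid_signed_data = der_tlv(0x06, bytes.fromhex("2A864886F70D010702"))   # 1.2.840.113549.1.7.2
    cert = der_tlv(0x30, der_tlv(0x0C, cert_body))                            # placeholder "certificate"
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                                                # version
        + der_tlv(0x31, b"")                                                  # digestAlgorithms (empty)
        + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010701")))   # encapContentInfo
        + der_tlv(0xA0, cert)                                                 # certificates [0]
        + der_tlv(0x31, b""))                                                 # signerInfos (empty)
    return der_tlv(0x30, oid_signed_data + der_tlv(0xA0, signed_data))


def build_apk(signature_block, dex=b"dex\n035\x00constructed"):
    """Minimal constructed APK: a zip with a dex payload and a v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/CERT.RSA", signature_block)
    return buf.getvalue()


ORIGINAL_APK = build_apk(fake_signature_block(b"example developer signing certificate"))
PINNED = signer_fingerprint(ORIGINAL_APK)          # the value a developer would publish and pin
REPACKAGED_APK = build_apk(fake_signature_block(b"repackager key"),
                           dex=b"dex\n035\x00constructed+injected")

if __name__ == "__main__":
    print("original :", is_trusted_build(ORIGINAL_APK, PINNED))      # True
    print("repackaged:", is_trusted_build(REPACKAGED_APK, PINNED))   # False
```

The comparison is on the certificate itself, not on the signature value, so it stays stable across the developer’s own releases while any rebuild by a third party fails the check; the same fingerprint can be pinned inside the app and compared with what the platform reports for the running package.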
Metrics from Juniper Networks, in fact, show that the number of malicious mobile apps in circulation is on a steep growth curve. Juniper intercepted 276,259 malicious mobile apps in the 12 months ending March 31, a 614% increase over the comparable year before.
That measure excludes the surge of legitimate apps that do not take full control of the device, as malicious apps do, but nonetheless freely tap into location, contacts and calendar information.
In an analysis of the 400 most popular free and paid apps on the iOS and Android platforms, Appthority found 83% of those apps are associated with security risks and privacy issues.
iOS apps exhibited more risky behaviors than Android apps: some 91% of iOS apps exhibit at least one risky behavior, compared with 80% of Android apps. One plausible explanation is that app developers and advertisers put a premium on profile information about Apple owners’ whereabouts, contacts and calendar entries, says Appthority’s Guerra.
Such nosy profiling is translating into waves of spam and obnoxious pop-up ads appearing on mobile devices. And security and privacy experts argue that it is also exposing proprietary business information, as workers increasingly use personally owned mobile devices for work duties.
“As consumers, we’re not yet thinking about our phones as computers, although they are,” Guerra says. “This really causes a lot of problems when you bring your own device — and your own apps — into the workplace and plug into corporate e-mail and networks to access information.”