Phonemageddon. Some in the security industry have been predicting it for the last few years. It’s the theory that one day you’ll turn on your cell phone, there’ll be an animated dancing koala bear where your operating system logo used to be, and all of your data, contacts, and passwords will be in the hands of hackers. As the story goes, it’ll be a malicious application that will be the smartphone’s undoing, similar to how viruses and trojans infect PCs today.
However, a much more likely path to infection has to do with security mistakes that mobile phone developers make when they build mobile applications. When developers create applications for iPhone, Android or BlackBerry, preventing potential security vulnerabilities takes a backseat to attracting users and time to market.
The question that is not heavily examined during this app gold rush is whether the apps themselves have vulnerabilities or holes. Not even Apple’s tightly controlled app store has the time, technology or motivation to look for vulnerable applications. The result is that even if you trust the application developer, the application might have unintended holes that create a pathway for hackers.
Mobile phones are an attractive target: they process logins for our bank accounts, have access to a ton of bandwidth (creating mobile botnet potential), and hold information just as enticing as a PC does. Even more interesting is that they are a real gateway into enterprises: if somebody wrests control of your mobile phone, they might parlay it into accessing enterprise servers that trust the device.
Hands-down, the motivation to attack is high, but why (so far) have there been few takers? The business model of Apple has pushed the company to tightly control the app store. This means that Apple knows the identity of application writers and is doing at least some rudimentary checks to make sure the application isn’t the next Zeus (a Trojan horse that has infected more than 3 million PCs in the United States).
On the Android side, things are a little more wild-west, and the model depends on users making good decisions about the permissions they grant to apps. While there is some oversight by Apple and Google, it focuses on guarding against malicious applications; neither platform tries to address the potential vulnerabilities that may be lurking in legitimate applications, even those from trusted companies.
We got a glimpse into the state of mobile application security quality when a forensics company recently did an analysis of some of the most popular mobile applications from several large companies (mostly financial institutions).
They found that passwords and financial data were often stored in clear text on the phones, that sensitive transactions were unencrypted, and that there was a general lack of security hygiene in handling data. Beyond mishandling data though, these applications might contain vulnerabilities that could allow an attacker to get remote access to applications and gain control of the phone.
An application that helps organise SMS messages, for example, might be vulnerable to the king of all vulnerabilities: the buffer overflow, a problem that plagues applications written in the C language. Apple applications are written in a variation of C (called Objective-C), and Android apps suffer from the same issues. Even the operating system itself has been vulnerable to these types of problems in the past. In 2009 a security researcher found a vulnerability in Apple’s iOS 3.0 and was able to take control of the phone by sending a malicious SMS (Apple issued an update to address the problem shortly after it was demonstrated).
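To make the SMS-organising example concrete, here is an added illustration that is not from the original article: a constructed C routine that files an incoming message into a fixed-size record, first in its unbounded strcpy form and then with the length check that keeps an over-long body from running past the buffer. The record layout, the field sizes and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record layout for a hypothetical SMS-organising app. */
#define SENDER_MAX 16
#define BODY_MAX   161   /* 160-character single-segment SMS plus NUL */

struct sms_record {
    char sender[SENDER_MAX];
    char body[BODY_MAX];
};

/* Vulnerable version: strcpy copies until it meets a NUL byte and never
 * looks at the destination size. A body longer than 160 characters, which
 * concatenated-SMS reassembly can easily deliver, overwrites whatever sits
 * after 'body' in memory. Shown for contrast only. */
int store_sms_unsafe(struct sms_record *rec, const char *sender, const char *body)
{
    strcpy(rec->sender, sender);
    strcpy(rec->body, body);
    return 0;
}

/* Hardened version: measure first, then copy only if the text fits with
 * room for the terminating NUL. Inputs are assumed NUL-terminated by the
 * caller. Returns 0 on success, -1 when the message is rejected. */
int store_sms_safe(struct sms_record *rec, const char *sender, const char *body)
{
    size_t slen = strlen(sender);
    size_t blen = strlen(body);
    if (slen >= SENDER_MAX || blen >= BODY_MAX)
        return -1;                     /* refuse rather than truncate silently */
    memcpy(rec->sender, sender, slen + 1);
    memcpy(rec->body, body, blen + 1);
    return 0;
}

/* Constructed over-long input: writes n bytes of 'A' plus a NUL into out,
 * which must hold at least n + 1 bytes. */
void make_long_body(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '\0';
}
```

A real receiver would also carry an explicit length alongside the bytes instead of trusting a NUL terminator, since the same trust problem applies to strlen on data that arrived over the air.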
These indicators have pushed businesses to start focusing on enterprise defence strategies in a world where employee-owned mobile devices are storming into the workplace. In a recent survey conducted by RSA Conference, the world’s largest information security conference, ninety-three per cent of security professionals said they believe mobile devices pose a security threat to their organisation. Protecting against weaknesses introduced by insecure applications from trusted providers is one of the biggest open questions. From a defence perspective, it is critical for enterprise security professionals to keep up to date with the latest threats and to educate their employees about the importance of updating their applications and phone operating system.
Whenever you install a mobile application you get both utility and risk; today we focus exclusively on evaluating utility. We need more security researchers focused on evaluating the security quality of third-party apps so that users (and enterprises) can make informed choices about the applications they install. More importantly, it will change the economics and incentivise companies to build more secure mobile applications.