How safe are phone Apps?!
It seems like everyone uses a smart phone these days. Taking advantage of the many Apps available to use for convenience is something all of us have done. Some like to play games while waiting for a doctor’s appointment, some like to keep track of their travel expenses, some like to map where their next appointment is. The fact is if you have a need for something to make your life easier, there is probably and app for that. . Isn’t it funny though how the question that never enters our minds, even if for a brief second, is who made this App? Is it safe? Why do they need access to so many facets of the phone such as changing settings, access to the contact list, or Credit Card information? Think about it, the last time you downloaded an app, did you do any further research on it, or just see it was free and click accept. And reading the policy that you always click “accept” on…. Well forget about it.
After saying all of this, you may be wondering how big of a threat is really out there? What can happen and why? Here are some interesting statistics:
Research from Arxan determined that among the top paid and free mobile applications:
- 100% of the top 100 paid apps on the Google Android platform had been hacked
- 56% of the top 100 paid apps for Apple iOS had been hacked
- 73% of popular free apps on Android had been hacked
- 53% of popular free apps on Apple iOS had been hacked
ITunes has traditionally done a good job in testing its listed apps to see if there are any obvious security issues, but as you can see is only partially successful. Google Play has been a little more lapsed until recently and is now paying more attention to what it lets onto its store. Many of the threats take advantage of an aging phone, aging operating system, or a lack of the application updates being deployed. This is why anytime an update for Android or iOS or an update for the application is available it should be taken advantage of.
One example of a backdoor exploit was the Pcapd utility that was discovered as a diagnostics tool for Apple, but could be accessed by 3rd party software. Some more research found that the “diagnostic data” gathered by the Pcapd utility also included recent text messages, screen shot data of the last thing viewed, photo album pictures, notes, address book, GPS location among other data. Granted, this kind of Operating System Permission is needed to properly diagnose the phone, but it also allows access to all things personal, and if it is allowed for the good guys it can be abused by the bad guys. However, backdoors can be found in just about any device on the market and the general consensus is iOS based apps are safer due to Apple’s strict control of their software and Apple store.
One of the misconceptions is you can just use Anti-Malware apps and you are safe. This does not replace the need for caution. With an ever evolving base of threats being invented there are always new things to worry about. Anti-Malware software developers are always facing concerns with battery life, limited hardware resources, relatively limited sub layer OS access, and reliability concerns that are limiting how a successful Anti-Malware solution can be made. The plain fact that many exploit are unknown and cannot have a “cure” assigned to them until we know they are there.
So, how do you limit your exposure to such threats? One of the most effective ways to limit exposure to apps containing Malware is to always make sure to download apps from either the Google Play or Apple store. Another measure to take is to not Jail-break, or Root your phone, this can remove some safeguards in place built in by your phone’s manufacturer and can limit the ability of the phone to install updates to the core operating system. Many of the Apps that actually pose a threat take advantage of the features that are unlocked on a Jail-broken or Rooted device. Also, be sure to update your phone as much as allowed by the phone carrier because a large amount of vulnerabilities are patched with new Operating System updates. Pay attention to reviews of Apps. Make sure that the app is reputable through reviews and don’t sacrifice safety for being ahead of the curve. There will always be new things that bring new vulnerabilities, but you are not helpless. You can make your data a harder target. Always stay current with news released by either Android or Apple. Don’t rely on a news channel to break a story as they are very close to the last ones to know about any bleeding edge vulnerabilities or hot apps that are not so hot.
We will leave you with a parting thought. Sometimes the Malware carrying app is not even targeted towards you.
With a large increase in the amount of companies allowing their employees to bring their own devices to work and connect to internal networks or receive mail, attention has turned towards obtaining the info that is available through these avenues. A compromised phone on a corporate network can wreak havoc if the necessary safe guards are not in place. So, business owners, beware.
F1 Solutions
Security Team
