Hey, have you seen the newest game app, “Fox and the Flipflop?” Your kids will love it. A conversation like this with a relative, colleague, friend, or acquaintance, a word-of-mouth endorsement of a new game app, has us all scurrying to download it to our devices.
Now, we’re all sharp individuals, we’re reading this in a security blog for heaven’s sake, and we know to only download from trusted and verifiable sites.
We’re all good, right?
Maybe. Maybe not.
Security in Applications
Those who build applications can give themselves a head start in doing it right by following the recommendations of the Open Web Application Security Project (OWASP). OWASP published their top ten application security concerns, which are:
- Improper platform usage
- Insecure data storage
- Insecure communication
- Insecure authentication
- Insufficient cryptography
- Insecure authorization
- Client code quality
- Code tampering
- Reverse engineering
- Extraneous functionality
Without diving into the intricacies of each, suffice it to say that an application developer who has these guidelines in hand and implements them will have a more secure application, when compared to those who simply “build.”
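An added example, not part of the original post and not OWASP's or Google's own tooling: a small manifest triage script that maps a handful of Android manifest settings onto the categories listed above (and onto the later point about knowing which permissions an app asks for). The manifest it scans is a constructed sample, not a real app.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not a real app) seeded with weak settings to find.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.foxflipflop">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.PRIVATE"/>
  </application>
</manifest>"""

# Permissions a user should consciously grant; SMS ties to the PHA "SMS fraud" class.
SENSITIVE = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
             "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION"}

def triage(manifest_xml):
    """Return (category, detail) findings, one per weak setting found."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID + "debuggable") == "true":
            findings.append(("Extraneous functionality", "debuggable build shipped"))
        if app.get(ANDROID + "allowBackup") == "true":
            findings.append(("Insecure data storage", "allowBackup exposes app data to adb backup"))
        if app.get(ANDROID + "usesCleartextTraffic") == "true":
            findings.append(("Insecure communication", "cleartext HTTP permitted"))
        # Components other apps can invoke with no permission guarding them.
        for comp in app:
            if comp.get(ANDROID + "exported") == "true" and comp.get(ANDROID + "permission") is None:
                findings.append(("Improper platform usage",
                                 f"{comp.tag} {comp.get(ANDROID + 'name')} exported unguarded"))
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID + "name")
        if name in SENSITIVE:
            findings.append(("Sensitive permission", name))
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_MANIFEST):
        print(f"[{category}] {detail}")
```

The exported-component check is a prompt for review rather than a verdict, since a launcher activity is legitimately exported; the point is that every finding should be a deliberate decision by the developer, not a default.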
And while we have apps for specific designated tasks, we also have those who build apps that find their way onto our devices with apparent legitimacy and then, during an update, attempt to slip in a hook to malware embedded in that update.
In 2015, researchers at the University of Indiana developed VETFAST, a means of detecting unknown malice within 10 seconds, and in doing so drove innovation in the app review process. Good for them, good for the industry.
As positive an event as it was, it didn’t stop malware from finding its way into apps. Criminals and the unscrupulous successfully infiltrated the development stage. In the well documented incident of a “phony iOS codex” being used by app development shops, users found that what looked like beautiful apps carried payloads. Clearly, putting code into the app during development, without the app creator’s knowledge, is what made the 2015 compromise of the iOS codex so effective.
Now, to their credit, Google does try to police its Google Play store and, according to its Android Security Report, is making good progress in keeping people safe from “Potentially Harmful Apps (PHAs).”
How many PHAs are coming out of the Google Play store? Pretty close to zero. “By the end of 2016, only 0.05 percent of devices that downloaded apps exclusively from [Google] Play contained a PHA.”
In mid-October, Google announced the Google Play Security Reward Program, a bug bounty program for their Play store which will be a collaboration with bug bounty portal, HackerOne, focused on finding bugs in apps offered by the Play store.
What types of malware are hitting Android devices? Google tells us there are a great many varieties, which its security team’s classification categorizes as:
- Commercial spyware
- Data collection
- Denial of service
- Hostile downloader
- Mobile billing fraud
- SMS fraud
- Call fraud
- Toll fraud
- Non-Android threats
- Privilege escalation
Google is transparent about what constitutes an unacceptable threat or operation within a given app. Similarly, Apple has a rigorous review of applications coming out of the Apple Store. In its guidelines to developers, Apple lays out the various areas that are inspected, and adjudicated, before an app is allowed to be posted for download within its store.
It seems every year we are reading about information being harvested from various applications that reside on our devices. And then there is the phenomenon of our privacy settings being reset when an operating system upgrade occurs. There is no rhyme or reason; it just happens from time to time, and you, the user, may be stuck with an inadvertent exposure due to default permissions.
Clearly knowing what you are authorizing an application to access on your device is of paramount importance.
And for those who are collecting information, transparency is of equal importance. Otherwise, your app may be the ticket to litigation if your stated policies do not match the manner in which the app operates.
Such was the case for one company that found itself embroiled in a class action claiming that 40 of its apps were surreptitiously harvesting the personal identifying information of users from their smartphones while the users (children) played online games, specifically challenging compliance with the “Children’s Online Privacy Protection Act.” Knowing what is inside the app, even if it is a third party’s code for marketing purposes, and how it operates, is of equal importance.
In sum: whether you are developing or using apps, it behooves you to know how they operate on your device and to ensure that what is being shared is what is expected. For users, confine downloading and installing apps to trusted sources.
About Christopher Burgess
Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).