As smart phones start resembling full-fledged computers, cybersecurity researchers say it’s only a matter of time until digital criminals redirect their spyware schemes from PCs to the moving targets in our pockets. When that assault begins, those researchers say it may come in through the front door: the app store.
At two recent cybersecurity conferences, researchers demonstrated applications designed to show just how much personal data a rogue smart phone app could access. Though companies like Apple, RIM and Google say they filter those programs for spam and malware, researchers argue it may be all too easy to slip a data collection function into an otherwise innocent-seeming app.
At the Black Hat conference in early February, Nicolas Seriot, a cybersecurity researcher at the Swiss University of Applied Sciences, showed off a proof-of-concept app that probes the depths of personal information on Apple’s iPhone. His program, called Spyphone, can pick up information ranging from a user’s contact list and phone numbers and e-mail addresses to location via wi-fi networks and GPS, functions that he says could easily be tucked behind a game or another innocuous facade.
“You don’t want to use a device where the Breakout game you’re playing is secretly accessing and modifying your address book,” says Seriot.
Days later at the Shmoocon security conference, Veracode security researcher Tyler Shields showed off a similar trick for a BlackBerry, using an app he’d written called TXSBBSpy that can monitor calls, text messages, Web browsing history and even activate the device’s microphone. “Imagine a free voice recorder app,” says Shields. “If they’ve implemented the microphone function, they can listen to whatever they want and exfiltrate the audio data.”
There’s no doubt, Shields says, that phones are still much safer from spying software than PCs, which allow software to be installed from any source, often invisibly, as in the case of “drive-by downloads” by infected Web pages or booby-trapped e-mail attachments. But the wide privileges given to phone apps still create exploitable vulnerabilities in devices, says Shields.
As the app store model spreads beyond phones to devices like Apple’s iPad, surreptitious data collection techniques could start to creep into some apps. “There’s really no transparency and a false sense of security,” says Shields.
The threat of spying app store programs is mostly theoretical, but researchers cite a few early instances of the scheme. In September of last year iPhone users told French blog Mac4Ever that a traffic-monitoring application called MogoRoad surreptitiously grabbed their phone numbers and called the users to try to persuade them to upgrade the free software to a paid version. Just two months later, iPhone users filed a class-action lawsuit against game developer Storm8, whose software was collecting their phone numbers. Storm8 later claimed that it had only taken the numbers to identify specific devices, and it removed the feature.
In January Finnish security firm F-Secure warned that a collection of banking applications in Android’s app store may have hidden password-stealing code. The apps, written by a developer known as 09Droid, advertised themselves as interfaces for dozens of different banks, but did little more than open the banks’ Web sites, while gaining access to whatever information the user entered.
F-Secure couldn’t determine whether the apps had actually been used to steal information, but Google removed the applications from the app store, and several banks sent their customers warnings about the unauthorized programs.
An Apple spokesperson wrote in a statement that the company “takes security very seriously,” and thoroughly reviews every app, along with “the identities of every developer” and will remove apps and ban developers if they’re found to be “malicious.”
A Google spokeswoman said in an e-mail that Google doesn’t review applications before they’re added to its Android Market, but takes them down if they violate its policies. She added that users are prompted with requests for permission to gain access to the phone’s features like location or Internet access, which they can accept or deny.
Google’s looser marketplace approach means that Android may be the most prone to app store exploits, says Neil MacDonald, an analyst with tech research firm Gartner. He argues in a recent blog post that app stores should be analyzing applications’ code for exploits before they’re made available to the public. “It becomes a reactive model,” he says. “Can’t we catch this stuff proactively before something happens?”
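The proactive review MacDonald asks for can start with something far simpler than full code analysis: checking whether the capabilities an app requests make sense for what it claims to be. The following is an added example, not code from the article or from any app store, showing a pre-publication triage pass over the kinds of mismatches the researchers above describe (a game that reads the address book, a voice recorder that also wants a network connection). The app records are constructed sample data, the permission names follow Android's naming convention, and the policy table of which categories need which capabilities is an assumption, not any real store's policy.

```python
"""Pre-publication permission triage for app store submissions (added example).

Flags submissions whose requested capabilities are hard to justify for their
declared category, and separately flags the pairing the article warns about:
access to personal data plus a channel to send it off the device.
"""

# Capabilities each declared category plausibly needs. This table is an
# assumption standing in for a store's real review policy.
EXPECTED = {
    "game": set(),
    "voice_recorder": {"RECORD_AUDIO"},
    "navigation": {"ACCESS_FINE_LOCATION", "INTERNET"},
    "banking": {"INTERNET"},
}

# Capabilities that expose personal data; unexpected ones are findings on their own.
SENSITIVE = {
    "READ_CONTACTS", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
    "READ_PHONE_STATE", "READ_SMS",
}

# Capabilities that give an app a way to move data off the device.
EXFIL_CHANNELS = {"INTERNET", "SEND_SMS"}


def triage(app):
    """Return a sorted list of human-readable findings for one submission.

    app is a dict with "name", "category" and "permissions" keys.
    """
    category = app["category"]
    requested = set(app["permissions"])
    expected = EXPECTED.get(category, set())

    sensitive = requested & SENSITIVE
    unexpected_sensitive = sensitive - expected
    channels = requested & EXFIL_CHANNELS
    unexpected_channels = channels - expected

    findings = [f"{perm} not expected for a {category} app"
                for perm in sorted(unexpected_sensitive)]

    # The article's two shapes of concern: a capability the category legitimately
    # needs (the recorder's microphone) paired with a channel it does not, or a
    # capability it does not need (the game's address book) paired with any channel.
    if sensitive and unexpected_channels:
        findings.append("sensitive access combined with an outbound channel the "
                        "category does not need (" + ", ".join(sorted(unexpected_channels))
                        + "): possible exfiltration, manual review required")
    elif unexpected_sensitive and channels:
        findings.append("unexpected sensitive access combined with an outbound channel ("
                        + ", ".join(sorted(channels)) + "): manual review required")
    return findings


def review_queue(apps):
    """Map each submission's name to its findings; empty list means no flags."""
    return {app["name"]: triage(app) for app in apps}


# Constructed sample submissions modelled on the scenarios in the article.
SAMPLE_SUBMISSIONS = [
    {"name": "Breakout Clone", "category": "game",
     "permissions": ["READ_CONTACTS", "INTERNET"]},
    {"name": "Free Recorder", "category": "voice_recorder",
     "permissions": ["RECORD_AUDIO", "INTERNET"]},
    {"name": "Route Finder", "category": "navigation",
     "permissions": ["ACCESS_FINE_LOCATION", "INTERNET", "READ_PHONE_STATE"]},
    {"name": "Bank Mirror", "category": "banking",
     "permissions": ["INTERNET"]},
    {"name": "Solitaire", "category": "game", "permissions": []},
]


if __name__ == "__main__":
    for name, findings in review_queue(SAMPLE_SUBMISSIONS).items():
        print(("FLAG" if findings else "ok  "), name)
        for finding in findings:
            print("      -", finding)
```

The "Bank Mirror" entry passes with no findings, which is the caveat worth keeping in mind: a permission check catches capability mismatches, not an app like the 09Droid ones that only needs network access to open a bank's site and watch what the user types. Those need identity and brand verification of the developer, which is a separate review step.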
For now, there are likely too many operating systems for any single app store to be an attractive target for stealthy malicious software, MacDonald says. But he warns that the iPhone, RIM and Android platforms may eventually gain enough market share to make them more profitable venues for hackers. The problem: Google, RIM and Apple are more interested in accumulating large numbers of applications than in properly vetting them, he says.
“It’s easier to downplay the issue than to slow the number of applications being introduced,” says MacDonald. “It may take something bad happening before these app stores take notice.”