App Store-Aided Mobile Attacks
Trailrunner7 sends along a ThreatPost.com piece that begins "The pace of innovation on mobile phones and other smart wireless devices has accelerated greatly in the last few years. ... But now the attackers are beginning to outstrip the good guys on mobile platforms, developing innovative new attacks and methods for stealing data that rival anything seen on the desktop, experts say. This particular attack vector — introducing malicious or Trojaned applications into mobile app stores — has the potential to become a very serious problem, researchers say. Tyler Shields, a security researcher at Veracode who developed a proof-of-concept spyware application for the BlackBerry earlier this year, said that the way app stores are set up and their relative lack of safeguards makes them soft targets for attackers. ... 'There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,' Shields said. 'From the attacker's standpoint, it's too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I've done, it's super scary.'"
I like the yum "app store" (Score:4, Interesting)
All the packages are signed and I can rebuild anything I want from scratch.
Adobe uses it to update Flash and Reader on my systems, they don't need to support an update installer.
I have no doubt that the same type of system can serve palmtop systems well.
there's only one way (and it's imperfect) (Score:1, Interesting)
Do not run software for which a sufficient number of trusted parties cannot examine its source.
Yes, maybe most people haven't the know-how to examine it. But that doesn't matter - what matters is simply that enough people *do* who have no vested interest in jacking your machine. With enough eyes, malicious code will often be spotted.
I say often because even that isn't foolproof, it's just better than the alternative of "blind trust in the app developer".
Maintaining control of your own machine using a network of human trust is the only way, short of writing your OS yourself. And surely giving control of your machine to unknown parties without such trust is a bad idea.
Oh, and diversity of ecosystems helps as well. Monocultures are inherently dangerous.
Re:Open Store, Open Door... (Score:4, Interesting)
Perhaps, but if you cast your net a little wider, you'll realise that the main thing required is a viable process. Autocratic centralised control is just one of a number of different and equally effective means of managing security for end users. Debian, Ubuntu, Fedora and countless other community-maintained repositories have historically sustained a commendable level of security in their vast software collections. They've built up so much trust, in fact, that the trust itself has become a peculiar kind of strength [imagicity.com].
Re:Starting at $59.99 (Score:3, Interesting)
Norton AntiVirus: iPhone edition.
Symantec Endpoint Protection, iPhone Edition has scanned its own jail space and found no viruses. Would you like to enable real-time protection (until you close the SEP iPhone Edition App)?
Re:iPhone Banker Trojan? (Score:3, Interesting)
Well, this isn't quite as serious as Bank Trojans, but Storm8 [inquisitr.com] is infamous for stealing phone numbers from their customers. And this is with the all-mighty App Store in place.
Re:I've always wondered (Score:2, Interesting)
That would still limit you to userland exploits, but it would definitely allow some malicious code to be injected through a server request that could access phonebook/etc and then send it back home all without the naughty code ever existing in the application that was submitted to Apple.
This code would be all but invisible since the timebomb and malicious payload are controlled remotely.
It would be nice for someone in the know to weigh in about Apple's code execution security for appstore apps.
Re:Open Store, Open Door... (Score:5, Interesting)
Android has on-device security which lets the user know, in simple English, what the application will do ("can access your contacts", "uses services that cost you money (SMS, makes phone calls)", "will access the internet") so when you download a fart application that wants access to your contacts and to the internet you have to figure out something isn't right.
But that isn't so useful as Apple's walled garden approach has forgone local security in favour of gateway only security, once you've gotten past the censors you have a free rein. Enterprises have known for some time that gateway only security is a complete and utter failure. You need both gateway and local security, which Android provides both although the gateway security is entirely voluntary (but enabled by default).
There have already been data miners for the iPhone that have gotten past Apple's ever watchful censors including at least one fake banking application (BOA, IIRC). This isn't including data miners like Arsebook.
Ultimately gateway and local security is preferred for end users, one should have a choice whether to use the gateway or not but local security is an absolute must, especially on a mobile device. Despite how good you think your gateway is it is fundamentally flawed.
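The install-time permission check described in the comment above, as an added example that is not part of the original post: it reads the `uses-permission` entries from a manifest and reports permissions the app's stated purpose does not need, plus any pairing of a private-data permission with a channel that can send data out or cost money. The sample manifest, package name and `expected` set are constructed, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> the plain-English prompt quoted in the comment.
DATA_SOURCES = {
    "android.permission.READ_CONTACTS": "can access your contacts",
}
CHANNELS = {
    "android.permission.INTERNET": "will access the internet",
    "android.permission.SEND_SMS": "uses services that cost you money (SMS)",
    "android.permission.CALL_PHONE": "uses services that cost you money (calls)",
}

# Constructed manifest for a hypothetical novelty sound app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.noisemaker">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Noise Maker"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml.strip())
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review(manifest_xml, expected=frozenset()):
    """Return (unexpected, pairs).

    unexpected: requested permissions outside what the app's purpose needs.
    pairs: (data source, channel) combinations that allow data to leave.
    """
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(perms - set(expected))
    pairs = [(src, ch) for src in sorted(DATA_SOURCES)
             for ch in sorted(CHANNELS) if src in perms and ch in perms]
    return unexpected, pairs

if __name__ == "__main__":
    unexpected, pairs = review(SAMPLE_MANIFEST, {"android.permission.VIBRATE"})
    for perm in unexpected:
        print("not needed for stated purpose:", perm)
    for src, ch in pairs:
        print("review:", DATA_SOURCES[src], "+", CHANNELS[ch])
```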
Re:This is why Android could take over the market. (Score:3, Interesting)
As was already mentioned, it's about having a security process. This can be implemented regardless of openness.
If more open "stores", such as Android or Maemo/MeeGo or Debian or whatever don't yet have as rigorous a process as Apple, they should get busy of course.
Regarding any discrepancy between source and binary, you should obviously just upload the source to the store and have the store build the binary.
Re:iPhone Banker Trojan? (Score:3, Interesting)