BBC Builds Smartphone Malware For Testing Purposes 60
siliconbits writes "BBC News has shown how straightforward it is to create a malicious application for a smartphone. Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset. The application was built using standard parts from the software toolkits that developers use to create programs for handsets. This makes malicious applications hard to spot, say experts, because useful programs will use the same functions."
Re:No defense (Score:4, Interesting)
Why does this remind me of Bonzi buddy?
I gave my sons their own computer when they were in elementary school. At the time, it was somewhat rare and they were excited by it. They had internet access which I vaguely watched... (meaning checking for porn) and all seemed well.
Keep in mind that I had NEVER had problems with pop-ups and malware or any of that before simply because I instinctively knew better as do many people here on slashdot. (Not many of us had to learn the hard way... we pretty much already knew... what? install this program to see the video? WE don't fall for that one... but many do!) So it didn't occur to me that my sons were not yet as skeptical as I.
So yeah... Bonzi buddy. They found this cute thing and installed it and it was fun for them to play with. It told jokes and they could type things in for it to say. Before long, the computer was doing things they didn't tell it to do. I remember the first time my younger son rushed downstairs to tell on his older brother for having naked pictures on the computer screen! The older followed behind closely and explained that they just started appearing out of nowhere! (Pop-ups! I had HEARD about them but never saw them before at the time!)
So I reloaded the machine, let them install Bonzi buddy again and before long it was happening again. Didn't take me long to realize what Bonzi buddy was up to. Sad part was that Bonzi buddy attracted kids and exploited them with along with the adults.
In short, there's nothing new or revolutionary in your idea. It has been done a lot already.
In fact, Microsoft did that too. They could have secured their OSes from being copied from the very beginning. Instead, they used piracy (free copying) as a means of distribution to choke out the competition. Then, once they achieved the "critical mass" their revealed secret documents spoke of, they started locking their software down more and more. It's not like free copying wasn't a problem from the beginning... it's just that it was also useful in the beginning and stopped being useful once their ends were achieved.
Re:No defense (Score:3, Interesting)
Apple's walled garden does nothing to prevent the kind of malware you described.
Getting hidden malicious functionality through the approval process would be a cinch.
Yep, even teenagers can get trojan apps past Apple's approval process [techtipsgeek.com].
Re:No defense (Score:4, Interesting)
How about requiring all software be written and approved and digitally signed by licensed engineers with legal responsibility.
That way, if malware gets in, you have someone to blame.
Pardon me for combining job protection with societal benefit :P... you know... like how doctors and lawyers do.
Sure it stifles open access... but at the benefit of quality and job protection...
Re:Fearmongering Bullshit... (Score:3, Interesting)
If it's not a company that you are comfortable trusting
To be fair, the BBC is one company that even a lot of skeptical, careful people would think they could trust. I don't have the app, so I'm not sure how it was listed, but if it said BBC, I could see how people would tend to trust it.
Absolutely, and that is a wonderful part of the system. If BBC actually released this application maliciously under their trusted name, and anyone found out what it was doing, then BBC would face a hailstorm of complaints, bad press, and lost trust. This would almost certainly affect its bottom line.
Users trust BBC precisely because they have a lot to lose by betraying that trust.
Re:Cannot rely on education as solution (Score:3, Interesting)
Instead, when a user opens an app they should be asked at the time of access to a resource if it's OK to access that resource. Now here I'm sure you start to be reminded of Vista UAC and innumerable "Are you sure" dialogs. But I don't mean every tine, I mean only once or twice and then the app is granted that permission permanently.
Yes it means that an app could potentially do something later on after being granted some permission. But it also would block a lot of obviously wrong things from working, like opening a media player and then being asked if it's OK to SMS a big ol' number you do not recognize.
You mentioned the shortcomings yourself; this wouldn't stop any serious malware author. They would either wait out whatever "trial period" you impose, or find a clever way [computerweekly.com] to masquerade their malice to seem innocent. With application models like these, you really can't beat around the bush, and solutions that try and mitigate will only find their limits probed, explored, and worked around.
If you have to rely on that, the system will not work. Users don't want to, and will not be "educated" to. They want to buy and use something. You can't make users do something they don't want to, any more than force everyone to carefully listen to the flight attendants on an airline explain the safety procedures beforehand.
Education isn't as impossible as you seem to think it is. It is a compromise between the vendors and the users. I'll use browsers as examples: you'll never get Joe Averageuser to validate SSL certificate roots of trust by clicking through dialogues. You will, however, get very far giving him a simple piece of advice, like check the color of the bar before you use a banking website [mozilla.com].
That is what phone OS's need to be designed to do (and they are, hence the "bullshit" in my title). They need to simplify the absurdly-complex system that is a mobile phone down to a manageable set of qualities that everyday users can handle and make intelligent decisions based on. You will always find your idiots, but smart OS / UI design can put the top 99% [wikipedia.org] of people in a position to make the right call, and that's very powerful.
Existing mobile phone UIs certainly have plenty of room to grow, but the vendors understand the psychological and intellectual landscape, and I believe strongly that they are moving in the right direction at a very respectable pace.
Re:That's the Apple iPhone development model (Score:3, Interesting)
You sign up for iPhone development and give them your name and address.
And I'm certain that Apple checks to make sure that those names and addresses are completely legit.
Of course, I also believe in the Easter Bunny.
A couple of years ago, I used one of my developer discounts to buy a machine for a co-worker. We had it shipped to his house. For the next six months, when I signed on, my account listed my first name and his last name.
Oh, but you can always look up the info? Here's a copy of Hitchhikers Guide to the Galaxy [apple.com] [Redirects to iTunes]. Go click on "Jeffrey Beyer Web Site." Hell, if Apple can't even catch things like that in their own store, I don't hold much stock in them being able to ferret out a clever hacker.
Re:That's the Apple iPhone development model (Score:3, Interesting)
And I'm certain that Apple checks to make sure that those names and addresses are completely legit.
Why is that so hard to believe?
If you are selling any app, they have to get bank contacts from you, and it cannot be just any bank - they have to support SWIFT codes, which means a pretty large bank. Between the two things Apple has a pretty good lock on who you are.
For free apps they do not require a bank account but they do verify your address.
A couple of years ago, I used one of my developer discounts to buy a machine for a co-worker. We had it shipped to his house. For the next six months, when I signed on, my account listed my first name and his last name.
Right, but they don't have the same degree of controls around developer accounts as they do iPhone developer accounts. It's a different level of checking (as in they actually do some). They take knowing who you are much more seriously.
Re:Is this going to be the new trend? (Score:3, Interesting)
On a computer you have can a firewall - you can't on a phone.
Also for Android, because googles stupid design, if an app wants to include adds it needs to have internet access. So everything wants to go on the internet.
What they should have done was have an OS module which returns the adds, so the app didn't need internet access.
Re:That's the Apple iPhone development model (Score:3, Interesting)
In addition to the bank checks that the other poster mentioned, you also have to supply them with tax information, and company incorporation documents if applicable. The process too a few weeks for us, and entailed a few phone calls and physical mail in both directions.
Apple certainly knew we were more than a made up name before we were allowed to upload our first app.
So maybe that easter bunny is more real than you originally thought.
Re:How it is news (Score:4, Interesting)
In many ways mobile phones are more secure than desktops. Sandboxes for apps, strong permissions schemes, app certification etc. But to counterbalance that, they have new facilities as standard that are more dangerous if compromised. Mobile phone charges, SMS, GPS, microphone, camera etc.