


App Store-Aided Mobile Attacks
Trailrunner7 sends along a ThreatPost.com piece that begins "The pace of innovation on mobile phones and other smart wireless devices has accelerated greatly in the last few years. ... But now the attackers are beginning to outstrip the good guys on mobile platforms, developing innovative new attacks and methods for stealing data that rival anything seen on the desktop, experts say. This particular attack vector — introducing malicious or Trojaned applications into mobile app stores — has the potential to become a very serious problem, researchers say. Tyler Shields, a security researcher at Veracode who developed a proof-of-concept spyware application for the BlackBerry earlier this year, said that the way app stores are set up and their relative lack of safeguards makes them soft targets for attackers. ... 'There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,' Shields said. 'From the attacker's standpoint, it's too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I've done, it's super scary.'"
I've always wondered (Score:2, Insightful)
I guess I wasn't the only person who thought of that.
Open Store, Open Door... (Score:5, Insightful)
As much as we hate Apple's walled-garden approach to an app store, having a central authority with a kill switch for any app, plus limited multitasking ability, plus developers tied to using the app store's preferred programming language and tools are all things that stand in the way of a would-be trojan spyware author. As Apple claims, jailbreaking your iPhone could allow "the enemy" to do what they want with it, and that could crush poor little American Telegraph and Telephone Co.'s network.
Google touts openness, and Microsoft touts the power of a free-market of commercial software, both of which provide nice benefits to the consumer, but also to the hacker who wants to compromise user privacy. Has anybody looked into the Facebook apps on these platforms?
That was a close call (Score:5, Insightful)
Wow. I was going to download some apps from one of those app stores. I can't believe I nearly exposed my phone to something even more dangerous than anything on my PC. In future, I am going to just limit myself to downloading whacky screensavers for my Windows system, because that is totally unlike downloading an app for my phone.
Seriously, I can't believe the gall of those attention-seeking media whores who call themselves security experts. Years after we have been able to download applications for phones, some nitwit finally realises that one of those apps could be harmful. All they have to do is blow the danger out of all proportion and wait for the stupid media to lap up the story.
"But this time it is different - instead of downloading the app from a website, you get them from an app store!" Yeah, right.
Starting at $59.99 (Score:2, Insightful)
Norton AntiVirus: iPhone edition.
Re:That was a close call (Score:1, Insightful)
"But this time it is different - instead of downloading the app from a website, you get them from an app store!" Yeah, right.
But it is different; because of perception. People think "Oh, the Apple App store; everything here has been thoroughly vetted by Apple and given the thumbs-up" when in reality, the vetting process is: "does it crash? does it look like it does what it says?" and maaaybe: "are there any obvious hooks into user data that the stated purpose of the App doesn't need?" Almost assuredly nothing that checks for obfuscated code,
Re:I like the yum "app store" (Score:4, Insightful)
They already sign the code, some of the app stores even require business documents before you're allowed to put anything up.
Having source is a plus but this is commercial software we're talking about, you don't have the source for the 2 things you mentioned, Reader and Flash. Besides that, having the source isn't guaranteed to protect you, companies have been obfuscating the hell out of source code for a while now. All they really need to do is get users to install the binary first, and then it's a waiting game to see if anyone actually reads the source and finds the evil lines, if they ever do. By then, millions of users have installed the app or the updated app (the first version doesn't need to be malicious) and had their info stolen, etc.
Re:That was a close call (Score:2, Insightful)
The real power behind the Apple vetting process has nothing to do with what Apple does, it's what Apple has: Your bank routing #, social, full name, address...and yes, they have all this of mine.
So if a fly-by-night app store that lets anyone submit apps without any process and may not collect this information for all app submitters has an app with a virus - they remove it. Apple could quite possibly notify the authorities of your location.
I'm not saying Apple's vetting process is foolproof, or that this would stop all attacks, but by collecting this information you're a lot more likely to be able to hold people accountable for crap they do than otherwise.
Just my $0.02.
Re:This is why Android could take over the market. (Score:4, Insightful)
It comes down to if you cannot see the source don't trust it.
And that's not even counting the second issue: how do you verify that the source code you are reading actually corresponds with the executable your computer is going to run? If you download both source and executable, it could be that the source is clean, but the executable contains a back door. Even if you compile the source code yourself, it could be that the code exploits a bug (or backdoor) in your compiler to implement behavior different from what the source code indicates.
Re:Open Store, Open Door... (Score:3, Insightful)
The only way the three systems you mentioned would detect a rogue package update, would be from open-source coders reviewing the original codebase. Maintainers don't often examine code -- often, they are even incapable of it.
So what do you get when that update comes from (A) a closed-source application, or (B) a solo-programmed OSS project? You get hell, that's what you get.
Also, a bit of perspective. The last I heard (years ago), Debian had 17,000 packages. How many do you think the iPhone has?
On the App Store, Wikipedia says: [wikipedia.org] As of April 8, 2010, there are at least 185,000 third-party applications officially available on the App Store, with over 4 billion total downloads.
It's not nearly as simple a situation as you make it to be.
Perhaps this will evolve into something beneficial (Score:5, Insightful)
I agree with the poster that the economics of attacks is definitely in favor of the Trojan vs. the technical attack. It's scary how many people install junk on their computers, and it's not getting any better. Even I do it sometimes without knowing 100% who's behind some utility or patch that I want. This is the approach that pays off easy too. Why bother trying to sneak into their box when the users will install your bug for you?
In nature though, some of these parasites actually evolve into beneficial bugs. They take their little bit, but they also do some extra bit for the host. Both sides win, this is symbiosis. Imagine that the SETI@home also defragmented your disks or optimized performance somehow in exchange for running on your system, same thing.
Now consider for a second that Conficker patched some security holes after entering the host system....Isn't it doing some little bit of good? Not wanting it on my box, just showing how Conficker's security is also beneficial to the host machine. Their goals align... Consider also, how do Google's goals align with mine when I use online Docs?
I think there will be a real blending here. Trojans will get more beneficial and less intrusive, people will tolerate them because they do something useful, and a new class of free (as in beer) software will evolve.
Re:That was a close call (Score:3, Insightful)
Re:That was a close call (Score:5, Insightful)
That is bullshit. They not only check for malware, they even check for privacy violations and use of unfinished APIs that may break in a future OS release. The whole app platform was designed for approvals.
You can't say iPhone is doing it wrong because it's not open on one day and then say it's just as vulnerable to malware as Android the next. We know Apple is not as vulnerable because they have not had any malware through 2 years of a billion downloads and over 200,000 apps, while Android Market has served malware with significantly fewer apps and downloads. And most of Apple's users do not know WTF "malware" is, which is why they do it this way.
Clearly unfair to Apple (Score:5, Insightful)
You can't tell me how wrong Apple is for having a closed store with strict app approvals and how other mobile makers will outdo Apple with their open stores and then write a malware-scare article about how app stores are too open and lump Apple in with everyone else. It's one or the other. Everyone else has Java apps you can install from the Web and Apple has C apps you can't.
Apple has an actual record here. They've been malware-free 100% for 2 years, 200,000 apps, over 1 billion downloads, with consumer users who don't know what malware is, doing 1-click installs.
How you can write an article like this saying "app stores should be more closed" and not mention Apple's is closed is beyond me.
And there has been no native malware on iPhone. Also bullshit.
And although Apple may not strictly guarantee zero malware, they are actively policing every app. To pretend that's like having no cops, as on the other platforms, is ridiculous.
Awful article. Just fucking awful. Do some fucking research!
Re:iPhone Banker Trojan? (Score:4, Insightful)
Yeah, this entire story is kind of supporting Steve Jobs' obsessive control of the closed App Store. My iPhone has no viruses.
It does have Plants vs. Zombies, though.
Re:I like the yum "app store" (Score:5, Insightful)
Well, FWIW, it is kind of hard to do much damage if the app can't run in the background due to lack of multithreading.
No, I don't have an iPhone, iPod, or iPad. I am just getting tired of the same old tirades from both sides.
Re:On blackberry? Not so much (Score:1, Insightful)
Any app on the blackberry requires user intervention before it's allowed to fetch URLs, open raw sockets, read email, dial the phone, get your location, manipulate the address book, or do any other damned thing. [...] It actually seems much less vulnerable to trojans and spyware than a PC.
That does not mean much for a trojan. A trojan could masquerade as some tool or game that 'needs' access to all of these, and the Trojan user would happily grant it those rights.
Re:iPhone Banker Trojan? (Score:3, Insightful)
Yeah, there has been some poaching of the bit of info that apps can tap into. I know Apple tightened up on that though and there's a lot less that an app can get at.
There's no doubt that the App Store gatekeepers are a necessary evil. Hopefully they do just enough and not a bit more in keeping bad apps out and still allowing good apps in.
Re:This is why Android could take over the market. (Score:3, Insightful)
It comes down to if you cannot see the source don't trust it.
And when is the last time you looked at every single line of code for a major open-source application and made sure that it was totally and completely safe? Do you just use them, assuming that someone else [developer.com] did it for you [developer.com]?
The fact is that we all trust the developers at some point, it doesn't matter if it is open or closed source. At least with a major author they have a physical presence, buildings, investors, publicly traded, cash in the bank. If they do something underhanded you have stuff you can go after. In open source yeah you have code that people can look at but you also have the possibility of some anonymous person who works a sneaky backdoor into the code. Then when it all goes kablooey there's no one whose feet can be held to the fire.
I'm not saying that either closed or open source is better than the other, just that both have many good and bad points. You can't automatically assume that open source is better. Either way it helps to have safeguards in place, like an app review process and the ability to quickly remove malware from devices.
Re:Clearly unfair to Apple (Score:5, Insightful)
My guess: there's a rather popular hate-the-leader bandwagon among certain geeks. You see this on Reddit a lot, where anything critical of the iPhone or iPad gets modded up immediately whether it's insightful or not.
This author is probably part of that bandwagon, desperately trying to stitch together a premise (open app stores are an opportunity for trojans) and an incorrect conclusion (fear the iPhone!) with no logical connection. Why else use App Store like a proper noun in the title, knowing full well that most people will immediately assume the iPhone/iPad App Store?
Anyone who's owned a Mac a long time and constantly been lectured by their PC-using friends that "Macs are just as susceptible to viruses" even though no one gets viruses on their Macs while PCs are like leper colonies for malware knows this full well.
Re:That was a close call (Score:1, Insightful)
FUD