Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Cellphones Handhelds Security

App Store-Aided Mobile Attacks 186

Trailrunner7 sends along a ThreatPost.com piece that begins "The pace of innovation on mobile phones and other smart wireless devices has accelerated greatly in the last few years. ... But now the attackers are beginning to outstrip the good guys on mobile platforms, developing innovative new attacks and methods for stealing data that rival anything seen on the desktop, experts say. This particular attack vector — introducing malicious or Trojaned applications into mobile app stores — has the potential to become a very serious problem, researchers say. Tyler Shields, a security researcher at Veracode who developed a proof-of-concept spyware application for the BlackBerry earlier this year, said that the way app stores are set up and their relative lack of safeguards makes them soft targets for attackers. ... 'There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,' Shields said. 'From the attacker's standpoint, it's too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I've done, it's super scary.'"
This discussion has been archived. No new comments can be posted.

App Store-Aided Mobile Attacks

Comments Filter:
  • by FranTaylor ( 164577 ) on Monday May 17, 2010 @11:40PM (#32248686)

    All the packages are signed and I can rebuild anything I want from scratch.

    Adobe uses it to update Flash and Reader on my systems, they don't need to support an update installer.

    I have no doubt that the same type of system can serve palmtop systems well.

  • by Anonymous Coward on Tuesday May 18, 2010 @12:01AM (#32248830)

    Do not run software for which a sufficient number of trusted parties cannot examine its source.

    Yes maybe most people haven't the know how to examine it. But that doesn't matter - what matters is simply that enough people *do* who have no vested interest in jacking your machine. With enough eyes, malicious code will often be spotted.

    I say often because even that isn't foolproof, it's just better than the alternative of "blind trust in the app developer".

    Maintaining control of your own machine using a network of human trust is the only way, short of writing your OS yourself. And surely giving control of your machine to unknown parties without such trust is a bad idea.

    Oh, and diversity of ecosystems helps as well. Monocultures are inherently dangerous.

  • by grcumb ( 781340 ) on Tuesday May 18, 2010 @12:08AM (#32248880) Homepage Journal

    As much as we hate Apple's walled-garden approach to an app store, having a central authority with a kill switch for any app, [etc....] are all things that stand in the way of a would be trojan spyware author.

    Perhaps, but if you cast your net a little wider, you'll realise that the main thing required is a viable process. Autocratic centralised control is just one of a number of different and equally effective means of managing security for end users. Debian, Ubuntu, Fedora and countless other community-maintained repositories have historically sustained a commendable level of security in their vast software collections. They've built up so much trust, in fact, that the trust itself has become a peculiar kind of strength [imagicity.com].

  • by Culture20 ( 968837 ) on Tuesday May 18, 2010 @12:31AM (#32249014)

    Norton AntiVirus: iPhone edition.

    Symantec Endpoint Protection, iPhone Edition has scanned its own jail space and found no viruses. Would you like to enable real-time protection (until you close the SEP iPhone Edition App)?

  • by s73v3r ( 963317 ) <s73v3r.gmail@com> on Tuesday May 18, 2010 @01:09AM (#32249200)
    Maybe the screening process has been working?
  • by R3d M3rcury ( 871886 ) on Tuesday May 18, 2010 @01:43AM (#32249360) Journal

    Well, this isn't quite as serious as Bank Trojans, but Storm8 [inquisitr.com] is infamous for stealing phone numbers from their customers. And this is with the all-mighty App Store in place.

  • by norpy ( 1277318 ) on Tuesday May 18, 2010 @02:40AM (#32249622)
    The screening process is on the binary, it is very hard to detect some crappy code that is intended to cause a buffer overflow.

    That would still limit you to userland exploits, but it would definately allow some malicious code to be injected through a server request that could access phonebook/etc and then send it back home all without the naughty code ever existing in the application that was submitted to Apple.
    This code would be all but invisible since the timebomb and malicious payload are controlled remotely.

    It would be nice for someone in the know to weigh in about apple's code execution security for appstore apps.
  • by mjwx ( 966435 ) on Tuesday May 18, 2010 @02:47AM (#32249664)

    Google touts openness,

    Android has on-device security which let the user know, in simple English what the application will do ("can access your contacts", "uses services that cost you money (SMS, makes phone calls)", "will access the internet") so when you download a fart application that wants access to your contacts and to the internet you have to figure out something isn't right.

    As much as we hate Apple's walled-garden approach to an app store, having a central authority with a kill switch for any app,

    But that isn't so useful as Apple's walled garden approach has forgone local security in favour of gateway only security, once you've gotten past the censors you have a free reign. Enterprises have known for some time that gateway only security is a complete and utter failure. You need both gateway and local security, which Android provides both although the gateway security is entirely voluntary (but enabled by default).

    There have already been data miners for the Iphone that have gotten past Apple's ever watchful censors including at least one fake banking application (BOA, IIRC). This isn't including data miners like Arsebook.

    Ultimately gateway and local security is preferred for end users, one should have a choice whether to use the gateway or not but local security is an absolute must, especially on a mobile device. Despite how good you think your gateway is it is fundamentally flawed.

  • by migla ( 1099771 ) on Tuesday May 18, 2010 @05:11AM (#32250222)

    As was all ready mentioned, it's about having a security process. This can be implemented regardless of openness.

    If more open "stores", such as Android or Maemo/MeeGo or Debian or whatever don't yet have as rigorous a process as Apple, they should get busy of course.

    Regarding any discrepancy between source and binary, you should obviously just upload the source to the store and have the store build the binary.

  • by netsavior ( 627338 ) on Tuesday May 18, 2010 @08:14AM (#32251206)
    yeah something combining android's manifest and blackberry's application permissions screen would be really nice... They each have half of the puzzle. BB lets you block permissions by application to certain functions (like gps, phone, etc) but it is not smart enough to know which of those things the app might try to do.

"The pyramid is opening!" "Which one?" "The one with the ever-widening hole in it!" -- The Firesign Theatre