Slashdot Mirror
App Store-Aided Mobile Attacks
Trailrunner7 sends along a ThreatPost.com piece that begins "The pace of innovation on mobile phones and other smart wireless devices has accelerated greatly in the last few years. ... But now the attackers are beginning to outstrip the good guys on mobile platforms, developing innovative new attacks and methods for stealing data that rival anything seen on the desktop, experts say. This particular attack vector — introducing malicious or Trojaned applications into mobile app stores — has the potential to become a very serious problem, researchers say. Tyler Shields, a security researcher at Veracode who developed a proof-of-concept spyware application for the BlackBerry earlier this year, said that the way app stores are set up and their relative lack of safeguards makes them soft targets for attackers. ... 'There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,' Shields said. 'From the attacker's standpoint, it's too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I've done, it's super scary.'"
All the packages are signed and I can rebuild anything I want from scratch.
Adobe uses it to update Flash and Reader on my systems, they don't need to support an update installer.
I have no doubt that the same type of system can serve palmtop systems well.
I've always wondered why deliberate exploits hadn't been included in seemingly safe app store apps that allowed access to forbidden api's and did naughty things always sorta amazed me.
I guess I wasn't the only person who thought of that.
From the article:
Banker Trojans targeting platforms such as the iPhone
[citation needed]
I poked around the internets a bit and only found a mention or two for iPhone trojans. These trojans were ONLY on jailbroken iPhones, not un-jailbroken ones that are using the iPhone App Store. As far as I know there have never been any "banker" trojans in the iPhone App Store.
This article seems to be riding the coattails of the iPhone's popularity by throwing it in the mix with other platforms that have had "banker" trojans. If they have evidence of an iPhone App Store trojan I'd love for them to directly mention it rather than being vague and doing a lot of hand-waving.
Sapere aude!
As much as we hate Apple's walled-garden approach to an app store, having a central authority with a kill switch for any app, plus limited multitasking ability, plus developers tied to using the app store's preferred programming language and tools are all things that stand in the way of a would be trojan spyware author. As Apple claims, jailbreaking your iPhone could all "the enemy" to do what they want with it, and that could crush poor little American Telegraph and Telephone Co.'s network.
Google touts openness, and Microsoft touts the power of a free-market of commercial software, both of which provide nice benefits to the consumer, but also to the hacker who wants to compromise user privacy. Has anybody looked into the Facebook apps on these platforms?
Wow. I was going to download some apps from one of those app stores. I can't believe I nearly exposed my phone to something even more dangerous than anything on my PC. In future, I am going to just limit myself to downloading whacky screensavers for my Windows system, because that is totally unlike downloading an app for my phone.
Seriously, I can't believe the gall of those attention-seeking media whores who call themselves security experts. Years after we have been able to download applications for phones, some nitwit finally realises that one of those apps could be harmful. All they have to do is blow the danger out of all proportion and wait for the stupid media to lap up the story.
"But this time it is different - instead of downloading the app from a website, you get them from an app store!" Yeah, right.
Norton AntiVirus: iPhone edition.
Do not run software for which a sufficient number of trusted parties cannot examine its source.
Yes maybe most people haven't the know how to examine it. But that doesn't matter - what matters is simply that enough people *do* who have no vested interest in jacking your machine. With enough eyes, malicious code will often be spotted.
I say often because even that isn't foolproof, it's just better than the alternative of "blind trust in the app developer".
Maintaining control of your own machine using a network of human trust is the only way, short of writing your OS yourself. And surely giving control of your machine to unknown parties without such trust is a bad idea.
Oh, and diversity of ecosystems helps as well. Monocultures are inherently dangerous.
This is not really any different from the thousands of "kitten screensavers" and other "utility" programs you could download off the internet for windows desktops.
Any app on the blackberry requires user intervention before it's allowed to fetch URLs, open raw sockets, read email, dial the phone, get your location, manipulate the address book, or do any other damned thing. And 90% of the APIs require the developer to be vetted through the app signing process. It actually seems much less vulnerable to trojans and spyware than a PC.
It comes down to if you cannot see the source don't trust it. As long as blackhat crooks are out there making closed binaries there will be problems with trojans. If Google is smart they will insist that all code must be visible to operate on the Android OS. Perhaps Rim will follow suit and make sure that all third party binaries are clean. I know this really irks some developers but if your code is clean, unique and has a copyright why are you afraid that others will see it?
and just sponsor a couple of OSes and a browser pretty much dedicated to ratting on you.
The Cloud - because you don't care if your apps and data are up in the air.
I agree with the poster that the economics of attacks is definitely in favor of the Trojan vs. the technical attack. It's scary how many people install junk on their computers, and it's not getting any better. Even I do it sometimes without knowing 100% who's behind some utility or patch that I want. This is the approach that pays off easy too. Why bother trying to sneek into their box when the user's will install your bug for you?
In nature though, some of these parasites actually evolve into beneficial bugs. The take their little bit, but they also do some extra bit for the host. Both sides win, this is symbiosis. Imagine that the SETI@home also defragmented your disks or optimized performance some how in exchange for running on your system, same thing.
Now consider for a second that Conficker patched some security holes after entering the host system....Isn't it doing some little bit of good? Not wanting it on my box, just showing how Conficker's security is also beneficial to the host machine. Their goals align... Consider also, how does Google's goals align with mine when I use online Docs?
I think there will be a real blending here. Trojans will get more beneficial and less intrusive, people will tolerate them because they do something useful, and a new class of free (as in beer) software will evolve.
You can't tell me how wrong Apple is for having a closed store with strict app approvals and how other mobile makers will outdo Apple with their open stores and then wrote a malware-scare article about how app stores are too open and lump Apple in with everyone else. It's one or the other. Everyone else has Jas apps you can install from the Web and Apple has C apps you can't.
Apple has an actual record here. They've been malware-free 100% for 2 years, 200,000 apps, over 1 billion downloads, with consumer users who don't know what malware is, doing 1-click installs.
How you can write an article like this saying "app stores should be more closed" and not mention Apple's is closed is beyond me.
And there has been no native malware on iPhone. Also bullshit.
And although Apple may not strictly guarantee zero malware, they are actively policing every app. To pretend that's like having no cops, as on the other platforms, is ridiculous.
Awful article. Just fucking awful. Do some fucking research!
It'be interesting to have open source packages clearly specified in the app store, especially Android's app store. Maybe even an option to only show open source software could help. How much malware do you see in your typical Ubuntu, Debian, or Fedora repository?.
Et tu, Fartapp?
How many more years will slashdot have an off-by-one error on your Score in your profile?
Any app on the blackberry requires user intervention before it's allowed to fetch URLs, open raw sockets, read email, dial the phone, get your location, manipulate the address book, or do any other damned thing. [...] It actually seems much less vulnerable to trojans and spyware than a PC.
That does not mean much for a trojan. A trojan could masquerade as some tool or game that 'needs' access to all of these, and the Trojan user would happily grant it those rights.
what was the app? name it, please.
I was testing SSH clients for the iPhone so I bought about a half dozen, one of them flat out didn't work (filled out the problem form, no response). One didn't allow you to change the port to something other than 22. Only one app allowed you to import a key. Only one (a different one) allowed you to have more than one key. In other words one was completely broken, one was arguably missing basic functionality and all were missing common functionality. In other words the quality was abysmal.
I also tried to contact them, one had a website listed that was several years out of date and had no contact info (no names, emails, phone numbers, nothing). Not exactly inspiring of trust.
Based on this I can simply say I will not use them, for one thing they don't work terribly well. But mostly because who knows what they do in the background. Perhaps every 50th connection, assuming it is a Tuesday they send your connection details (user name, password, IP, etc.) in an outgoing packet to the bad guy that wrote the app.
I actually regret going with the iPhone (not that the android is much better in this respect). I'm so used to Open Source software having to use a closed source application from a basically unknown source (as opposed to someone who is at least known and ideally has a decent reputation they want to protect) is foreign to me and to be honest a deal breaker.
what was the app? name it, please.
He can't because it doesn't exist. That's why he posted AC.
This ain't rocket surgery.
Rife based on a blog article that does not mention a single app or what it does that is malicious?
People keep making these claims, it is fairly clear they are all BS..
My buddy had an android app that shot his mother, burned down his house and ate his dog! Look! I can lie too!
Unfortunately your theories get all mangled when they bounce into reality.
and it's absolutely great.
STOP . AMERICA . NOW
Are you incapable of reading?
From the first goddamn page, a hosts file that details dozens (hundreds?) of apps that silently data mine the user. http://www.textbin.com/show_text.php?id=x6430
From http://developer.apple.com/iphone/library/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/ApplicationEnvironment/ApplicationEnvironment.html
The Application Sandbox /ApplicationRoot/ApplicationID/
For security reasons, iPhone OS restricts an application (including its preferences and data) to a unique location in the file system. This restriction is part of the security feature known as the application’s “sandbox.” The sandbox is a set of fine-grained controls limiting an application’s access to files, preferences, network resources, hardware, and so on. In iPhone OS, an application and its data reside in a secure location that no other application can access. When an application is installed, the system computes a unique opaque identifier for the application. Using a root application directory and this identifier, the system constructs a path to the application’s home directory. Thus an application’s home directory could be depicted as having the following structure:
During the installation process, the system creates the application’s home directory and several key subdirectories, configures the application sandbox, and copies the application bundle to the home directory. The use of a unique location for each application and its data simplifies backup-and-restore operations, application updates, and uninstallation. For more information about the application-specific directories created for each application and about application updates and backup-and-restore operations, see “File and Data Management.”
Important: The sandbox limits the damage an attacker can cause to other applications and to the system, but it cannot prevent attacks from happening. In other words, the sandbox does not protect your application from direct attacks by malicious entities. For example, if there is an exploitable buffer overflow in your input-handling code and you fail to validate user input, an attacker might still be able to crash your program or use it to execute the attacker’s code.
See also protections around location, camera, microphone, address book access, and network interfaces that "let users know in simple words what an application will do"
Since Apple has an apparently arduous approval process for their app store, I'm assuming that they guarantee everything against this sort of foolishness.
And I sense that we've discovered the next year's Underhanded C Contest thema. :-D
"Design a piece of code that looks like a genuine mobile funny game, but in fact turn the smartphone into a zombie node of a powerful and evil bot-net..."
"Bonus point if your game actually passes Apple's App Store certifications".
I can really see it coming
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I'm not a big fan of the Steve Jobsian App Store lockdown policies, but at least inside of that, if an app is discovered to be malicious, Apple can wipe it from everyone's phones I believe without even asking them.
Currently hooked on AMP
I know this was modded flamebait, and probably was intended as such, but I can see a less snarky version of this message being EXACTLY what Apple would want to push.
Android has the right idea, in my book, they just need to take it further and allow users to deny the permissions that are asked for in the manifest. The manifest lists all of the secure things that can be accessed by the app, there just needs to be a line-item veto. A timer/stop watch application does not need 'Full Internet Access' or 'Access to My Contacts'.
http://blog.slaingod.com
Okay, thank you, and I retract my previous statement.
That said, if you were implying that I'm a professional astroturfer for Apple (or anyone else), you are very much mistaken. When Apple fucks up, I'll jump on them just as hard as anyone else. At the same time, I do feel the need for balance in these forums and when I see an AC making an unsubstantiated claim they way you did, I'm going to say something about it. If that bothers you, then stop making those types of posts. Unless your Slashdot nick is your real name, there's not much chance that anything you say here is going to be traceable back to you anyway.
This ain't rocket surgery.
A maliciously written app has no requirement to use RIM's API subset. An app can abuse any vulnerability of the OS because no one ensure's it doens't. On the iPhone platform, use of those APIs is the only way to access such content and apps are explicitly sandboxed from each other. Custom code scans each submitted app, and ensures that calls to unpublished APIs don't happen. Custom code inside of an app is simply denied access to anything outside of its own boundary. Only apps distributed outside of Apple's ecosystem can perform malicios tasks, and even those are limited to API calls, so what can it do, steal your contacts? On RIM or Android one app can access content in a browser opened by another, read keyboard inputs to another app, access any files in the system, and do just about anything it wants, and if it uses the right hack, the user is never prompted.
There is no contest in life for which the unprepared have the advantage.
http://www.gurenzeytin.com/ ayvalik zeytinyagi