Slashdot Mirror
BBC Builds Smartphone Malware For Testing Purposes
siliconbits writes "BBC News has shown how straightforward it is to create a malicious application for a smartphone. Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset. The application was built using standard parts from the software toolkits that developers use to create programs for handsets. This makes malicious applications hard to spot, say experts, because useful programs will use the same functions."
Please turn on JavaScript. Media requires JavaScript to play.
OK I'll just....
...heeeey wait a minute. You almost had me there, but you'll have to try harder than that!
"Please turn on JavaScript. Media requires JavaScript to play."
Must...not...play...must...avoid...infection.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Same thing that happens on a regular desktop computer.... BUT ON A PHONE! So it's new news!
Is TFS politely admitting that "advertising" and "spying" have very similar prerequisites?
And what the civilian/press airport "security testers" said. Will the press be brought to justice too?
We know it's impossible for Apple or Linux to get malware, so clearly it was only done for Windows Mobile.
I didn't see them mention it, but I think it's actually a blackberry?
"A very obvious tell-tale sign on the phone is all of a sudden your battery life is deteriorating," he said. "You wake up one morning and your battery has been drained then that might indicate that some of the data has been taken off your phone overnight."
*snicker* Quick! Put more data in my phone to charge it back up!
I can see where he's coming from with that though, a smart-smartphone would conserve battery whenever possible by powering down components and so constant active use could drain the battery quicker. But any GOOD malware would only send out data at regular intervals, not all the time, so this would be a useless check. A BAD malware author would learn this pretty quickly after he DDoSs his own servers.
What's the difference between "malicious" and "beneficial", when it comes to software?
Just about every "malicious" action that malware takes is not "malicious" for what it actually does (set cookies, record passwords, send data in response to user actions, create accounts, encrypt things). All of these things are also functions you sometimes want software to do. The maliciousness is in who data gets sent to, whether it does one thing when it presented another thing in the UI, or if it's not announced. Therefore, how can you programmatically tell malware from not-malware? You can't. And therefore, if the user has the ability to install software, all you have to do to get malware onto a device is lie about it.
Malware isn't defined by what it does. It's defined by deception and lack of consent, and only by deception and lack of consent.
And if you want widespread adoption of your malware? Just wait. Make the "trojan" part of the malware (the game, app, etc.) useful, and do ONLY that part, for a while. Don't start stealing passwords until 6 months later. Include the encryption-extortware in the 3.2 update. Cache the keystrokes and send them only when you embed a keyphrase in your product website, and upload them during an "expected" transaction such as an upgrade or content download. Build the reputation for trust and the block of reviews saying "it's never caused me trouble", then cash it in all at once.
Short of human review of the software in question prior to general availability, you're screwed. (Even then you might be, as human review isn't infallable, but it's certainly not useless) With this in mind, whether you agree that it's worth the hassle/restrictions or not, isn't Apple's AppStore strategy just a little more understandable from an objective point of view?
Maybe it's not ALL about moustache-twirling and staking out new liver donors. Maybe, just maybe, at least part of Apple's "walled garden" motives are benevolent. Maybe it's not a simple question, but a complex one, requiring not simple answers, but complex and rigorous thought. And maybe it's not black-and-white, but shades of gray with the weighting different for every user.
Everybody gets what the majority deserves.
When someone's been to Blackhat recently. There were at least half a dozen step-by-step presentations about every aspect of cellphone malware.
What's the difference between "malicious" and "beneficial", when it comes to software?
From the user's point of view, the threats are modeled rawther well on the Bitfrost page. But from a platform owner's (e.g. Apple, Microsoft, Sony, Nintendo) point of view, the threats are anything that would either tarnish the brand or compete with the platform owner.
I saw this story on a google news feed and the headline read "Smart phone app written by BBC reporter steals data" , now how many people read this title and will not download any apps by the bbc.
I'll open with a disclaimer: most of my smartphone experience and awareness is centered around Android phones. That said, this article is yet another with a standard theme: "Remember, you stupid public, that smartphones are still computers". This is another in the a set of articles about people who write phone applications requesting a smorgasbord of permissions, receiving them from the user, and using them maliciously. Put simply, this is another in the formulaic series:
Mystique of Computers * Fear of Malware * Novelty of Phones = Profit
Chris Wysopal, co-founder and technology head at security firm Veracode, which helped the BBC with its project, said smartphones were now at the point the PC was in 1999.
No offense, but Chris Wysopal is an idiot. Modern smartphones run every application in a sandboxed per-application environment with fine-grained permission controls that are, to some degree, opaque to the user. These applications, by a well-defined default, must exist in a central repository managed by a powerful authority and receive realtime user reviews. This is nothing like PCs in 1999 (remember, that was Windows 98). Then again, he's certainly quite biased, as his company makes a living certifying applications.
All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use.
Yes, of course they were. BBC didn't actually do anything innovative, like find an exploitation or break out of the sandbox. They just abused the OS's granted privileges to the fullest extent. Is this actually a problem? Given any set of privileges and any degree of fine-grained control, you can still abuse whatever you're given to the fullest extent.
At least one fundamental thing failed here: the user installed a phone game that requested privileges such as:
As the owner and user of the device, it is ultimately your responsibility to determine what software you install on your phone. If you are downloading a single-player game that asks for these kinds of permissions, you had damned well better check out the source of that game. If it's not a company that you are comfortable trusting and you still install it, then you are (frankly) stupid. BBC does, of course, presume that its users are stupid.
But that's the problem ... no amount of protection will allow stupid people have free access to a computer and remain protected. You have to strip away something from one of these factors ... either whittle down free access or reduce the base of stupid users. Better design models only serve to decrease the thresholds required for either.
Is there an inherent issue with those kinds of permissions being available and grantable? Sure, there is! Applications, especially closed-source ones, are effectively black boxes. The permissions that I am presented with at installation-time are, in fact, my only real insight as to what the application is capable of doing. Arguing for a finer grain of control is pointless, though. Regardless of what permissions are grantable, you will never circumvent the fundamental problem that stupid users will blindly install applications. Presenting them with more information will not change that fact.
It is the job of the OS vendor (Apple, Google, RIM, etc.) to declare a set of permissions that reasonably mitigates the dangers of overly-gener
Does it send an SMS to a premium number in Russia?
Populus vult decipi, ergo decipiatur...
"Force shits upon Reason's back." - Poor Richard's Almanac
What needs to happen is a general education.
If you have to rely on that, the system will not work. Users don't want to, and will not be "educated" to. They want to buy and use something. You can't make users do something they don't want to, any more than force everyone to carefully listen to the flight attendants on an airline explain the safety procedures beforehand.
And frankly, I do not see that as unreasonable.
I like the Android security model with fine grained permissions but do not like how you agree to all the parts up front. In a long list it's too easy to slip some permission in that seems meaningless to the user, in fact to most people I daresay they all would be.
Instead, when a user opens an app they should be asked at the time of access to a resource if it's OK to access that resource. Now here I'm sure you start to be reminded of Vista UAC and innumerable "Are you sure" dialogs. But I don't mean every tine, I mean only once or twice and then the app is granted that permission permanently.
Yes it means that an app could potentially do something later on after being granted some permission. But it also would block a lot of obviously wrong things from working, like opening a media player and then being asked if it's OK to SMS a big ol' number you do not recognize.
This change gets you a much longer way to letting users do what they want without terrible implications for them.
Also one final change would be that all security dialogs instead of saying something like "allow" and "deny", should instead be worded more like "allow" and "Hell No".
"There is more worth loving than we have strength to love." - Brian Jay Stanley
How about requiring all software be written and approved and digitally signed by licensed engineers with legal responsibility.
You sign up for iPhone development and give them your name and address.
Apart from the licensing thing, it's pretty much the same - if you tried something bad you would be legally liable and Apple could find you.
I don't know the licensing thing really buys anyone but Apple anything, making it easier for them to determine if they should register you or not. It may go that way someday I suppose, but imagine the hue and cry if they do that...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Same thing that happens on a regular desktop computer.... BUT ON A PHONE! So it's new news!
The news is that phone OS'es are being shipped in 2010 that aren't preventing the common security problems we've seen on desktops for the past few decades.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Seeing as how any app that's unsigned cannot do this sort of stuff without the user being asked (probably several times) if it's ok? But hey, Symbian OS isn't Linux based so it must be crap, eh?
This is totally a non story. Man tries to write proof of concept malicious phone app. There is so little content in the story, the BBC can easily re-use this story again and again without worrying about it losing relevance. Any vaguely competent programmer could have easily done whatever they did (don't bother checking the article they don't explain anything). The sad fact is, there probably really are thousands of "hackers" out there trying to write malicious apps and we should all be careful with security blah blah blah, but instead of leading to any actual news in this area the BBC only want the "big bad Internet" angle.
The BBC have never quite "got it" when it comes to technology and technology stories. Everything has to be dumbed down enough so that the technical content is zero, but I don't think this is because they are trying to make it easy to understand, it's because they never understood themselves in the first place. Therefore, they eat up promo stories like this one, fed to them from companies in the IT security business saying how "scary" things are, and amping up the FUD.
At the end of the day, you don't need to go to the trouble of writing a malicious app; as Kevin Mitnick would say, you just ask people for the information you want. But c'mon BBC, a 14 year old would be able to write a much better, easy to understand, technically competent, story with some detail. I'm so glad I'm not paying a TV licence fee any more.
In many ways mobile phones are more secure than desktops.
I agree with what you said.
I agree mobile apps are already by default more secure than desktop apps, but that is why the process of allowing the user to remove some security blocks is even more crucial to get right. Because a mobile app is only as secure as the degree to which you maintain the security blocks around it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley