BBC Builds Smartphone Malware For Testing Purposes
siliconbits writes "BBC News has shown how straightforward it is to create a malicious application for a smartphone. Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset. The application was built using standard parts from the software toolkits that developers use to create programs for handsets. This makes malicious applications hard to spot, say experts, because useful programs will use the same functions."
Please turn on JavaScript. Media requires JavaScript to play.
OK I'll just....
...heeeey wait a minute. You almost had me there, but you'll have to try harder than that!
Same thing that happens on a regular desktop computer.... BUT ON A PHONE! So it's new news!
Is TFS politely admitting that "advertising" and "spying" have very similar prerequisites?
We know it's impossible for Apple or Linux to get malware, so clearly it was only done for Windows Mobile.
I didn't see them mention it, but I think it's actually a blackberry?
What's the difference between "malicious" and "beneficial", when it comes to software?
Just about every "malicious" action that malware takes is not "malicious" for what it actually does (set cookies, record passwords, send data in response to user actions, create accounts, encrypt things). All of these things are also functions you sometimes want software to do. The maliciousness is in who data gets sent to, whether it does one thing when it presented another thing in the UI, or if it's not announced. Therefore, how can you programmatically tell malware from not-malware? You can't. And therefore, if the user has the ability to install software, all you have to do to get malware onto a device is lie about it.
Malware isn't defined by what it does. It's defined by deception and lack of consent, and only by deception and lack of consent.
And if you want widespread adoption of your malware? Just wait. Make the "trojan" part of the malware (the game, app, etc.) useful, and do ONLY that part, for a while. Don't start stealing passwords until 6 months later. Include the encryption-extortware in the 3.2 update. Cache the keystrokes and send them only when you embed a keyphrase in your product website, and upload them during an "expected" transaction such as an upgrade or content download. Build the reputation for trust and the block of reviews saying "it's never caused me trouble", then cash it in all at once.
Short of human review of the software in question prior to general availability, you're screwed. (Even then you might be, as human review isn't infallible, but it's certainly not useless.) With this in mind, whether you agree that it's worth the hassle/restrictions or not, isn't Apple's AppStore strategy just a little more understandable from an objective point of view?
Maybe it's not ALL about moustache-twirling and staking out new liver donors. Maybe, just maybe, at least part of Apple's "walled garden" motives are benevolent. Maybe it's not a simple question, but a complex one, requiring not simple answers, but complex and rigorous thought. And maybe it's not black-and-white, but shades of gray with the weighting different for every user.
Everybody gets what the majority deserves.
When someone's been to Blackhat recently. There were at least half a dozen step-by-step presentations about every aspect of cellphone malware.
What's the difference between "malicious" and "beneficial", when it comes to software?
From the user's point of view, the threats are modeled rawther well on the Bitfrost page. But from a platform owner's (e.g. Apple, Microsoft, Sony, Nintendo) point of view, the threats are anything that would either tarnish the brand or compete with the platform owner.
I'll open with a disclaimer: most of my smartphone experience and awareness is centered around Android phones. That said, this article is yet another with a standard theme: "Remember, you stupid public, that smartphones are still computers". This is another in a set of articles about people who write phone applications requesting a smorgasbord of permissions, receiving them from the user, and using them maliciously. Put simply, this is another in the formulaic series:
Mystique of Computers * Fear of Malware * Novelty of Phones = Profit
Chris Wysopal, co-founder and technology head at security firm Veracode, which helped the BBC with its project, said smartphones were now at the point the PC was in 1999.
No offense, but Chris Wysopal is an idiot. Modern smartphones run every application in a sandboxed per-application environment with fine-grained permission controls that are, to some degree, opaque to the user. These applications, by a well-defined default, must exist in a central repository managed by a powerful authority and receive realtime user reviews. This is nothing like PCs in 1999 (remember, that was Windows 98). Then again, he's certainly quite biased, as his company makes a living certifying applications.
All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use.
Yes, of course they were. BBC didn't actually do anything innovative, like find an exploitation or break out of the sandbox. They just abused the OS's granted privileges to the fullest extent. Is this actually a problem? Given any set of privileges and any degree of fine-grained control, you can still abuse whatever you're given to the fullest extent.
At least one fundamental thing failed here: the user installed a phone game that requested privileges such as:
As the owner and user of the device, it is ultimately your responsibility to determine what software you install on your phone. If you are downloading a single-player game that asks for these kinds of permissions, you had damned well better check out the source of that game. If it's not a company that you are comfortable trusting and you still install it, then you are (frankly) stupid. BBC does, of course, presume that its users are stupid.
But that's the problem ... no amount of protection will allow stupid people to have free access to a computer and remain protected. You have to strip away something from one of these factors ... either whittle down free access or reduce the base of stupid users. Better design models only serve to decrease the thresholds required for either.
Is there an inherent issue with those kinds of permissions being available and grantable? Sure, there is! Applications, especially closed-source ones, are effectively black boxes. The permissions that I am presented with at installation-time are, in fact, my only real insight as to what the application is capable of doing. Arguing for a finer grain of control is pointless, though. Regardless of what permissions are grantable, you will never circumvent the fundamental problem that stupid users will blindly install applications. Presenting them with more information will not change that fact.
It is the job of the OS vendor (Apple, Google, RIM, etc.) to declare a set of permissions that reasonably mitigates the dangers of overly-gener
Does it send an SMS to a premium number in Russia?
Populus vult decipi, ergo decipiatur...
"Force shits upon Reason's back." - Poor Richard's Almanac
Same thing that happens on a regular desktop computer.... BUT ON A PHONE! So it's new news!
The news is that phone OS'es are being shipped in 2010 that aren't preventing the common security problems we've seen on desktops for the past few decades.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Instead, when a user opens an app they should be asked at the time of access to a resource if it's OK to access that resource. Now here I'm sure you start to be reminded of Vista UAC and innumerable "Are you sure" dialogs. But I don't mean every time, I mean only once or twice and then the app is granted that permission permanently.
Yes it means that an app could potentially do something later on after being granted some permission. But it also would block a lot of obviously wrong things from working, like opening a media player and then being asked if it's OK to SMS a big ol' number you do not recognize.
You mentioned the shortcomings yourself; this wouldn't stop any serious malware author. They would either wait out whatever "trial period" you impose, or find a clever way to masquerade their malice to seem innocent. With application models like these, you really can't beat around the bush, and solutions that try and mitigate will only find their limits probed, explored, and worked around.
If you have to rely on that, the system will not work. Users don't want to, and will not be "educated" to. They want to buy and use something. You can't make users do something they don't want to, any more than force everyone to carefully listen to the flight attendants on an airline explain the safety procedures beforehand.
Education isn't as impossible as you seem to think it is. It is a compromise between the vendors and the users. I'll use browsers as examples: you'll never get Joe Averageuser to validate SSL certificate roots of trust by clicking through dialogues. You will, however, get very far giving him a simple piece of advice, like check the color of the bar before you use a banking website.
That is what phone OS's need to be designed to do (and they are, hence the "bullshit" in my title). They need to simplify the absurdly-complex system that is a mobile phone down to a manageable set of qualities that everyday users can handle and make intelligent decisions based on. You will always find your idiots, but smart OS / UI design can put the top 99% of people in a position to make the right call, and that's very powerful.
Existing mobile phone UIs certainly have plenty of room to grow, but the vendors understand the psychological and intellectual landscape, and I believe strongly that they are moving in the right direction at a very respectable pace.
You sign up for iPhone development and give them your name and address.
And I'm certain that Apple checks to make sure that those names and addresses are completely legit.
Of course, I also believe in the Easter Bunny.
A couple of years ago, I used one of my developer discounts to buy a machine for a co-worker. We had it shipped to his house. For the next six months, when I signed on, my account listed my first name and his last name.
Oh, but you can always look up the info? Here's a copy of Hitchhikers Guide to the Galaxy [Redirects to iTunes]. Go click on "Jeffrey Beyer Web Site." Hell, if Apple can't even catch things like that in their own store, I don't hold much stock in them being able to ferret out a clever hacker.
And I'm certain that Apple checks to make sure that those names and addresses are completely legit.
Why is that so hard to believe?
If you are selling any app, they have to get bank contacts from you, and it cannot be just any bank - they have to support SWIFT codes, which means a pretty large bank. Between the two things Apple has a pretty good lock on who you are.
For free apps they do not require a bank account but they do verify your address.
A couple of years ago, I used one of my developer discounts to buy a machine for a co-worker. We had it shipped to his house. For the next six months, when I signed on, my account listed my first name and his last name.
Right, but they don't have the same degree of controls around developer accounts as they do iPhone developer accounts. It's a different level of checking (as in they actually do some). They take knowing who you are much more seriously.
In addition to the bank checks that the other poster mentioned, you also have to supply them with tax information, and company incorporation documents if applicable. The process took a few weeks for us, and entailed a few phone calls and physical mail in both directions.
Apple certainly knew we were more than a made up name before we were allowed to upload our first app.
So maybe that easter bunny is more real than you originally thought.
"Must...not...play...must...avoid...infection."
The nuns told me the same thing.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."