
Vulnerable mobile apps ‘just waiting to be exploited’

19 Mar 2015

Hackers are finding ways to get around stringent app store controls by exploiting existing non-malicious apps that are vulnerable.

That’s the verdict of AVG chief technology officer Yuval Ben-Itzhak, who says it can be done via a different app, by inspecting data in transit, or even via the web while users browse on their mobile browser.

In a blog post Ben-Itzhak says there are three main ways an app can be vulnerable to hackers: data transmission, data storage and third party components.

On the data transmission side, Ben-Itzhak says almost all mobile apps transmit and receive data between the device and remote servers – allowing apps to update, send stats, check licenses and monitor analytics, for example.

But if there is no encryption for data leaving a device, hackers can ‘look inside’ it and get passwords, credit card numbers or other personal details.

“This is most common on public Wi-Fi hotspots like those found in airports, malls or coffee shops,” he says.

Certificate validation can also be an issue, he says.

“When apps send data to a remote server, it’s important that it is the correct one and not one owned by a hacker. The use of digital certificates on the server can help the app validate the server’s identity. Without these digital certificates, data can be at risk.”
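The two transmission points above, encrypting data before it leaves the device and checking that the app is really talking to its own server, come down to how the TLS connection is set up. The following Java is an added illustration and is not code from the article or from AVG: a trust-everything `TrustManager` and hostname verifier of the kind that silently disables validation, beside the platform-default configuration that validates the chain and hostname. The host `api.example.com` is a placeholder.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TransportSecurity {

    /**
     * WEAK: accepts any certificate and any hostname, so on a public hotspot
     * the app will talk to whoever answers for the server name. Shown only as
     * the pattern to flag in code review; do not ship it.
     */
    static HttpsURLConnection openWithoutValidation(URL url)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // matches anything
        return conn;
    }

    /**
     * HARDENED: rely on the platform defaults. HttpsURLConnection already
     * validates the certificate chain against the device trust store and
     * checks that the hostname matches the certificate, so nothing is
     * overridden; the only extra step is refusing plaintext URLs outright.
     */
    static HttpsURLConnection openWithValidation(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing to send app data over plaintext HTTP: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        URL api = new URL("https://api.example.com/v1/stats"); // placeholder host
        HttpsURLConnection conn = openWithValidation(api);
        System.out.println("validating connection prepared for " + conn.getURL().getHost());
    }
}
```

On Android the same intent can be enforced declaratively with a Network Security Configuration that sets `cleartextTrafficPermitted="false"`, and certificate pinning narrows the accepted chain further than the system trust store; both are additions beyond what the article describes.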

On the data storage side, he says most mobile apps store data locally, often in the form of log files.

Again, a lack of encryption of private data can be dangerous, he says.

“A separate app installed on the device can potentially have a permission to access such files, ‘look inside’ and retrieve personal data.”

Files left after uninstall can also later be accessed by other apps to retrieve data.
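The storage points above (private data written in the clear, and files that outlive their usefulness) are addressed by encrypting each record before it touches disk and deleting it when done. The Java below is an added example, not code from the article or AVG, and it uses AES-GCM from the standard JDK so that it runs outside Android; on a device the key should be generated in `AndroidKeyStore` rather than held in process, and the file should live in the app-private data directory, which is removed on uninstall. The sample record value is constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class LocalStore {
    private static final int IV_BYTES = 12;   // 96-bit nonce recommended for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    // Assumption: plain-JDK key generation so the example is self-contained.
    // On Android, obtain the key from AndroidKeyStore so it never sits on disk.
    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** Encrypts plaintext and returns iv || ciphertext || tag. */
    static byte[] seal(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // fresh nonce per record; never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    /** Reverses seal(); GCM throws AEADBadTagException if the file was altered. */
    static byte[] open(SecretKey key, byte[] blob) throws GeneralSecurityException {
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("stored record too short to be valid");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    static void writeRecord(Path file, SecretKey key, String record)
            throws IOException, GeneralSecurityException {
        Files.write(file, seal(key, record.getBytes(StandardCharsets.UTF_8)));
    }

    static String readRecord(Path file, SecretKey key)
            throws IOException, GeneralSecurityException {
        return new String(open(key, Files.readAllBytes(file)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        Path file = Files.createTempFile("session", ".bin"); // stands in for the app-private dir
        writeRecord(file, key, "session_token=constructed-sample-value");
        System.out.println("on disk: " + Files.size(file) + " bytes, none of it plaintext");
        System.out.println("decrypted: " + readRecord(file, key));
        Files.deleteIfExists(file); // remove the record once it is no longer needed
    }
}
```

The same discipline applies to log files: log an identifier or a hash of a value, never the password, card number or token itself, since any app with permission to read the directory reads the log too.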

Developers reusing components (SDKs) from third parties in the creation of apps can also be an issue, with Ben-Itzhak saying the toolkits are not always secure.

He cites several examples including Android WebView, used by ‘most’ Android developers to download and render web content. “This component was identified to be vulnerable to remote attacks – CVE-2012-6636.”
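CVE-2012-6636 concerns `WebView.addJavascriptInterface`: on devices before API level 17 every public method of the bridge object is reachable from page script through reflection, so a page loaded into the WebView could run code as the app. The Android Java below is an added example, not from the article or AVG, of a hardened WebView setup: JavaScript off unless needed, file and content URL access off, a bridge that exposes only methods annotated with `@JavascriptInterface`, registered only on API 17 and later, and an allow-list check on the URLs the view is permitted to load. `AnalyticsBridge`, `SafeWebView` and the host `app.example.com` are hypothetical names chosen for the example.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical hardened WebView helper; not code from the article or AVG. */
public final class SafeWebView {

    // Placeholder: only hosts the app owns should be reachable through the view.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    /** On API 17+ only methods carrying @JavascriptInterface are visible to page script. */
    public static final class AnalyticsBridge {
        @JavascriptInterface
        public void trackEvent(String name) {
            // validate the input and forward it; nothing else on this object is exposed
            if (name != null && name.length() <= 64 && name.matches("[A-Za-z0-9_]+")) {
                Log.d("Analytics", "event=" + name);
            }
        }
    }

    /** True only for https:// URLs on an allow-listed host. */
    public static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost());
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView view, boolean pageNeedsJavascript) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(pageNeedsJavascript);  // off unless the page really needs it
        s.setAllowFileAccess(false);                  // no file:// reads from the app sandbox
        s.setAllowContentAccess(false);               // no content:// provider access
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        // Do not register any bridge on pre-17 devices: there the whole object
        // is reachable through reflection (the CVE-2012-6636 weakness).
        if (pageNeedsJavascript
                && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            view.addJavascriptInterface(new AnalyticsBridge(), "AppAnalytics");
        }
    }

    /** Loads a URL only if it passes the allow-list; otherwise logs and refuses. */
    public static void load(WebView view, String url) {
        if (isAllowedUrl(url)) {
            view.loadUrl(url);
        } else {
            Log.w("SafeWebView", "refused to load non-allow-listed URL");
        }
    }
}
```

Pair `load` with a `WebViewClient` whose `shouldOverrideUrlLoading` applies the same `isAllowedUrl` check, so that navigation triggered from inside the page is held to the same rule as the initial load.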

Ben-Itzhak is urging developers to secure their apps by learning about secure coding and vulnerable SDKs to avoid common mistakes.

Security testing should be embedded in general quality assurance procedures; automated tools should be used to statically and dynamically scan and test for vulnerabilities; and unneeded functionality should be removed from code. Apps that are no longer supported should have their distribution stopped, he says.

And he says Apple’s App Store and Google Play also have a role to play.

“The developers are not entirely responsible for eradicating vulnerable apps,” he says.

He says improvements can be made to help prevent the distribution of vulnerable apps, including better communication between app stores and developers when issues arise.
