MWR InfoSecurity sounds mobile security alarm

Free apps could be providing hackers with a backdoor to gain access to sensitive user data, according to MWR InfoSecurity

The new year has barely started, but users are already being urged to be on their guard against the security threats they introduce to their mobile phones by downloading free apps.

Research undertaken by MWR InfoSecurity has found that hackers are using some of the vulnerabilities in free apps to access users' sensitive data and, in some cases, even gain control of the device.

The vendor has fingered the code that advertisers and third parties use as the problem, with hackers using it as the entry point to gain access to the same data that is available to advertisers.

“Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS,” said MWR senior security researcher Robert Miller.

“However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes. Ad networks actually contain this functionality and it’s referred to as ‘cross application’ data. If attackers insert themselves into the picture by taking advantage of these vulnerabilities in coding, it is highly likely for them to steal user data,” he added.

Miller has been actively trying to get the mobile security issue higher up the agenda and was recently on Channel 4 demonstrating just how Apple and Android devices could be compromised.

“Consumers need to understand the eco-system of mobile applications. Free apps are supported by ad networks that trade in data. While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network,” he said.

MWR's advice is to check that the permissions an app asks for on the device are okay and, if they are not, not to carry out the download.
