Security risks in smartphone apps are being neglected

With the proliferation of so many smartphone apps, several researchers believe developers are neglecting to take the time necessary to sufficiently secure them. Ron Condon reports.

Applications downloaded onto smartphones could harbour unseen dangers and usher in the next wave of security vulnerabilities. Industry experts say that in the battle for supremacy among the different platforms, smartphone security risks and privacy are being overlooked as the vendors try to build up the store of applications they support.

"Smartphones tend to have a very closed security model," said Neil O'Connor, managing director at Hampshire-based security consultancy Activity Information Management Ltd.

"The app stores don't seem to do much security testing. They test more for functionality. It is not difficult to get an application approved, and [the platform vendors] are very cagey about what security testing they do. We suspect it's very little."

Chris Wysopal, CTO at Massachusetts-based application testing company Veracode Inc., agreed, and said little thought is being given to the hidden features in smartphone apps that could make them a danger to users and their employers. He said his company has already written and demonstrated proof-of-concept code that could trick users into downloading spyware onto their BlackBerry devices.

While many of the smartphone platform providers have done a good job in making their operating systems secure, Wysopal said, they do little to test approved apps for security. He said the danger lies at the application level, where Trojans could be easily installed and threaten the privacy and data of owners of the devices.

"Trojans account for 70% of malware on PCs. If that is how the criminals are operating on PCs, it is logical for them to move onto smartphones where there is no protection against this type of attack. The phones are even more vulnerable than your average Windows PC, which has antimalware protection," he said.

Although some smartphone platform providers, such as Apple Inc., say they approve and test applications that appear on their application download stores, the details of the testing process are still far from clear.

"They say they approve or test each app, but they say nothing about testing for malware, security or privacy," Wysopal said. "They only talk about the highest level. Once you get below that, it is completely opaque. They don't say what kind of testing they do. Do they test for privacy leakage? Could apps be stealing private data? They do not mention what they are trying to block."

The sheer volume of new applications being created -- plus the desire of each platform to build up its volume of applications -- suggests that "rigorous testing probably is not happening," Wysopal said.

He suggested that users could protect themselves by configuring their devices more securely, but few users take full advantage of their devices' security features. "The BlackBerry has the most advanced security functionality of any of the devices, but only a small proportion of smartphone users use any of the security functionality. They don't set up their permissions properly, so you could unknowingly install a piece of spyware on your BlackBerry, and that could access all the data on the device."

Veracode's proof-of-concept spyware was demonstrated at a hacker convention in February, and showed how an application using standard BlackBerry APIs could access and leak sensitive information.

Dave Jevans, CEO of IronKey Inc. in California and chairman and founder of the Anti-Phishing Working Group, said he also expects the problem to get worse. "We've seen a couple of fake banking apps so far, and I'm frankly surprised we've not seen more. But my feeling is that smartphones will be the next playing field for cybercriminals," he said.

He added that it is unclear how some of the platforms separate multiple applications and whether they could prevent a malicious application from stealing information or credentials from other apps on the same device.

Activity's O'Connor said untested apps present "a huge risk" and that, whenever possible, companies should block users from downloading them or should operate a whitelist of known secure applications.

"People are buying consumer phones which have the same functionality as a laptop, but they don't have the same level of security," O'Connor said.

For the moment, O'Connor is advising clients to lock down devices where possible, but admits it is a difficult task. "The problem is that the phones often don't belong to the companies. People want to use their iPhones, and the biggest miscreants are often at the top of the organisation. Enforcing a lockdown policy is a bit like pushing water uphill, and IT departments are fighting a losing battle," he said. "I'm waiting for the first brush with the Information Commissioner, when a smartphone gets lost with loads of personal information on it. It will take a big breach to make people wake up to the danger."