Mobile Security Woes Go Beyond Malicious Apps

If, like most Americans, you’ve developed an attachment to your mobile phone that borders on the unnatural and have a hard time going 11 seconds without checking email or texts, you’d do well not to attend a talk by Zach Lanier and Mike Zusman anytime soon. The pair discussed a variety of weaknesses in several mobile platforms and showed off enough clever attacks in their talk at SecTor in Toronto last week to make the listener want to pull the SIM card from his phone, set it down and back quietly away.

If, like most Americans, you’ve developed an attachment to your mobile phone that borders on the unnatural and have a hard time going 11 seconds without checking email or texts, you’d do well not to attend a talk by Zach Lanier and Mike Zusman anytime soon. The pair discussed a variety of weaknesses in several mobile platforms and showed off enough clever attacks in their talk at SecTor in Toronto last week to make the listener want to pull the SIM card from his phone, set it down and back quietly away.

The problems and attacks that Zusman and Lanier, consultants with the Intrepidus Group, discussed are not of the super-sexy variety that inspire scary headlines, but they are serious issues that serve to show that the overall security picture on mobile platforms is a rather ugly one. For a growing number of users, the smartphone is their primary computing device, it’s how they handle email, online banking, shoping and other sensitive activities and in many cases the security models on these devices leave plenty to be desired.

One major weak point for most smartphones is the application level. Devices such as iPhones and Android phones that have dedicated application markets tend to trust implicitly any app that comes from that store. And as Zusman and Lanier showed, there are any number of ways to abuse that trust, especially when the apps make it easy for you.

In one example, Lanier talked about Foursquared, an Android application for users to access the Foursquare service. The application has support for both basic HTTP authentication as well OAuth, a more advanced option that includes some security measures. However, Foursquared used the basic authentication mechanism, which sends user credentials in plaintext over HTTP. And although smartphones typically can use either their carrier’s data network or WiFi for data transfer, Lanier said many apps prefer to use WiFi, making the interception of the user credentials a snap.

Many of the bugs and attacks that Lanier and Zusman discussed are similar to problems that have plagued traditional Web applications for years: lame authentication schemes, sending sensitive data in plaintext, placing too much trust in the client and so on. The mobile industry is in many cases simply repeating mistakes made by Web app developers 15 years ago.

Malicious apps have become a serious concern on all of the major smartphone platforms as attackers have begun to take advantage of both the trust that devices afford apps from their proprietary stores and the attendant trust that users give those apps.

“A lot of this is Web application problems we’ve seen for years,” Zusman said. But not all of it; some are device issues.

Another example the pair showed was a framework for the small HTTP and JavaScript widgets that run on a number of mobile platforms. The framework has some custom permission settings that prevent an attacker from modifying any content of a widget. So Lanier and Zusman took another tack and discovered that other widgets running on the framework have the ability to mess with the content of widgets, so they wrote a custom Android app to do just that. The malicious app was able to execute arbitrary JavaScript on the phone.

And it’s not just smartphones that are problematic, either. Zusman and Lanier talked about a problem they found in one mobile device based on an older platform that enabled them to intercept the traffic between the device and a remote server and then eventually work out the user’s authentication token. The application, designed to back-up data from the device, responded to SMS messages from the server. After debugging the app’s code, they redirected the client to a server they controlled.

They then analyzed the traffic between the client and server and found that the client’s authentication token was an MD5 hash based on a load of data previously sent to the server. They were able to reproduce the hash after a handful of attempts, and they the developed a custom app that looked for data leakages from the remote server and gathered enough data to hijack other users’ accounts.

Just as the smartphones trust the apps from their stores, the networks that devices run on tend to trust those devices, and as Lanier and Zusman showed, there’s always a way to use that trust to your advantage if you’re an attacker.

Suggested articles