With smartphones becoming more ubiquitous, end users are placing a lot of trust in the applications running on their devices. But two security researchers plan to present data at Black Hat 2010 that shows many of the applications running on mobile devices are buggy, harvest far more information than is necessary and could contain the loopholes needed to steal sensitive data.
Kevin Mahaffey and John Hering of mobile security company Lookout spent months analyzing nearly 300,000 freely available applications from the Google Android Market and Apple App Store. The two researchers will demonstrate that smartphone users should be leery of the applications they're using. While applications built and backed by established companies such as eBay and Amazon.com are typically of higher quality, those built by third-party developers have a shoddier track record. The evidence suggests many developers copy and paste code without understanding exactly what the resulting application does.
"These devices have been moving from phones to actual computers in your pocket," Hering said. "There's such a proliferation of mobile broadband and mobile data usage primarily driven by the applications and browsing the web that the actual need for security and the overall state of how people use their devices has really fundamentally changed."
Hering said location data, unique device identifiers and other usage patterns are being collected by applications that most users would consider fairly harmless. For example, the two researchers found a simple wallpaper application, designed to put pictures on the device's home screen, collecting location data. In addition, the two mobile security experts plan to demonstrate a new vulnerability.
Mahaffey and Hering are among hundreds of security researchers converging on Las Vegas this week to attend the two-day Black Hat 2010 briefings held at Caesars Palace. While researchers plan to demonstrate mobile-based attacks and privacy issues at Black Hat, an entire conference track is devoted to infrastructure threats. Several researchers plan to highlight weaknesses in SCADA (supervisory control and data acquisition) systems, the software that monitors and controls equipment at power plants, chemical refineries and other critical facilities. Jonathan Pollet, founder and principal consultant with Red Tiger Security, will present research into the kinds of vulnerabilities that could enable attackers to gain access to the underlying network layers of the power grid.
In addition, researchers will demonstrate weaknesses in SSL, the transport-layer encryption protocol websites use to protect data in transit. Three security experts, Elie Bursztein, Baptiste Gourdin and Gustav Rydstedt, will demonstrate how to attack storage mechanisms to tamper with an SSL session. Ivan Ristic of Qualys Inc.'s SSL Labs will present the results of his study of SSL deployments, documenting configuration errors that weaken thousands of websites. SSL has a reputation as a protocol that just works, but the protocol itself has small problems that need to be addressed, Ristic said.
"SSL is one of the most secure protocols we have and it's the security backbone of the Internet, yet we are spending very little time researching how it is used and helping users everywhere configure it and use it properly," Ristic said. "Somehow we got distracted over the years and went on to pursue other security issues."
Web application security
The Black Hat 2010 agenda is littered with sessions and tutorials on securing custom-built or off-the-shelf Web applications. Homegrown or customized code has always been difficult to put through the security wringer, mostly because of business reasons that demand applications get out the door in a hurry. Organizations are often content to catch bugs and vulnerabilities post-production.
But what about third-party code? Widgets, applications and advertising modules are prominent fixtures on many Web applications, and that code is contracted in and dropped onto a website by a third-party provider. These third-party apps are tempting targets for an attacker, especially when they add functionality to travel, entertainment, publishing and technology websites. Even sites in sensitive industries such as health care and financial services make use of third-party apps and widgets to bring additional functionality to users.
Often, Daswani said, the issue comes down to trust. The widget provider, for example, could be an attacker masquerading as a legitimate provider; the widget itself could be compromised; or an attacker could poison DNS caches so that requests for the widget's host are redirected to an attack site. The research points out similar issues with third-party advertising, which could be serving malware or redirecting users to attack sites. The main problem is that advertising providers typically syndicate through multiple partners, and chances are that one or more of those partners does not vet the security of the ad content it passes along. Third-party applications also inherit the trust between site visitors and the site: because the code runs in the host page's context, a flaw in the widget is a flaw in the site. Such apps could be vulnerable to Web-based attacks such as SQL injection or cross-site scripting, so host sites need to ensure providers are vetting their code for security vulnerabilities.
"It's important to raise awareness," Daswani said. "Web 2.0 is great, but when additional functionality and structure is introduced, it's important to make sure risk is mitigated and monitoring is in place."