SAN FRANCISCO -- A panel of mobile security experts painted a bleak picture of the state of mobile application security, warning IT security professionals that the potential exists for the emergence of weaponized mobile apps on Google Android and Apple iOS devices.
At some point the application developers are going to have to follow some sort of code ethics and responsibilities.
director of security operations,
Dozens of copycat apps, designed to mimic popular games, can give application developers access to a growing pool of victims, according to the panel of experts discussing mobile application security issues Wednesday at RSA Conference 2012. Currently, adware and spyware is a problem, where applications collect as much personally identifiable information as they can with the goal of selling the information to a third-party, said Elias Manousos, CEO of RiskIQ, a company that provides code analysis for Android and Apple application marketplaces.
“Some of these apps don’t even work; this is relevant because there are literally hundreds or even thousands of apps that do nothing,” Manousous said. “The running theory here is that they are there to drive traffic.”
Manousous said a cybercriminal who has hundreds of applications in an app store may not currently have a working exploit, but at some point they could theoretically put in an iFrame and launch a pop-up inside an app with malicious intentions. Apps installed on thousands of machines could give an attacker the foothold they need to turn them into a malware delivery mechanism, he said.
Considering, engineers behind the popular app stores are beginning to monitor them in a sandbox environment.
Ward Spangenberg, director of security operations, at San Francisco-based Zynga Inc., a company known for developing popular gaming apps including Words With Friends and FarmVille, has a team that is dedicated to weeding out copycat apps and getting them shut down as fast as possible. The team conducts its own code analysis on copycat apps and has found some coded to steal credentials or simply designed to harvest as much user data as possible.
“As consumers we are going to have to pressure these brands into giving some protection,” Spangenberg said. “At some point the application developers are going to have to follow some sort of code ethics and responsibilities... We are all shifting some of the blame around but there are responsibilities for everybody with regards to these devices.”
The panelists said the threats posed by rogue mobile applications extend to the enterprise. Some firms are already taking a cautious approach to protecting Android and Apple devices. Microsoft deliberately locks out mobile devices from obtaining sensitive corporate data, said Mike Convertino, director network security at Microsoft. Convertino said his team constantly monitors for network anomalies and ensures that mobile devices can’t cache sensitive information from corporate servers. “We are really strict,” he said. “The screens are small and some of this data doesn’t really present itself well on the phone anyway.”
Convertino said malicious applications are evolving from being junkware that collect personal data to creating a botnet out of infected devices in certain countries. The bots can be used by cybercriminals to conduct DDoS attacks at will, he said. Microsoft is taking steps to bolster its new app store with protection by incorporating both static and dynamic code analysis, he said. In addition, developers will be required to run a malware scanning program and apply the outcome of that program with the application submission, he said.
Even more cautious is Zynga, Spangenberg said, which has to not only monitor devices for malicious activities, but also track the devices so sensitive gaming development data doesn’t fall into the wrong hands. The company uses its own internal application store and has developed its own custom app to track devices and ensure they are meeting security policies. Spangenberg said he is considering using radio frequency identification technology to keep some of the most sensitive devices from leaving certain areas within the company.
“We all have the ability to put in controls and address this issue,” he said. “This isn’t our first rodeo so you should just think about the new environment.”
View all of our RSA 2012 Conference coverage.