Researchers said shared third-party libraries used by many mobile apps could increase the risk of mobile data theft...
through "intra-library collusion."
The issue was detailed by Alastair Beresford, teaching fellow at Robinson College in Cambridge, England, and Vincent Taylor and Ivan Martinovic, a doctoral student and associate professor, respectively at University of Oxford, in the paper, "Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones."
According to the researchers, the issue has often been overlooked because mobile security "has typically examined apps and third-party libraries in isolation." However, they claim these shared libraries could cause more damage if used together for mobile data theft.
"This attack, which we call intra-library collusion, occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data," the researchers wrote. "The possibility for intra-library collusion exists because libraries obtain the same privileges as their host app and popular libraries will likely be used by more than one app on a device."
The team studied 30,000 smartphones and found that, because different apps are allowed different permissions, a malicious actor could combine the access granted to each app in order to build a user profile or perform mobile data theft.
Matthew Rose, global director of application security strategy at Checkmarx, an application security software vendor headquartered in Israel, said there were a number of ways a shared library might be infected by a malicious actor.
"Typically third-party libraries are maintained by a group of people who maintain the code base. Since these libraries have many contributors it is sometimes difficult to have one person responsible for the entire library code base, which can potentially allow malicious code to be inserted," Rose told SearchSecurity. "There is also the question of these libraries inheriting functionality from other code bases, so there are definite tradeoffs in terms of risk versus the utilization of existing third-party libraries."
The researchers said advertising libraries could be granted additional permissions to make this kind of attack more dangerous. The researchers wrote that libraries can track users without their consent.
The research focused on Android due to "the availability of data on lists of apps installed on Android devices," but the team noted that they believe their insights would also hold true on iOS "due to similarities in access control and app deployment."
Neither Google nor Apple responded to requests for comment at the time of this post.
Mobile data theft and permission creep
Unfortunately, the researchers had no easy answers for mitigating the threat of mobile data theft from intra-library collusion. The researchers noted that one approach would be to limit the permissions granted to these libraries, but doing so might hamper the ability of developers to monetize their apps, which "could serve as a deterrent to new app developers entering the market and thus the end users may ultimately suffer from reduced content."
Matthew Roseglobal director of application security strategy, Checkmarx
Additionally, the team suggested that the companies running the app stores or even nation-states could enact policies or laws to detect and remove malicious third-party libraries, but each approach would be problematic. Detection would be difficult because apps can have legitimate reasons for sending data off-device, and enforcement may not scale beyond an app-by-app basis.
John Bambenek, threat intelligence manager at Fidelis Cybersecurity, said "it is very likely that a malicious library would remain undetected," but noted there are easier paths to mobile data theft.
"In order to perform this attack, a malicious individual would need to create a library that then is used by multiple applications. They would then need to convince users to download an app [or multiple apps] with many permissions," Bambenek told SearchSecurity. "In the real world, a malicious individual would just get a victim to install an application with a lot of permissions in the first place because it is more direct and easier. I wouldn't expect this to be weaponized in the short-term by criminals."
Rose said the more important issue was that "people need to be cognizant of what permissions a mobile app is asking for when they install it."
"Does the app really need to have access to your file system, geo location, or camera? Think about what the intended usage is for the mobile app and ask yourself if it is asking for more permissions than it actually needs," Rose said. "If the permission request is not in line with what you intend to use the app for, then do not install it or grant the permissions."
Bambenek said developers also need to be careful to make sure it doesn't appear their apps are attempting mobile data theft through permissions overreach.
"Mobile developers, and developers in general for that matter, need to always focus on secure coding and, in particular, least privilege," Bambenek said. "Adopting a development model that writes code doing only what is necessary for it to do and little else would help greatly."
Learn how IT can tackle the top mobile security issues.
Find out about the latest enterprise mobile security technology.
Get info on why security and governance are immediate priorities for connected mobile apps.