
Mobile data theft a risk from shared app libraries

Researchers claim malicious actors could commit mobile data theft through shared third-party libraries, abusing the combined privileges that the host apps' permissions grant.

Researchers said shared third-party libraries used by many mobile apps could increase the risk of mobile data theft through "intra-library collusion."

The issue was detailed by Alastair Beresford, teaching fellow at Robinson College in Cambridge, England, and Vincent Taylor and Ivan Martinovic, a doctoral student and associate professor, respectively, at the University of Oxford, in the paper "Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones."

According to the researchers, the issue has often been overlooked because mobile security research "has typically examined apps and third-party libraries in isolation." However, they argue that a library shared by several apps can do more damage than examining any one of those apps would suggest.

"This attack, which we call intra-library collusion, occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data," the researchers wrote. "The possibility for intra-library collusion exists because libraries obtain the same privileges as their host app and popular libraries will likely be used by more than one app on a device."

Using lists of installed apps from 30,000 smartphones, the team found that, because each app is granted a different set of permissions, a library embedded in several of them could combine the access its host apps were granted in order to build a user profile or perform mobile data theft.
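The mechanism described above, as an added example that is not from the paper or the article: a small Python model of one device's app inventory. The package names, library names and manifests are constructed for the example; the permission names are real Android permissions. The code parses each app's uses-permission entries, attributes them to every library the app embeds, and reports libraries whose combined dangerous permissions exceed what any single host grants.

```python
"""Added example, not from the paper or the article: a device-level model of
intra-library collusion. A third-party library runs with its host app's
permissions, so a library embedded in several installed apps effectively
holds the union of those apps' permissions. The app inventory, package
names and library names below are constructed for the example."""

from collections import defaultdict
import xml.etree.ElementTree as ET

# AndroidManifest.xml attributes live in this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A subset of Android's "dangerous" permissions (real permission names):
# the ones that gate user data and need a runtime grant on Android 6+.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def manifest(package, *permissions):
    """Build a minimal AndroidManifest.xml (constructed input)."""
    uses = "".join(
        f'  <uses-permission android:name="{p}"/>\n' for p in permissions
    )
    return (
        f'<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
        f' package="{package}">\n{uses}</manifest>'
    )


# Constructed device inventory: (package, manifest XML, embedded libraries).
INVENTORY = [
    ("com.example.maps",
     manifest("com.example.maps",
              "android.permission.ACCESS_FINE_LOCATION",
              "android.permission.INTERNET"),
     ["com.adnet.sdk", "com.analytics.lib"]),
    ("com.example.dialer",
     manifest("com.example.dialer",
              "android.permission.READ_CONTACTS",
              "android.permission.READ_CALL_LOG",
              "android.permission.INTERNET"),
     ["com.adnet.sdk"]),
    ("com.example.camera",
     manifest("com.example.camera",
              "android.permission.CAMERA",
              "android.permission.RECORD_AUDIO",
              "android.permission.READ_EXTERNAL_STORAGE"),
     ["com.adnet.sdk", "com.crash.reporter"]),
    ("com.example.notes",
     manifest("com.example.notes", "android.permission.INTERNET"),
     ["com.analytics.lib"]),
]


def requested_permissions(manifest_xml):
    """Permissions an app requests in its manifest. On Android 6+ the
    dangerous ones still need a runtime grant, so this is an upper bound
    on what the app (and every library inside it) can actually use."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def library_hosts(inventory):
    """Map each library to the (package, permissions) pairs that embed it."""
    hosts = defaultdict(list)
    for package, manifest_xml, libraries in inventory:
        perms = requested_permissions(manifest_xml)
        for lib in libraries:
            hosts[lib].append((package, perms))
    return hosts


def collusion_candidates(inventory):
    """Libraries whose combined dangerous permissions across all hosts
    exceed what any single host grants them. Returns
    {library: {"combined": [...], "gained": {package: [...]}}}, where
    "gained" lists, per host, the dangerous permissions the library can
    reach only because it also lives in another app."""
    report = {}
    for lib, hosts in library_hosts(inventory).items():
        combined = set().union(*(p for _, p in hosts)) & DANGEROUS
        widest_single_host = max(len(p & DANGEROUS) for _, p in hosts)
        if len(combined) <= widest_single_host:
            continue  # no host is made stronger by the others
        gained = {pkg: sorted(combined - p) for pkg, p in hosts}
        report[lib] = {"combined": sorted(combined), "gained": gained}
    return report


if __name__ == "__main__":
    for lib, info in collusion_candidates(INVENTORY).items():
        print(f"{lib}: combined dangerous permissions {info['combined']}")
        for pkg, extra in info["gained"].items():
            print(f"  via {pkg} it also reaches {extra}")
```

On this inventory only the ad SDK is flagged: no single host gives it more than three dangerous permissions, but across the maps, dialer and camera apps it reaches six. The "gained" entries are the point of the attack: a library that is never granted location by the dialer still reaches it through the maps app. The manifest is only an upper bound, so a real audit on Android 6 and later would read the permissions actually granted on the device rather than those requested.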

Matthew Rose, global director of application security strategy at Checkmarx, an application security software vendor headquartered in Israel, said there were a number of ways a shared library might be infected by a malicious actor.

"Typically third-party libraries are maintained by a group of people who maintain the code base. Since these libraries have many contributors it is sometimes difficult to have one person responsible for the entire library code base, which can potentially allow malicious code to be inserted," Rose told SearchSecurity. "There is also the question of these libraries inheriting functionality from other code bases, so there are definite tradeoffs in terms of risk versus the utilization of existing third-party libraries."

The researchers singled out advertising libraries, which are embedded in many apps and could be granted additional permissions by their hosts, as making this kind of attack more dangerous. They also wrote that such libraries can track users without their consent.

The research focused on Android due to "the availability of data on lists of apps installed on Android devices," but the team noted that they believe their insights would also hold true on iOS "due to similarities in access control and app deployment."

Neither Google nor Apple responded to requests for comment at the time of this post.

Mobile data theft and permission creep

Unfortunately, the researchers had no easy answers for mitigating the threat of mobile data theft from intra-library collusion. The researchers noted that one approach would be to limit the permissions granted to these libraries, but doing so might hamper the ability of developers to monetize their apps, which "could serve as a deterrent to new app developers entering the market and thus the end users may ultimately suffer from reduced content."

Additionally, the team suggested that the companies running the app stores, or even nation-states, could enact policies or laws to detect and remove malicious third-party libraries, but each approach would be problematic. Detection would be difficult because apps can have legitimate reasons for sending data off-device, and enforcement would likely have to proceed app by app, which may not scale.

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, said "it is very likely that a malicious library would remain undetected," but noted there are easier paths to mobile data theft.

"In order to perform this attack, a malicious individual would need to create a library that then is used by multiple applications. They would then need to convince users to download an app [or multiple apps] with many permissions," Bambenek told SearchSecurity. "In the real world, a malicious individual would just get a victim to install an application with a lot of permissions in the first place because it is more direct and easier. I wouldn't expect this to be weaponized in the short-term by criminals."

Rose said the more important issue was that "people need to be cognizant of what permissions a mobile app is asking for when they install it." 

"Does the app really need to have access to your file system, geo location, or camera? Think about what the intended usage is for the mobile app and ask yourself if it is asking for more permissions than it actually needs," Rose said. "If the permission request is not in line with what you intend to use the app for, then do not install it or grant the permissions."

Bambenek said developers also need to avoid permissions overreach, so that their apps do not look as if they are attempting mobile data theft.

"Mobile developers, and developers in general for that matter, need to always focus on secure coding and, in particular, least privilege," Bambenek said. "Adopting a development model that writes code doing only what is necessary for it to do and little else would help greatly."



Very timely article! I just declined yet another online IT market assignment because it required download & installation of some 3rd party apps that had unacceptable permission requirements - including possible SuperUser account access & a load on startup application.

My experience as a 5 star-rated Senior IT professional is that many users are pre-disposed to trust published apps that have lots of useful functions & colorful GUIs, even though they have overreaching permission requirements.

I suspect that either people don't actually read the app's permission requirements, or they haven't taken the time to learn what various permissions actually mean. The latter is partly due to a lack of clear, unambiguous mobile device security guidelines to end users from the major cellular carriers & mobile device manufacturers. (Like good salespeople everywhere, they are not going to lose a lucrative sale or scare a customer by talking about the many threats to their online security & personal privacy that their shiny new mobile device is actually going to create.)

When professional IT people order other IT professionals to install apps with overreaching permissions in order to get a small 3 hour job, the seriousness of widespread mobile security illiteracy becomes absolutely crystal clear.

So let's be totally frank about this: the truth is that the IT & mobile communications industries are rolling out multiple platforms of exploitable Mobile Digital Trojan Horses into the uninformed & clueless hands of consumers all over the planet. These devices may initially arrive as innocent state-of-the-art communications appliances, but when used as directed they can invisibly morph into something more nefarious and without any obvious warning notification to the user.

It takes no imagination whatsoever to see where this process is going to eventually lead us.  

For myself, I earnestly follow some well-researched security best practices guidelines, in the vain hope that my efforts might at least reduce my attack surface by a few square electrons. (But I know, from years of study & practice, that computing devices that connect to the Internet are inherently insecure and probably unsecureable with any technology or set of policies for very long. The daily litany of successful security breaches from every conceivable sector & level of defense is proof of that assertion.)

But one can speed up the inevitable instantly by installing the wrong software app - especially one with overreaching permission requirements. This excellent article explains why.

Michael, do you happen to know if the Android PlayStore apps that facilitated the WireX DDoS Botnet were using infected 3rd party libraries and/or had elevated permission privileges? (That would sure prove the prescience of your article.) Regards, Big Al