RSA11: Mobile apps at risk of bypass code
- Published
The world has entered a "new frontier" of information security threats brought on by network stress and the increasing sophistication of our devices, an anti-virus vendor told a security conference.
Presenting in the keynote theatre at the RSA Conference in San Francisco, McAfee chief technology officer George Kurtz said the lack of IPv4 addresses and the rise of devices from printers to cars with their own operating systems raised concerns about the security of the network.
Kurtz raised the prospect that Apple and Google are letting malware slip through their approvals processes.
“If you download something from an app store are you assuming it is OK?" he said.
"When do Apple [or Google] have time to go over three million apps with a fine tooth comb?”
He described an experiment where an app was created that was similar to the popular flashlight app but did a lot more than what users would assume.
“There is no doubt that this will go through, if you downloaded it then it will connect to Twitter and look for hashtags to connect to our command and control centre. It can continue to post to the server, as the app regulates with the server and downloads a remote code," he said.
“We did not put this into the app store, we put the app with the code and created a command and control centre backend. The app checks in with this backend server and can steal photos off the phone. We also used it to send an SMS to the Red Cross but we are not donating, the victim is.”
He said it took a week to write and the point was to demonstrate a "world that had not been looked at".
“This is one example [of a malicious app] and we have seen it done in the past and it is something that we will continue to see,” he said.
Chris Wysopal, chief technology officer of Veracode, said that mobile app scanning was the most important trend for his company, because people can create fake websites as easily as they can create fake apps that collect credentials.
“Companies are outsourcing the development of their apps so how do they know what is in the code?" Wysopal said.
"How can you control the new way of getting data into an organisation? It is out of control, as they do not know what they are running so it is an unknown risk.
“The mobile risk is our main priority, as although we do not see a worm infecting phones, the problem is with security and that space has changed. Worms make a big noise and targeted attacks go undetected.”
This article originally appeared at scmagazineuk.com