Infosec Professional’s Guide to Managing Smartphone Apps

January 20, 2016 | Views: 6525


Smartphones make our lives easier and keep us entertained with a wonderful array of apps.


Testing Apps

Given how much information is on our phones, it’s of little surprise to see the rise of malware, spyware and viruses. Even though each of the major vendors verifies uploaded apps, it’s pretty easy to sneak in malicious code. For security pros, it’s key to test a few Smartphone apps.

Test a Wallpaper

For fun, I like to check the app stores of various companies and see what apps made it into the fold. I like to know what horrible things are being downloaded by users. Let’s take a look at an app I tested:

Wall Paper

  • The description for the app I tested is “400 Hot Wallpapers!” Yeah, we can probably see where this is going…
  • The application had a rating of 4.1 out of 5, with over 226 people rating it. The worst reviews just complained of popups, which is not uncommon for free apps.

App Permissions

Whoa! My network scanner app has fewer permissions! This app could:

  • Use your location (Why does a wallpaper app need my location?)
  • Use your rear and front-facing camera (What, what?)
  • Use your microphone (My wallpaper is listening in on me now?)
  • Use your contacts (I guess it’s a very social wallpaper.)
  • Use your media library (This is common for any media based app.)
  • Use your phone (…..)
  • Use the appointments in your calendar (The app has places to go.)
  • Send push notifications (Probably because of the popup banners.)

Breaking this down, this free wallpaper will not only run pop-up ads (causing issues of their own), but it can use my front and rear camera, listen in at any time, make calls, spam my contacts, know where I am, check my appointments, etc. This is why people worry about “Big Brother”.
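As an added example that is not from the original article, here is a small permission audit that encodes the reasoning above: compare what an app requests against what its category plausibly needs, and weight anything unjustified by how sensitive it is. The capability names mirror the list above; the category baselines, weights and thresholds are my own assumptions.

```python
"""Flag app permissions that go beyond what the app's category justifies.

Added example, not code from the article. Baselines and weights are assumed.
"""
from dataclasses import dataclass

# How much an UNJUSTIFIED capability should raise the risk score (assumed).
SENSITIVITY = {
    "location": 3, "camera": 3, "microphone": 3, "contacts": 3,
    "phone": 3, "calendar": 2, "media library": 1, "push notifications": 1,
}

# Capabilities each category can reasonably justify (assumed baselines).
BASELINE = {
    "wallpaper": {"media library", "push notifications"},
    "network scanner": {"location", "push notifications"},
    "messaging": {"contacts", "microphone", "camera", "media library",
                  "push notifications"},
}


@dataclass
class Finding:
    capability: str   # the requested capability the baseline does not cover
    weight: int       # its contribution to the risk score


def audit(category, requested):
    """Return (risk_score, findings) for an app of `category` requesting
    `requested`. Unknown categories justify nothing; unknown capabilities
    get a default weight of 2 so they are never silently ignored."""
    allowed = BASELINE.get(category, set())
    findings = [Finding(c, SENSITIVITY.get(c, 2))
                for c in sorted(set(requested)) if c not in allowed]
    return sum(f.weight for f in findings), findings


def verdict(score):
    """Map a risk score to a review decision (thresholds are assumed)."""
    if score == 0:
        return "ok"
    return "review" if score < 6 else "reject"


# Constructed input: the wallpaper app's permission list as shown above.
WALLPAPER_APP = ["location", "camera", "microphone", "contacts",
                 "media library", "phone", "calendar", "push notifications"]

if __name__ == "__main__":
    score, findings = audit("wallpaper", WALLPAPER_APP)
    print(f"score={score} verdict={verdict(score)}")
    for f in findings:
        print(f"  unjustified: {f.capability} (+{f.weight})")
```

Run as-is, the wallpaper app scores 17 and is rejected, while a network scanner asking only for location and push notifications scores 0.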


Knowing How App Stores Work

Let’s take a look at the App Stores (from a Developer’s Point of View).

Google: Google’s store is one of the easiest to upload apps to. For a one-time $25 developer fee, you can upload your APK file. Google does some file checking and a decent job of scanning your files, attaching those notes to your application. Google, however, doesn’t vet any apps.

Apple: Apple is one of the tougher ones. They’ll scan your app and have someone check it before uploading.

Microsoft: Microsoft is pretty much like Apple. They’ll do a scan on an app and have a live person check it to make sure it does what you say it will (for the most part).

Truth be told, it’s not very hard to sneak something past any of these vendors (though Apple seems to be a little tougher).


Understanding End Users

An average person’s smartphone plays a significant part in their life. Their phone facilitates communication and carries personal numbers, work contacts, notes, emails, photos, locations, tasks, books, etc.

To protect their data, they set passwords. Some even have biometrics or facial recognition to unlock their phones. They might also have a remote lock, wipe, alarm or GPS tracking for lost or stolen phones. It’s equivalent to having a brick wall surrounding their house with a reinforced front door, deadbolts and a ravenous guard dog for good measure. They’re locked down and secured! Except, someone left the back door open…

End users may ask you, “What’s the point in having a Smartphone if apps can’t be installed?” I’m not saying people shouldn’t install applications, but they should think about what’s really being installed.

On the surface, most apps look great. But the ugly truth is that people under-examine what they’re installing, reading only the description, screenshots and maybe some reviews. Often, people will leave comprehensive reviews (once you get past the usual internet troll) that break down the application in great detail. The problem is that those people also rarely understand what they’re installing.

I’ve even seen IT professionals rushing to install the “hot” new Mario clone or sexy wallpapers without scrolling down to the long, boring text that eventually explains what the app is really going to do. I can’t blame people entirely for skimming. It’s a bit like reading wordy disclaimers every time you install a piece of software. But, for apps, IT’S WORTH IT.


Final Thoughts

As a security pro, take the time to know the dangers of apps. Work with end users to review ANY application they install on their phones. After all, it’s not only their data you have to worry about; it’s yours too if they have your information on their phones.

36 Comments
  1. lmao at the second screenshot… use an anonymous Microsoft account… That would set the shit off of my red flags… then for a freaking wallpaper app? Yeah, not needed, obvious malware…

    For me, I’m a big jailbreaker/rooter, VERY BIG… cannot have a phone without doing such, otherwise it’s just useless… I don’t install an app unless it’s absolutely needed (with the exception of Temple Run and Monopoly respectively on my iPhone and iPad… :) ). It’s to the point that I don’t even allow most apps to use cellular data, nor do I allow just any app to background refresh. I also do a normal cleanup of log and cache files stored on the phone from both the browser and the apps, then each app is locked with a code to help prevent redirects to the App Store. I also have a script for this, but I don’t like installing too many tweaks because they tend to eat performance after having a couple of them installed. I also see the Firefox browser doesn’t allow an automatic redirect, which is freaking awesome.

    I have a tweak to limit cookies stored on the phone too… I have no problem remembering my passwords.

    Also, I do not use social media apps on the phone whatsoever… They collect more than they need to know through the browser by itself… FB recommended people that I would have never thought to look for and have no digital linkage to, which is creepy to me, so I just deactivated it altogether (also because of their real-name policy).

    On top of this, I actually do read this not just for apps, but for website registration or certain registrations in apps beyond installation that require access to certain profile information… On Android phones, though, you can actually modify some of the access for some apps initially or through the settings after it’s installed, if I’m not mistaken…

    Anyway, I just feel that as a tech, unfortunately, we can’t enjoy the same spoils as others because we are pretty aware of what can happen through an app, an email or a webpage. We don’t have the same “ignorance”, as I like to call it… This should be something that we know by default, because a phone can only be protected to a certain point, and the easiest way to hack a person is through their cellphone…

  2. Good advice! We all have to be on our guard. Laziness and small mistakes can cost in life. Thanks!

  3. True, with Android apps I always look for the one app in the category with fewer permissions that need to be involved with running it at a basic level.

  4. Thanks! We all need to know more about mobile.. and how to assess the security of an app.

  5. The author makes a great point about who reads the restrictions. The same problem applies to all of the “I Accept” clauses for computers. Who bothers to read the stuff and the privacy that they give away?
