
Infosec Professional's Guide to Managing Smartphone Apps


By: RoninSmurf

January 20, 2016

[Image caption: Smartphone. Android smartphones make our lives easier and keep us entertained with a wonderful array of apps.]

Testing Apps

Given how much information is on our phones, it's little surprise to see the rise of malware, spyware and viruses. Even though each of the major vendors verifies uploaded apps, it's pretty easy to sneak in malicious code. For security pros, it's key to test a few Smartphone apps.

Test a Wallpaper

For fun, I like to check the app stores for various companies and see what apps made it into the fold. I like to know what horrible things are being downloaded by users. Let's take a look at an app I tested:

Wallpaper

  • The description for the app I tested is "400 Hot Wallpapers!" Yeah, we can probably see where this is going...
  • The application had a rating of 4.1 out of 5, with over 226 people rating it. The worst reviews just complained of popups, which is not uncommon for free apps.

App Permissions

Whoa! My network scanner app has fewer permissions! This app could:

  • Use your location (Why does a wallpaper app need my location?)
  • Use your rear and front-facing camera (What, what?)
  • Use your microphone (My wallpaper is listening in on me now?)
  • Use your contacts (I guess it's a very social wallpaper.)
  • Use your media library (This is common for any media based app.)
  • Use your phone (.....)
  • Use the appointments in your calendar (The app has places to go.)
  • Send push notifications (Probably because of the popup banners.)
Breaking this down, this free wallpaper will not only run pop-up ads (causing issues of their own), but it can use my front and rear cameras, listen in at any time, make calls, spam my contacts, know where I am, check my appointments, etc. This is why people worry about "Big Brother".

Knowing How App Stores Work

Let's take a look at the app stores from a developer's point of view.

Google: Google phones are among the easiest to upload apps to. For a one-time $25 developer fee, you can upload your APK file. Google does some file checking and a decent job of scanning your files, adding those notes to your application. Google, however, doesn't vet any apps.

Apple: Apple is one of the tougher ones. They'll scan your app and have someone check it before uploading.

Microsoft: Microsoft is pretty much like Apple. They'll scan an app and have a live person check that it does what you say it will (for the most part).

Truth be told, it's not very hard to sneak something past any of these vendors (though Apple seems to be a little tougher).

Understanding End Users

An average person's Smartphone significantly affects their life. Their phones facilitate communication and carry personal numbers, work contacts, notes, emails, photos, locations, tasks, books, etc.

To protect their data, they set passwords. Some even use biometrics or facial recognition to unlock their phones. They might also have remote lock, wipe, alarm or GPS tracking for lost or stolen phones. It's equivalent to having a brick wall surrounding their house with a reinforced front door, deadbolts and a ravenous guard dog for good measure. They're locked down and secured! Except, someone left the back door open...

End users may ask you, "What's the point in having a Smartphone if apps can't be installed?" I'm not saying people shouldn't install applications, but they should think about what's really being installed.

On the surface, most apps look great.
But the ugly truth is that people under-examine what they're installing, reading only the description, screenshots and maybe some reviews. Often, people will leave comprehensive reviews (once you get past the usual internet troll) that break down the application in great detail. The problem is that those people also rarely understand what they're installing.

I've even seen IT professionals rushing to install the "hot" new Mario clone or sexy wallpapers without scrolling down the long, boring text that eventually explains what the app is really going to do. I can't blame people entirely for skimming. It's a bit like reading wordy disclaimers every time you install a piece of software. But, for apps, IT'S WORTH IT.

Final Thoughts

As a security pro, take the time to know the dangers of apps. Work with end users to review ANY application they install on their phones. After all, it's not only their data you have to worry about; it's yours too if they have your information on their phones.
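One way to make that review repeatable, as an added example that is not from the original article: the script below reads the permissions an Android app's manifest declares and flags the sensitive ones that the app's category does not explain. The sample manifest, the package name and the per-category allowlist are constructed assumptions modelled on the wallpaper app described above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions that expose the data the article worries about.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CALL_PHONE": "phone",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "media library",
}

# Assumption: a wallpaper app needs network (fetch images, show ads) and storage.
EXPECTED = {
    "wallpaper": {
        "android.permission.INTERNET",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
}

def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def review(manifest_xml: str, category: str) -> dict[str, list[str]]:
    """Split permissions into ones the category explains and sensitive ones it doesn't."""
    expected, unexplained = [], []
    for perm in requested_permissions(manifest_xml):
        if perm in EXPECTED.get(category, set()):
            expected.append(perm)
        elif perm in SENSITIVE:
            unexplained.append(f"{perm} ({SENSITIVE[perm]})")
    return {"expected": expected, "unexplained": unexplained}

# Constructed manifest modelled on the permission list in the article (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hotwallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>"""
```

Running `review(SAMPLE_MANIFEST, "wallpaper")` lists the six sensitive permissions a wallpaper has no business asking for; the "unexplained" list is the conversation to have with the end user before the install.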
