With 17 billion smartphone apps downloaded by the end of 2011, and Android apps having been compromised earlier in the year, how alert are we to the security dangers of the smartphone app?
By the end of 2011 around 25 per cent of cellular handsets in active use in the UK will be smartphones – up from around 18 per cent at the end of 2010. While this may not sound much of a rise, it is actually an upsurge of more than 38 per cent, and reflects a sea change that is happening in the world of cellular phones.
That trend got several boosts last year when in late May 2010, the Apple iPad tablet computer went on sale, followed in July by the iPhone 4. During the rest of the year, other cellular handset vendors – notably Nokia, Samsung, and Sony-Ericsson – released advanced smartphones running the Google Android operating system, while Research in Motion (RIM), the firm behind the business and email-friendly BlackBerry handsets, released another new wave of mobiles.
What unites all of these devices, regardless of operating system (OS), is the ability to run apps – mini-applications coded by third-party developers, as well as the mobile vendor – to complete a wide range of functions and interactions. Interactions are the key denominator. While the desktop PC runs software locally that completes most of its functions on the host PC, most apps enable a mobile device to complete the required function on an extensible basis.
'Extensible' typically means via an IP-based data stream – which, on most mobile devices, means the Internet. Take the example of a rail timetable planner – several varieties of app are available for the iPhone and iPad, as well as Android and BlackBerry OS-based devices. Instead of storing all the UK's railway timetables locally, the app acts as an intelligent 'look-up' facility, drawing the required data across an IP-based connection, and presenting it in the required format, often right down to the station platform the train will arrive or depart from.
This app-based Internet extensibility adds a whole new dimension of functionality to the iPhone, iPad, Android, BlackBerry, or Windows Mobile device, and is largely responsible for the surge of demand for these devices. However, it also adds a higher degree of security risk, as was evidenced when the Apple iPad was launched last May, and Alan Bentley, vice president of Lumension, the endpoint data security expert, noted that the iPad posed a higher degree of risk compared with standard business laptop PCs.
First, he said, the much sought-after device will be more targeted for theft, placing additional stress on businesses to ensure that they have both approved the use, and have retained some control over the data that is being stored off-network.
The second major risk, Bentley claimed, is that the iPad will become the target of Web browser-based vulnerabilities, as market popularity inevitably brings increased risk. Hackers are attracted to meaningful targets, and the more popular the platform, the greater the chance that they will be successful.
'The fact that the iPad joins the iPhone, Mac and Google Chrome to use the WebKit open-source browser, means that the browser is likely to become a more popular target for the hacker community,' believes Bentley. 'Times are changing. The consumerisation of IT continues to trend. Businesses need to implement the right policies around the use of personal technology in the workplace, if they want to avoid leaving a gaping hole in their security posture.'
Fast-forward almost 12 months to the present day, and Bentley's comments seem most prescient, as the reputation of the Android handset market took a battering in March when an unknown group of hackers took around 50 Android apps, infected them with the DroidDream malware, and then uploaded them online for handset users to download. Joji Hamada, a security researcher with Symantec, noted in March 2011 that the DroidDream malware is capable of rooting the smartphone, harvesting data, and/or opening a backdoor on the device.
Hamada reckons that between 50,000 and 200,000 downloads took place within the four-day time frame in which the apps were available. The malware, he adds, includes Android.Rootcager, an executable file that 'roots the phone without user consent to perform various activities'. The file 'DownloadProvidersManager.apk' is dropped by the malware to monitor installed applications and download additional packages of code as a background service, Hamada noted in his analysis of the malware. The malware also attempts to record IMEI and IMSI numbers, which are used to identify mobile phones, and upload the data to an external website.
As any cellular expert will attest, it is the IMEI (International Mobile Equipment Identity) and the IMSI (International Mobile Subscriber Identity) that are the serial numbers that identify the mobile to the cellular network, and allow charges to be run up against the legitimate user's account. It gets worse. The Information Security Forum (ISF) suggests that around 260,000 Android handset users were affected by the DroidDream infection.
ISF global vice president Steve Durbin argues that software developers now have a duty of care to customers, but also advises users to exercise caution when downloading anything onto their mobile devices. 'Every time an individual downloads an app, some software, or accesses a website using a mobile device, it introduces risks – risks that are often outside of the control of the individual and of the security professional,' he warns.
According to Durbin, the ISF advises that there is a need to strike a balance between end-users and the protection of the organisation and confidential data: 'For example, establishing security policies for the use of personal mobile devices and educating users about the security risks'. This has long been the case in respect to usage of standard enterprise IT systems, but it took time and expense to educate end-users to potential risks. The question is: do enterprises now face repeating the cycle as workforces march boldly forth using smartphones as their primary electronic business productivity tool?
Open-source = open invitation?
This lack of security on app-driven mobile devices – especially on the Android platform – is something that David Harley, security research fellow with ESET, the anti-virus/firewall vendor, is most concerned about. The principal problem with smartphone apps, he points out, is that they are difficult to control, because Google Android is an open-source platform – meaning that almost anyone can create and modify apps for the mobile device, which can then be offered for download on the Internet.
'Android is terrifying,' says Harley. 'Analyst Gartner is now saying that there will be 17 billion smartphone apps [not just on Android] downloaded by the end of 2011.' He adds that, as a result, it is an almost impossible task to track them. Google responded to March's DroidDream fiasco by pushing a security update to the affected users which wiped their mobiles of the offending malware. Here is the ultimate irony: that update itself was hacked and released by cyber-criminals who had infected the update with further malware.
ESET's Harley says that there is nothing very surprising about legitimate anti-malware utilities being compromised and subverted: 'Back in the mid-1990s, at the onset of the macro-virus onslaught, a respected anti-virus researcher put out a document containing protective macros'. However, as some of them were execute-only, someone had the idea of putting out a very similar document, but infected it with a new macro-virus.
Consumerisation of mobile devices
So why all the fuss about apps and a lack of security on mobile devices? Are the potential threats really as bad as some alarmists claim? The answer, it seems, lies in the fact that a growing number of organisations are permitting – possibly even finding themselves compelled to permit – their staff to use personal devices to access business email and other enterprise data resources.
According to research carried out late last year by security vendor Check Point Software Technologies, 70 per cent of companies with mobile users do not use data encryption to secure their business laptops, and 87 per cent do not encrypt portable media devices (smartphones). Check Point says its research shows that, as organisations continue to grow in size, IT administrators are increasingly challenged with securing mobile data and complex IT environments, citing data loss, user management, lost or stolen equipment, and employees connecting to untrusted wireless Internet access, as top concerns. In its survey of more than 220 IT security professionals, the vendor adds that a majority of businesses were found to be potentially vulnerable to unauthorised network access from lost or stolen devices.
The company's head of western European sales Nick Lowe feels that it is becoming more complex for firms looking to widen the number of devices that can log onto the network and still remain secure. Data, he explains, is becoming 'incredibly mobile', and the consumerisation of the device means that questions have to be asked – by employers – about who has assumed responsibility for the security of the device.