SPOTLIGHT ON SECURITY

Security Firms Scour Mobile Apps

Security pros weren’t very kind to mobile applications last week. A number of firms knocked apps produced for the smartphone market for all kinds of risky behaviors that could lead to trouble not only for mobile device owners, but also for their employers.

While Android has been a poster child for misbehaving apps in the past, competitor Apple’s apps aren’t as pristine as is commonly believed, suggests a report from Appthority.

Ninety-one percent of the top 400 free and paid iOS apps exhibited risky behaviors, compared to 83 percent of the top 400 paid and free Android apps, according to its Winter 2014 App Reputation Report.

“I think a lot of folks have a false sense of security because they focus on malware and that usually means Android,” said Domingo Guerra, president and cofounder of Appthority.

“But what we’ve seen is that security includes privacy, data loss and vulnerabilities,” he told TechNewsWorld. “From that perspective, iOS and Android are comparable in terms of risk.”

Risky Business

Ninety-five percent of the top 200 free iOS and Android apps exhibited as least one risky behavior, and 80 percent of the 200 top paid apps for the platforms exhibited at least one risky behavior, the report also notes.

Risky behaviors in the apps studied by Appthority include location tracking, sharing data with advertising networks or analytics companies, accessing and sharing a user’s contact list or address book, and accessing a user’s calendar.

Other behaviors considered risky by Appthority are in-app purchasing, identifying users through unique identfiers, and support for single sign-on through a social networking site.

Many developers allow risky behaviors in their apps in order to remain in business.

“They’re stuck in a difficult position because of how difficult it is to monetize their apps,” Guerra said.

“In general, folks are not paying for applications. They’d rather download the apps for free or pay 99 (US) cents. Neither free nor 99 cents is enough, especially when they have to continue to provide content and updates and support,” he explained.

“What that means is that developers have to collect information from their users and sell it to advertising firms,” added Guerra.

More Bad News

Privacy violations and excessive data gathering continue to plague mobile apps, according to Cenzic.

Those kinds of misbehaviors appear in more than 80 percent of all mobile applications, notes its 2014 trends report, released last week.

Meanwhile, malicious apps in Google Play are outpacing Google’s efforts to remove them. Malicious apps grew 388 percent from 2011 to 2013, while the number of malicious apps removed annually by Google dropped from 60 percent in 2011 to 23 percent in 2013, indicates recent research from RiskIQ.

Even old Android vulnerabilities continue to hang around long after they’ve been exposed to the light of day, as Rapid7 pointed out in a blog posting by Tod Beardsley.

Seventy percent of Android devices are still vulnerable to Metasploit, which was publicized in December 2012 and patched a year ago in Android 4.2.2, he noted.

Metasploit can be used to take control of an Android device’s cameras, GPS info, SD cards and address books; one researcher even compromised Google Glass with it.

S&P Flops on Security

When it comes to stock performance, the companies in the S&P 500 have been on a tear. When it comes to security, not so much.

At any given time in 2013, between 63 and 82 percent of S&P 500 companies were compromised by an externally observable event — accessing a black website, for instance — found a recent report from BitSight.

What’s more, only 18 percent of the companies had strong SSL certificates — the rest sent info on the Net without proper encryption. In addition, only 24 percent of the businesses had strong SPF records, a technology that can block spoofing of email addresses.

“It’s surprising to see so few of these companies immune from attack,” Stephen Boyer, CTO and cofounder of BitSight, told TechNewsWorld.

BitSight used sensors located around the world to gather its information on the S&P 500 companies. That has its limitations.

“We don’t see everything, so we’re actually probably seeing the floor rather than the ceiling of the problem,” Boyer observed.

More Than Meets the Eye

Years ago, hackers thought it was a good idea to hide malicious code in images through a practice called “steganography.” After some success, their targets began to catch on to what was going on because hiding malware programs in images drastically increased the image’s size. The practice is being revived, though, in a new variant of the Zeus banking Trojan, ZeusVM.

Unlike steganographers of old, the author of ZeusVM is hiding just a small amount of code in images.

“It’s a way for the malware’s configuration file to be delivered to infected devices,” said Etay Maor, senior product marketing manager for Trusteer.

“It lowers the possibility of being identified,” he told TechNewsWorld, “because it is using image files that aren’t usually associated with malware files, and so it may not be scanned by some security software for malware.”

Zeus configuration files typically contain a list of banks targeted for attack.

The image files also can be handy for camouflaging infected servers on the Net. Those servers often are identified by scans that see malware-related files on them. “If they see an image, they won’t look at it as something hostile,” Maor said.

Breach Diary

  • Feb. 15. Kickstarter reveals data breach that allowed hackers to access some of its customers’ data. No credit card card information was compromised and only two accounts showed evidence of unauthorized activity, the company said.
  • Feb. 17. Tesco, the UK’s largest retailer, suspended more than 2,000 accounts after their owners’ email addresses and passwords were posted to the Internet by hackers. The data reportedly was gathered from third-party websites and exploited the habit of users to use the same password at multiple websites.
  • Feb. 18. Consumer Bankers Association and Credit Union National Association estimate financial institutions have spent to date US$200 million to replace payment cards following Target security breach. The groups predict that figure will continue to climb. Fraud losses are excluded from their calculations.
  • Feb. 18. The Intercept reports top-secret documents leaked by Edward Snowden reveal that the NSA and the UK’s GCHQ targeted activist groups and WikiLeaks with tactics ranging from covert surveillance to prosecution.
  • Feb. 18. A resident of Maryland represented by the Electronic Frontier Foundation files lawsuit against the government of Ethiopia for infecting his computer with spyware, wiretapping his Skype calls, and monitoring his family’s use of his computer for a period of months. The man is seeking damages from Ethiopia under the U.S. Wiretap Act and Maryland’s privacy statutes.
  • Feb. 18. Personal information — including names, nationalities, location date and boat arrival information — of nearly 10,000 people seeking political asylum in Australia was accidentally posted to the Internet for public view by that nation’s Department of Immigration and Border Protection.
  • Feb. 18. University of Maryland discovers data breach that compromised personal information — including names, birth dates, Social Security numbers and student ID numbers — of more than 300,000 faculty, staff and students dating back to 1998.
  • Feb. 19. Adallom Labs identifies variant of Zeus Trojan that steals a user’s Salesforce.com sessions. The malware allows an attacker to bypass traditional security protections and exfiltrate company data from Salesforce.
  • Feb. 19. IS Decisions releases survey with findings that 35 percent of U.S. and UK organizations with more than 10,000 employees have suffered an internal security breach in the past 12 months. It also reveals that 12 percent of IT pros are more aware of insider threats because of whistleblower Edward Snowden’s actions, and that 19 percent of the employees in the organizations participating in the tally share passwords.
  • Feb. 20. World Privacy Forum posts to its website an interactive map of medical data breaches in the United States from 2009-2012.
  • Feb. 20. A Star Tribune poll finds 82 percent of Minnesotans are shopping at Target as often as they did before the data breach that compromised personal data and payment card information of more than 110 million of the Minnesoata-based retailer’s customers.

Upcoming Security Events

  • Feb. 23-24. BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco. Free.
  • Feb. 24-28. RSA Conference USA. Moscone Center, San Francisco. Full Conference Pass: $2,595; Academic, $695; one day, $995.
  • Feb. 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Feb. 27. TrustyCon. 9:30 a.m.-5 p.m. PT. AMC Metreon, 135 4th St #3000, Theater 15, San Francisco. Sponsored by iSEC Partners, Electronic Frontier Foundation (EFF) and DEF CON. $50 plus $3.74 fee.
  • Feb. 27. Suits and Spooks security Town Hall. 7-10 p.m. PT. Ritz Carlton, San Francisco. Ticket: $104.
  • March 3-8. Cyber Guardian 2014. Sheraton Inner Harbor hotel, Baltimore, Md. Sponsored by SANS. Courses range from $4,895-$5,095.
  • March 4-5. 3rd Annual Oil & Gas Security 2014 Summit. Sofitel Dubai Jumeirah Beach Hotel, Dubai. Registration: Pounds 1,645 plus VAT.
  • March 5-10. DFIRCON 2014. Monterey Marriott, Monterey, Calif. Sponsored by SANS. Courses range from $4,845-$5,095.
  • March 12-23. ICS Security Summit. Contemporary Hotel, Lake Buena Vista, Fla. Sponsored by SANS. Cources range from $1,700-$4,595.
  • March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
  • March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
  • April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
  • April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
  • April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
  • April 17-18. Suits and Spooks San Francisco. Fort Mason in the Firehouse, San Francisco. Registration: Through March 10, $380. After March 10, $575.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and
  • Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: thru June 2, $1,795; thru July 26, $2,195; after July 26, $2,595.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI, Amsterdam. Registration: thru Oct. 27, 1,095 euros plus VAT; after Oct. 27, 1,295 euros plus VAT.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • I work at a mobile app development company, AB Mobile Apps, and we build custom apps for clients. Our plan is we build apps with a larger upfront purchase cost to the client so we will not have to sell data to advertisers, and our clients get the rights to the app. It works better than having to worry about building an app and then cover the cost through other means.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels