The old adage that less is more is true when it comes to mobile devices: The less you have on them the more secure you are.
That’s why it’s important for any security awareness program to not just warn employees of the dangers of downloading applications from sources other than the Google or Apple app stores, which try hard to ensure — with varying degrees of success — apps don’t come with malware.
However, the stores can’t ensure the apps are safely coded. That’s just as important, as a recently published University of Michigan study into poorly designed Android apps that leave ports open shows. Open ports are a known problem on enterprise networks, which is why administrators make every effort to close them. But employees can add anything to their mobile devices and then connect to the network, potentially leading to serious enterprise security problems.
More importantly, however, the study illustrates how app developers still haven’t learned how to safely code their creations.
To find out how many apps in the Google Play store have this vulnerability, university researchers created a scanning tool that analyzed over 100,000 Android apps and found 410 vulnerable ones, with a total of 956 potential exploits. Some of these apps had 10 to 50 million downloads on the official market; one is pre-installed on some devices.
To get an idea of how many of these apps might be nearby, the researchers ran a port scan on the UMichigan campus network and within two minutes found a number of mobile devices that were potentially running vulnerable apps.
“These vulnerabilities can be exploited to cause highly-severe damage such as remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution,” say the authors.
The bugs were reported to app developers, some of whom acknowledged the report and therefore presumably are fixing their code.
The researchers created several videos showing how an attack might work. This example uses the app WiFi File Transfer. The app doesn’t open a port by default; users need to toggle a button to start the service, which admittedly largely reduces the attack window. However, the researchers note, on-device malware can spy on the port status by monitoring the proc file and send exploitation traffic as soon as the user opens the port. The user’s photos on the SD card are then silently stolen by the malicious app, which doesn’t have the READ_EXTERNAL_STORAGE permission, and uploaded to the attacker’s server. This attack generally applies to many of the vulnerable open-port apps identified and described in the research paper.
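The proc file the researchers refer to is the kernel's socket table, which is also what a defender or developer can read to audit which app services are reachable from the network. The following is an added example, not the researchers' tool or any code from the study: it parses a constructed /proc/net/tcp dump and separates listeners bound to all interfaces (exposed to the network) from those bound to loopback (reachable only by apps on the same device). The UIDs and addresses in the sample are made up.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real device).
# Columns: sl local_address rem_address st ... uid ... ; st 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 22001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10124        0 22002 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B3C2 5DB8D80D:01BB 01 00000000:00000000 00:00000000 00000000 10125        0 22003 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A


def parse_addr(hex_addr):
    """Decode 'IIIIIIII:PPPP' as found in /proc/net/tcp into (dotted IP, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel prints the IPv4 address as a little-endian 32-bit hex value.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text):
    """Return (ip, port, uid) for every LISTEN socket in a /proc/net/tcp dump.

    On Android each installed app runs under its own uid (10000 and up), so the
    uid column tells you which app owns the listener.
    """
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue  # header line or junk
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = parse_addr(fields[1])
        found.append((ip, port, int(fields[7])))
    return found


def network_exposed(sockets):
    """Keep only listeners other hosts can reach, i.e. not bound to loopback."""
    return [s for s in sockets if not s[0].startswith("127.")]


if __name__ == "__main__":
    for ip, port, uid in network_exposed(listening_sockets(SAMPLE_PROC_NET_TCP)):
        print(f"uid {uid} listens on {ip}:{port} and is reachable from the network")
```

A service that only needs to talk to other components on the same device should bind to 127.0.0.1, which keeps it out of the exposed list entirely; anything that must listen on the network needs real authentication on that port.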
Other videos done by the researchers showing potential exploits can be found here.
The Hacker News notes there are some limitations to a possible exploit. “A port opened by an application can not be exploited until a vulnerability exists in the application, like improper authentication, remote code execution or buffer overflow flaws. Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, where anyone can buy a cheap cloud service to scan the whole Internet within few hours.”
Still, infosec pros need to do two things: In an enterprise they must impress upon employees how important it is to have as few apps as possible on a mobile device that will connect to the organization’s network. And those in software development shops have to redouble their efforts to ensure coders are following best practices.