When using a BlackBerry, Android, iPhone or other smartphone, we tend to assume all the nifty Web apps on these devices are relatively secure. At the least, we expect that a lot of the painful security lessons we received on PCs a decade ago have been applied to today’s phone apps.
But when Intrepidus Group researchers Zach Lanier and Mike Zusman started taking mobile phone apps apart to see what makes them tick, they discovered that our assumptions have been wrong. At the SecTor 2010 conference Wednesday, they walked their audience through some of the more glaring examples of old-school flaws they uncovered in many Web apps for mobile phones.
The problems that need fixing are on the developer side, Lanier said. In the rush to satisfy smart phone users hungry for new apps, the same mistakes that were made around 1999-2000 in the PC world are being repeated. After looking at the more popular phones like Android and BlackBerry, the two discovered, among other things, that:
– Intercepting one’s credentials on an app like Foursquare is pretty easy.
– Storage apps — popular among those who like to store and easily retrieve music and video on their phones — contain security holes an attacker could exploit to cause a denial of service or bypass digital rights management controls.
– Carrier-based apps tend to trust you just because you happen to be on the carrier network.
– Third-party apps are sometimes better than carrier-based apps in this regard, but there’s still incomplete support for open standards.
– Man-in-the-middle attacks are fairly trivial across the board.
– It’s trivial for a bad guy to replay a user’s picture upload requests via a third-party upload app for BlackBerry and send their own, potentially malicious files to random accounts. Zusman said injection flaws in the picture upload feature abound and that it was fairly simple to inject their own XML attribute.
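The replay and "wrong account" findings above come down to two server-side checks the upload endpoint never made: the request was not bound to a single use, and the destination account was never compared to the authenticated user. The following is an added illustration, not code from the researchers or from any app they examined; it simulates an upload endpoint with a naive handler beside a hardened one. All names, the shared signing key and the sample requests are constructed for the demonstration (a real deployment would derive the signing key per session rather than share one constant).

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in practice derive a per-session key, never share a constant.
DEMO_KEY = b"constructed-demo-signing-key"


def sign(fields, key=DEMO_KEY):
    """HMAC over the canonical (sorted) request fields, so the signature covers
    the account, filename, timestamp and nonce together."""
    canonical = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_request(token, account, filename, ts):
    """Client side: every upload carries a fresh nonce and a signature."""
    fields = {"account": account, "filename": filename,
              "ts": str(ts), "nonce": secrets.token_hex(8)}
    return {"token": token, **fields, "sig": sign(fields)}


class NaiveUploadServer:
    """Accepts any request that carries a valid session token. A captured
    request can be resent verbatim, and the target account is never checked
    against the session owner."""

    def __init__(self, sessions):
        self.sessions = sessions          # token -> username
        self.uploads = []                 # (account, filename) actually stored

    def handle(self, req):
        if req["token"] not in self.sessions:
            return "401 bad token"
        self.uploads.append((req["account"], req["filename"]))
        return "200 stored"


class HardenedUploadServer:
    """Same endpoint with the checks the naive version lacks: the account must
    match the session owner, the timestamp must be recent, the nonce must be
    unused, and the signature must cover all of those fields."""

    def __init__(self, sessions, window=300):
        self.sessions = sessions
        self.window = window              # seconds of clock skew tolerated
        self.seen_nonces = set()          # single-use nonces already consumed
        self.uploads = []

    def handle(self, req, now):
        user = self.sessions.get(req["token"])
        if user is None:
            return "401 bad token"
        if req["account"] != user:        # authorization, not just authentication
            return "403 account mismatch"
        if abs(now - int(req["ts"])) > self.window:
            return "401 stale request"
        if req["nonce"] in self.seen_nonces:
            return "409 replay detected"
        expected = sign({k: req[k] for k in ("account", "filename", "ts", "nonce")})
        if not hmac.compare_digest(expected, req["sig"]):
            return "401 bad signature"
        self.seen_nonces.add(req["nonce"])
        self.uploads.append((req["account"], req["filename"]))
        return "200 stored"


def demo(now=1_700_000_000):
    """Run one legitimate upload, then a verbatim replay and a replay whose
    destination account was edited, against both servers."""
    sessions = {"tok-alice": "alice"}
    original = build_request("tok-alice", "alice", "cat.jpg", now)
    replay = dict(original)                       # captured and resent as-is
    redirected = dict(original, account="bob")   # captured, account field edited

    naive = NaiveUploadServer(sessions)
    hardened = HardenedUploadServer(sessions)
    return {
        "naive": [naive.handle(original), naive.handle(replay), naive.handle(redirected)],
        "hardened": [hardened.handle(original, now), hardened.handle(replay, now),
                     hardened.handle(redirected, now)],
        "naive_stored": naive.uploads,
        "hardened_stored": hardened.uploads,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The naive server stores all three uploads, including the one redirected to a different account; the hardened server stores only the first. Note that the signature alone does not stop a verbatim replay, since the replayed request carries a valid signature; the single-use nonce and timestamp window are what close that gap, and the account-to-session comparison is what closes the "random accounts" one.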
Lanier and Zusman concluded that in the mobile phone Web app world there’s a lack of guidance, standards and best practices for developers.
“We learned about many of these weaknesses 10 years ago,” Lanier said. “We’re forgetting the lessons we already learned.”
By exposing these old-school problems, the researchers hope to shake the developer community into a state of vigilance.
Over the course of their research, the duo relied on such techniques as white box source code review, black box code review that included acquiring the Web app binaries, and lots of reverse engineering, disassembly and decompilation, and network-protocol analysis.