It’s no secret is that the smartphone is the modern man’s best friend. Over 7 billion mobile devices are being used today all around the world and they are multiplying 5 times faster than human beings. With the astronomical amounts of private information being transferred worldwide, the need for strong mobile security has become paramount. Unfortunately, the news about new vulnerabilities and high-profile breaches are raining down on us.
More and more daily functions are being performed via smartphones and tablets, with the majority of them running on the Android and the iOS platforms. Just for example, PayPal mobile transactions crossed the 46 million US dollar mark in 2014. This has made cybercrime a lucrative industry, with hackers constantly seeking new ways to exploit application-layer vulnerabilities in mobile apps.
Faulty mobile application development processes and porous application code is enabling researchers churn out POCs of severe nature. This article will cover just a few of them from recent weeks.
All You Wanted To Know About the Samsung SwiftKey Vulnerability
The SwiftKey app comes pre-installed on all Samsung devices. Over 600 million Samsung users have this vulnerable keyboard software that also can’t be uninstalled. These include all the bleeding edge specced Samsung flagships – Galaxy S4, Galaxy S5 and the recently released Galaxy S6 / S6 Edge. The Proof of Concept (POC), published by Ryan Welton, clearly shows how the flaw is exploited.
The vulnerable Samsung device and the hacker’s malicious WiFi connection (hotspot) are a potent recipe for disaster. The hacker simply can manipulate the SwiftKey mechanism and execute a malicious payload as a privileged system user. Another important thing to note is that this vulnerability can be exploited even when the SwiftKey app is not selected as the default choice on the device.
SwiftKey is signed with the device’s private key and runs with the most privileged contexts available – the System User. This is the closest possible permission the hacker can get besides Root Access. The vulnerability is automatically activated after a reboot or when the application is updated. The hacker basically tricks the application into executing the malicious payload (remote code injection).
The hacker can then perform the following malicious actions:
- Accessing of the geo-tagging (GPS) functionality of the device.
- Installing of additional apps without the victim’s knowledge/permission.
- Manipulating the settings in previously installed apps on the phone.
- Harvesting incoming/outgoing messages and listening to voice calls.
- Gaining access to private data like contact lists and photo galleries.
Samsung has officially acknowledged the vulnerability and has promised a security patch in the near future. But mitigation is going to be a long process due to unavailability of the proprietary KNOX security tool on all Samsung devices and the varying patch-release policies of the different mobile carriers. Needless to say, users with rooted phones and custom ROMs will stay exposed.
Mobile Security on the Apple iPhone is Also Shaky At Best
Application-layer vulnerabilities are not exclusive to Android. Apple’s iOS is also being hacked, tricked and manipulated on a constant basis. Here are a few examples from recent weeks:
The Mysterious Texting Bug – A malicious text message consisting of non-Latin characters in Arabic and Chinese can simply cause the collapse of the CoreText system within the Apple device (iPhones, iPads and even iWatches). As demonstrated in the video below, once the victim tries to reply to the malicious message via Siri on his iWatch, the device simply freezes, crashes and switches off by itself.
Apple initially didn’t respond to the findings, but once the news went viral it issues a brief acknowledgement statement and promised a security patch in its upcoming update.
Zero-Day Flaws – A group of six university students recently released a research paper called Unauthorized Cross-App Resource Access on Mac OS X and iOS, exposing numerous issues on Apple’s platforms.
The researchers managed to sneek through Apple’s strict App Store security filtering process and made their malicious software expose a wide range of vulnerabilities in their mobile and web platforms. The most shocking issue was their ability to crack the keychain service, used to store passwords, login details and other Apple Application credentials.
There were also many weaknesses detected in the inter-app communication mechanisms between the mobile iOS and the web OS X platforms that enabled the harvesting of sensitive information from widely used applications such as Evernote and Facebook. A sandboxed app was used to exploit banking information Chrome on the new OS X 10.10.3.
The Endless Reboot Cycle – Another worrying finding was made by Adi Sharabani and Yair Amit from the security company Skycure. Their research paper “No iOS Zone“, which was presented at the recent RSA 2015, showed how malicious WiFi hotspots could cause iPhones to enter an endless reboot cycle. Apple has still not responded to the findings.
Mobile Security Is All About Bolstering The Foundation – The Application Code
Unfortunately, there is not much that can be done from the user-side to eradicate these issues. Using official ROMs and applying updates, while avoiding Jailbreaking and Rooting, is obviously a must. But even these preventative measures, along with the use of secure WiFi hotspots, cannot mask application layer vulnerabilities that eventually lead to hacking opportunities.
There is simply no substitute for secure application development, which bolsters the code integrity and reduces the opportunities for the malicious attackers to exploit.
The OWASP Mobile Top 10 is a widely acknowledged vulnerability list that should be adopted as a benchmark by all organizations developing applications for mobile. This list is created and updated by leading InfoSec experts from all around the world who have hands-on experience in dealing with such threats. SANS 25 is another popular reference list.
Organizations must have appropriate security solutions that can be integrated into the Software Development Life Cycle (SDLC), enabling the detection and fixing of vulnerabilities as early as possible. Traditional security techniques such as Dynamic Application Security testing (DAST) and Pen Testing don’t enable this key requirement.
This is where Static Application Security Testing (SAST) methods such as Static Code Analysis (SCA) can provide an out-of-the-box solution to make sure that the following things happen:
- Testing of 3rd party tools (i.e – keyboards) prior to integration into the application.
- Data leakage checks to ensure PCI-DSS compliance in apps involving financial transactions (banking, betting, etc).
- Ensuring of proper cryptography and key management (usage of strong algorithms).
- Pointing at cache’s that should be removed, especially in sensitive apps.
- Making sure log outputs are disabled and that sensitive data is not displayed on the multitasking screen.
Special attention should also be paid to the monitoring of cross application functionality, which is something that must be addressed by manufacturers while they are developing official ROMs for their devices. This is best achieved when the security goes hand-in-hand with development, which ideally means automation of the process (secure SDLC/sSDLC).
Mobile application security is one of the biggest challenges of the modern era. Only robust application code can help organizations provide the users with the security they deserve.