AH Virus Malware Piracy Skull Death Samsung logo 1.0

The State Of Non-Malicious Apps Potentially Vulnerable To Security Exploits

March 18, 2015 - Written By Justin Diaz

Mobile apps have been an increasingly larger target for malware and other exploits and attacks over the last few years, and even though app distribution stores like Google Play have gotten much better at detecting these types of malicious apps and preventing them from being installed by millions of users, there are still apps out there with vulnerabilities that can be exploited by hackers. According to AVG CTO Ben-Itzhak, many of these vulnerabilities can be found within mobile app stores even today. This is because hackers have discovered ways to exploit the vulnerabilities in apps that aren’t malicious in any way, allowing them new alternatives to gathering personal and sensitive user data without having to attempt publishing a malicious app that may end up getting detected.

Non-malicious apps can be exploited in a number of different ways, but there are three main ways to be aware of. This includes data transmission, data storage, and last but not least, third-party components. Apps continuously send data back and forth between our mobile devices and the servers that those apps are run off of. It’s in this data transmission period that hackers can potentially find a vulnerability and exploit it by either getting a hold of unencrypted data, or by exploiting the lack of certificate validation within the app when data is sent to the remote server. With data storage, no encryption is again, a very possible way for hackers to get at personal data even if it’s kept stored on the device physically. If the app data stored on the device isn’t encrypted, and another app with permissions to read that data is installed, this leaves people open to potential risk of their personal information being obtained by an unwanted party. Even uninstalling apps that would normally contain personal information may not keep the risk at bay, as applications can often times leave behind bits and pieces of files even after an uninstall. This is a potential risk if the data left behind is sensitive.

When it comes to third party components like Android WebView or the Dropbox SDK, many apps use these third-party toolkits to integrate features that are either needed or wanted by the developers for them to offer specific functions in their app. These toolkits were found to be vulnerable to attacks, (the data on these specific vulnerabilities can be found here and here respectively) which potentially leaves any applications being developed using these toolkits open and more vulnerable themselves. These risks paired together with development errors and short development windows will make it increasingly challenging to catch all possible vulnerabilities. As pointed out by AVG, risks aren’t necessarily a product of just developmental error. Awareness is a big part of being able to account for these risks and potential vulnerabilities, but as Itzhak explains most developers may not have any training in security which leaves them less equipped to handle vulnerabilities. Other issues like small development teams and a focus on getting apps out to market more quickly can also contribute to vulnerabilities slipping through the cracks, as there may not be enough people and/or enough time to find all flaws.

The silver lining is that there are things that can be done to minimize the amount of vulnerabilities to non-malicious apps. Learning specifics about security within coding and utilizing tools to “statically and dynamically” scan for any vulnerabilities are good places to start. It shouldn’t be all up to developers though, app stores like Google Play also have an opportunity to improve the situation by notifying developers in the event that a vulnerability was found within their app, and there could be timing regulations in place that developers would need to follow if there was a vulnerability with a need to be fixed, resulting in delisting the application if these timing regulations aren’t met. With improved awareness, better communication between app stores and developers and some time spent learning about vulnerabilities and secure coding, these risks can begin to become less and less frequent.