Copycat apps, runaway coding a growing threat, RSA panel says

Friday, March 2, 2012


SAN FRANCISCO -- A panel of mobile security experts painted a bleak picture of the state of mobile application security, warning IT security professionals that the potential exists for the emergence of weaponized mobile apps on Google Android and Apple iOS devices.


Dozens of copycat apps, designed to mimic popular games, can give application developers access to a growing pool of victims, according to the panel of experts discussing mobile application security issues Wednesday at RSA Conference 2012. Currently, adware and spyware are a problem, where applications collect as much personally identifiable information as they can with the goal of selling the information to a third party, said Elias Manousos, CEO of RiskIQ, a company that provides code analysis for Android and Apple application marketplaces.

"Some of these apps don't even work; this is relevant because there are literally hundreds or even thousands of apps that do nothing," Manousos said. "The running theory here is that they are there to drive traffic."

Manousos said a cybercriminal who has hundreds of applications in an app store may not currently have a working exploit, but at some point they could theoretically put in an iFrame and launch a pop-up inside an app with malicious intentions. Apps installed on thousands of machines could give an attacker the foothold they need to turn them into a malware delivery mechanism, he said.

With that in mind, engineers behind the popular app stores are beginning to monitor submitted apps in a sandbox environment.

Ward Spangenberg, director of security operations at San Francisco-based Zynga Inc., a company known for developing popular gaming apps including Words With Friends and FarmVille, has a team that is dedicated to weeding out copycat apps and getting them shut down as fast as possible. The team conducts its own code analysis on copycat apps and has found some coded to steal credentials or simply designed to harvest as much user data as possible.

"As consumers we are going to have to pressure these brands into giving some protection," Spangenberg said. "At some point the application developers are going to have to follow some sort of code ethics and responsibilities... We are all shifting some of the blame around but there are responsibilities for everybody with regards to these devices."

The panelists said the threats posed by rogue mobile applications extend to the enterprise. Some firms are already taking a cautious approach to protecting Android and Apple devices. Microsoft deliberately locks out mobile devices from obtaining sensitive corporate data, said Mike Convertino, director of network security at Microsoft. Convertino said his team constantly monitors for network anomalies and ensures that mobile devices can't cache sensitive information from corporate servers. "We are really strict," he said. "The screens are small and some of this data doesn't really present itself well on the phone anyway."

Convertino said malicious applications are evolving from being junkware that collects personal data to creating a botnet out of infected devices in certain countries. The bots can be used by cybercriminals to conduct DDoS attacks at will, he said. Microsoft is taking steps to bolster its new app store with protection by incorporating both static and dynamic code analysis, he said. In addition, developers will be required to run a malware scanning program and submit the outcome of that program with the application submission, he said.

Even more cautious is Zynga, Spangenberg said, which has to not only monitor devices for malicious activities, but also track the devices so sensitive gaming development data doesn't fall into the wrong hands. The company uses its own internal application store and has developed its own custom app to track devices and ensure they are meeting security policies. Spangenberg said he is considering using radio frequency identification technology to keep some of the most sensitive devices from leaving certain areas within the company.

"We all have the ability to put in controls and address this issue," he said. "This isn't our first rodeo, so you should just think about the new environment."

Follow @rwestervelt
