NEWS FLASH: You Can't Trust Any App


Staff member
Mar 24, 2011
"NEWS FLASH: You Can't Trust Any App"

A new vulnerability that hackers can exploit to steal passwords and even take pictures of checks for fraudulent uses has been found in the Android operating system, and it probably exists in other mobile platforms, too. Like the recently discovered USB flash memory vulnerability, this one is deeply embedded in many, many products. And neither flaw is going to be fixed any time soon. What to do? Read on...
It's a Dangerous Mobile World

In a recent article I explained why it could be dangerous to simply connect a USB flash drive to your computer. Are you ready for more bad news? No app is safe -- even ones from the most trustworthy sources. Here's why...

This new vulnerability exploits the fact that multiple apps running on one device have free and equal access to a “scratch pad” block of memory. Apps write things to this shared memory that they need to “remember” temporarily; for instance, the open/closed state of a Web browser window. Because the shared memory is accessed frequently, it’s open to all apps all the time. Any running app can use the scratch pad – and see what other apps have written there.

This isn't a software bug -- it's an integral part of the design of the Android operating system. And before you breathe a sigh of relief because you use an iPhone, iPad, or Windows mobile device, you should know that the researchers who identified this vulnerability believe it also exists in those operating systems as well.

Here's how it works: A malicious app watches what's happening in the shared memory area to anticipate the next move of a popular app, and then captures sensitive data as it whizzes by. This is similar in concept to "wifi sniffers" that monitor unsecured data streams at coffee shops where free wifi is offered. But all the action here is taking place right on your mobile device, without regard to whether or not your Internet connection is encrypted.

For example, a malicious app may note that your Web browser has a login window open. The malicious app can then anticipate that you are about to enter your username and password. The malware can be ready with a keylogger that captures your credentials. Likewise, if you open your Chase banking app and start setting up to take a photo of a check for electronic deposit, a malware app can detect your preparations and be ready to capture a copy of the check image.

Is Your Favorite App Vulnerable?
The researchers created a malware app that successfully captured Gmail login credentials on 92% of its attempts. Many other popular apps from name-brand companies like H&R Block and Amazon were also hacked; Amazon had the “best” performance, being hackable on only 48% of attempts; so the “best” is not very good at all.

All reports of this vulnerability include the same old advice to users: “Don’t install untrusted apps, or apps from untrusted sources.” That glib warning begs the question, “How can you trust any app source?”

The major app stores such as Google Play, Apple Store, etc., cannot be relied upon to keep out all the malware that developers upload. It’s a constant game of Whack-A-Mole: malware is uploaded; users download it; users complain about it; app store deletes it. In some cases, automated tools can detect and remove malicious apps, but that's still a developing technology, with an "arms race" similar to what happens in the desktop antivirus industry.

But during its brief life in an app store, a malicious app may be downloaded by tens of thousands of unsuspecting users. “Avoid sketchy apps,” the sages say, and they vaguely warn against apps that offer wallpaper or background images. More helpful advice would be to avoid apps that are newly released, those that have only a few reviews, and ones with fewer than a million downloads. But that advice is likely to be heeded by only the savviest and most security-conscious users.

“Look for digitally signed apps” is another piece of impractical advice. A digital signature supposedly guarantees that a program has not been altered since its author “signed” it. In theory, there should be no malware hidden in there unless the author put it there. The digital template from which digital signatures are derived is registered with a “certificate agency” that verifies a signature’s integrity and origin each time a program is opened or installed. If the signature is not what it should be, the program has been altered and the user should beware.

Unfortunately, certificate agencies charge money, and developers don’t want to spend it. An app may be launched with a digital signature, but even that doesn't guarantee it's safe. According to one security firm I spoke with, some malware developers are starting to digitally sign their wares.

There are steps that app developers and operating system designers can take to solve or minimize this problem. One obvious idea that comes to mind is to encrypt data before writing to the shared memory area. Or add protections at the system level that prevent apps from seeing what other apps are doing. I can also envision an anti-malware tool that looks at the behavior of other apps, specifically those that are constantly sniffing around in the shared memory area. But those things are not likely to happen soon.

Don't misunderstand what I'm saying here. There's no insinuation that the Gmail, Chase Bank, H&R Block, or Amazon apps are insecure or untrustworthy. Neither am I saying that there's an unpatched security hole in the Android or iOS operating systems. What I am saying is that the design of those systems makes it possible for a bad app to steal data from good apps. Such apps may already exist, so awareness is the key.


Senior Member
Dec 27, 2011
We have an Amazon app of the day, soon a vulnerability of the day. ;)

As Sarge used to say on Hill Street Blues, Be careful out there.