Dark Side Arises for Phone Apps
Security Concerns Prompt Warnings
By SPENCER E. ANTE
As smartphones and the applications that run on them take off, businesses and consumers are beginning to confront a budding dark side of the wireless Web.
Online stores run by Apple Inc., Google Inc. and others now offer more than 250,000 applications such as games and financial tools. The apps have been a key selling point for devices like Apple’s iPhone. But concerns are growing among security researchers and government officials that efforts to keep out malicious software aren’t keeping up with the apps craze.
In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named “09Droid” and claimed to offer access to accounts at many of the world’s banks. Google said it pulled the apps because they violated its trademark policy.
The apps were more useless than malicious, but could have been updated to capture customers’ banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. “It is becoming easier for the bad guys to use the app stores,” Mr. Hering said.
Unlike Apple or BlackBerry maker Research In Motion Ltd., Google doesn’t have employees dedicated to vetting applications submitted to its Android store. Google said it removes apps that violate its policies, but largely relies on users to alert it to bad software. “We check reactively,” said a Google spokesman. “There is no manual bottleneck.”
As more companies, governments and consumers use wireless gadgets to conduct commerce and share private information, computer bad guys are beginning to target them, according to government officials and security researchers.
“Mobile phones are a huge source of vulnerability,” said Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division. “We are definitely seeing an increase in criminal activity.”
The FBI’s Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores, Mr. Snow said. The cases involve apps designed to compromise banking on cellphones, as well as mobile “malware” used for espionage by foreign nations, said a person familiar with the matter. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.
The vulnerability of mobile computing is also a concern for the U.S. Air Force, which worries about theft of military information or the use of personal details to scam or extort airmen and women.
In March, the Air Force barred users of all service-issued BlackBerrys from downloading apps. Research In Motion said its technology allows customers to enforce such group-wide security measures.
The move followed a sharp rise in questionable activity aimed at Air Force smartphones, including attacks that tried to exploit mobile Web browsers, said a military official who helps oversee the defense of the Air Force’s networks.
About a year ago, the Air Force saw fewer than a dozen attacks targeting its phones each month. In May, the Air Force saw more than 500, the official said, though none of the probes was successful.
“We all see this tipping point coming,” said Peter Tippett, who oversees an investigative-response team that studies computer crime at Verizon Business, a unit of Verizon Communications Inc. that serves corporations. “There is a lot of activity to figure out how to make it less likely that a financial transaction would be exploited” on a mobile phone, he said.
The financial services industry says it is working with app-store operators to ensure mobile-banking apps are authentic. “Customers should be able to know who they are dealing with,” said Leigh Williams, president of BITS, an arm of the Financial Services Roundtable, a banking industry advocacy group
Some security experts believe Google’s Android Market is more vulnerable than other app stores since Google doesn’t examine all apps before they are available for users to download.
A Google spokesman said the company has put in place security measures, such as remotely disabling apps found to be malicious and requiring developers to register with its Checkout payment service, and argued there’s no evidence for claims that its store poses a greater risk than others.
Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users’ contact lists to the game maker’s servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.
“Consumers should be aware that iPhone security is far from perfect and that a piece of software downloaded from the App Store may still be harmful,” wrote software engineer Nicolas Seriot in a research paper detailing iPhone security holes that he presented at a computer security conference in February.
Apple CEO Steve Jobs, speaking at the All Things D conference this week, said his company’s employees carefully curate the store. “We have a few rules: has to do what it’s advertised to do, it has to not crash, it can’t use private APIs,” or application programming interfaces, he said, adding that 95% of submissions are approved.
“Apple takes security very seriously,” a spokeswoman said. “We have a very thorough approval process and review every app. We also check the identities of every developer.”
Apple’s iPhone itself isn’t immune to mobile threats, either. Since 2008, security experts have identified at least 36 security holes in the phone’s software, according to a review of the National Vulnerability Database maintained by the Department of Homeland Security. One, identified in September 2009, could have allowed hackers to learn someone’s username and password from messages sent to servers when browsing the Web.
Some victims are now more cautious. Sara Dellabella, a car saleswoman in Cuba City, Wisc., said she doesn’t download as many apps on her Motorola Inc. Droid phone, which uses Google’s Android software, after a malicious game her son downloaded from the Android Market wiped out all of her text messages and personal notes. “It just rips your heart out,” she said. “I am being more vigilant now.”
Copyright 2009 Dow Jones & Company, Inc. All Rights Reserved
