The current state of mobile security

The CarrierIQ story has been the dominant topic in mobile security over the past week or so, but I believe this is far more important to pay attention to.

The Register – Android glitch allows hackers to bug phone calls

Yes, it’s important to realize that the mobile operators are pre-installing monitoring software onto your phone, but there’s no evidence that major privacy violations have occurred.

Now with this other (far less reported) story, there appears to be a privilege-escalation attack in Android. Normally, when installing an app, you are informed of all system access requested by that app. Then you have a choice whether or not you want to install that Tetris clone that mysteriously requires access to your text messages.

Apparently there’s a hack that allows an app to access some things that it doesn’t request permission for. Specifically, the researchers demonstrated the ability to send text messages, record sound, and reboot the phone (which is not something that any app should be able to do at all).

Because the Android Marketplace does not have any code review before posting apps, this could lead to a rogue app that could steal information from those who install it. It doesn’t even have to be a shady-looking application. A smart attacker would take the time to code a useful app that performs some function very well. The app would secretly capture information and send it off to the attacker for further use.

This could go undetected for a long time.

Or it could be happening already.
