Security News

mobile apps... the new breeding ground for cybercrime?


Mobile applications are all the rage at the minute, but has anybody thought about where the applications come from, who develops them and what motivates them to create these wonderful time-saving gadgets, kooky games or ultra-cool must-have utilities? These applications provide convenient access to email, bank and credit card data, personally identifiable information and travel itineraries, which exposes not only the individual but also the enterprise to new types of security threat that are only now emerging.

Let’s look at the main players in today’s marketplace. At the forefront of mobile applications is Apple’s App Store, with applications developed for iPhones, iPads, iPods and anything else prefixed with an ‘i’. Next in line is the Android Market, positioned (you guessed it) for the Android device market. And finally there is Nokia’s Ovi Store, for Nokia devices.

Each of these application stores has a vast number of applications for countless mobile devices. However, when trawling through the myriad terms of service, privacy policies, help forums and troubleshooting guides, there was a distinct lack of information on what level of security scrutiny these applications go through, if any at all.

That said, each organisation does provide a policy statement, which is mainly in place to protect them legally, not the end user. Worthy of special note is the Apple disclaimer, which actually highlights this fact.

Apple Policy:
"Apple does not promise that the site or any content, service or feature of the site will be error-free or uninterrupted, or that any defects will be corrected, or that your use of the site will provide specific results. The site and its content are delivered on an “as-is” and “as-available” basis. All information provided on the site is subject to change without notice. Apple cannot ensure that any files or other data you download from the site will be free of viruses or contamination or destructive features. Apple disclaims all warranties, express or implied, including any warranties of accuracy, non-infringement, merchantability and fitness for a particular purpose. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site and/or any Apple services. You assume total responsibility for your use of the site and any linked sites. Your sole remedy against Apple for dissatisfaction with the site or any content is to stop using the site or any such content. This limitation of relief is a part of the bargain between the parties."

Nokia’s policy is slightly better in the security stakes, but again puts the onus on the developer to be of solid moral fibre.

Ovi Policy:
"Not distribute or post spam, unreasonably large files, chain letters, pyramid schemes, viruses or any other technologies that may harm the Service, or the interest or property of the Service users."

Google’s Android Market has probably the vaguest disclaimer of the three, stating that Google reserves the right to look into what is hosted on Android Market, while alluding to the possibility that it may perform some level of security screening of applications before making them available. Again, though, it is non-committal and loosely veiled in legal terminology.

Android Policy:
"8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service. For some of the Services, Google may provide tools to filter out explicit sexual content. These tools include the SafeSearch preference settings (see http://www.google.com/help/customize.html#safe). In addition, there are commercially available services and software to limit access to material that you may find objectionable."

Given that the mobile application market is going through a boom period not seen before, this really poses the question: is this also a new boom for cybercrime?

Reading each of the disclaimers, and noting the loose wording wrapped around each provider’s obligations, suggests a ripe breeding ground for the development of nefarious or malicious applications.

There have already been numerous virus and Trojan developments in this area, so it is not a long bow to draw to estimate that applications are being developed (if not already in circulation) to perform equally harmful activities for cyber criminals.

For example:
“According to Kaspersky Lab, the latest Trojan, called SMS.AndroidOS.FakePlayer.b, appears to be a media player to the soon-to-be-infected phone user. Should an Android-based phone owner be unwise enough to search for pornographic videos, they might find that a variety of Russian-language sites appear at the top of the search results.
According to Kaspersky's report on the new malware, 'the owners of these adult content sites are deliberately prompting Android users to download the new Trojan, while users of other platforms receive the desired content.'

Unlike many Windows-targeted viruses and Trojans, which infect merely by visiting a loaded web site, the Trojan-SMS must be manually installed by the user. The package, called porkplayer.apk, is (supposedly) required to view the adult content videos. During the installation process, the software requests permission to send SMS messages, something that ought to seem odd to anyone installing a media player.”

So what is the solution? How do you know that what you have downloaded for your mobile telephone is secure, free from added extras like malicious code, and not riddled with backdoors?

The short answer is you don’t. Unless you are prepared to learn and use a specialised emulator to test an application, have the specialist knowledge to recognise this type of embedded malicious code, and have the time to invest, it simply becomes too hard and time-consuming to test an application before using it. In most cases this means we tend to accept whatever risks come with it, mainly through laziness.
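One check does not need an emulator or reverse-engineering skills: the tell in the Kaspersky write-up above is a "media player" that asks to send SMS. The following script is an added example of mine, not code from the article or from Kaspersky, McAfee or any store. It reads the text that the Android SDK's `aapt dump permissions app.apk` prints, compares the requested permissions against a hypothetical baseline of what an app of the claimed kind plausibly needs, and flags anything sensitive that the baseline does not justify. The embedded dump and the package name `com.example.fakeplayer` are constructed for the example; the category baselines are my assumptions, not any store's policy.

```python
"""Flag APK permissions that do not fit the app's claimed purpose.

Input is the text printed by `aapt dump permissions <app.apk>` (aapt ships
with the Android SDK build tools). The dump embedded below is CONSTRUCTED
for this example; the package name com.example.fakeplayer is hypothetical.
"""
import re
import sys
from typing import Dict, List, Tuple

# Permissions that let an app cost the user money or leak their data.
# All are real names from the android.permission namespace.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (e.g. bank one-time codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.CALL_PHONE": "can place calls without confirmation",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.READ_PHONE_STATE": "can read IMEI and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
}

# Hypothetical baseline of what each kind of app plausibly needs. This is
# the reviewer's judgement (an assumption), not any store's policy.
EXPECTED = {
    "media_player": {
        "android.permission.INTERNET",
        "android.permission.WAKE_LOCK",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "messaging": {
        "android.permission.INTERNET",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CONTACTS",
    },
}

# aapt has printed permissions in two shapes over the years:
#   uses-permission: android.permission.SEND_SMS
#   uses-permission: name='android.permission.SEND_SMS'
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?(?:\s.*)?$")
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")


def parse_aapt_dump(dump: str) -> Tuple[str, List[str]]:
    """Return (package name, requested permissions) from an aapt dump."""
    package, perms = "", []
    for raw in dump.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and m.group(1) not in perms:
            perms.append(m.group(1))
    return package, perms


def triage(dump: str, category: str) -> Dict[str, object]:
    """Flag sensitive permissions the claimed app category does not justify."""
    package, perms = parse_aapt_dump(dump)
    expected = EXPECTED[category]
    unexpected = [(p, SENSITIVE[p]) for p in perms
                  if p in SENSITIVE and p not in expected]
    return {
        "package": package,
        "permissions": perms,
        "unexpected": unexpected,
        "verdict": "REVIEW" if unexpected else "OK",
    }


# Constructed dump mimicking a fake "media player" that asks for SMS.
SAMPLE_DUMP = """\
package: com.example.fakeplayer
uses-permission: android.permission.INTERNET
uses-permission: android.permission.SEND_SMS
uses-permission: android.permission.READ_PHONE_STATE
"""


def report(dump: str, category: str) -> str:
    """Human-readable summary of the triage result."""
    r = triage(dump, category)
    lines = [f"{r['package']} claims to be a {category}: {r['verdict']}"]
    for perm, why in r["unexpected"]:
        lines.append(f"  ! {perm}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: aapt dump permissions app.apk | python triage.py media_player
    category = sys.argv[1] if len(sys.argv) > 1 else "media_player"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print(report(text, category))
```

Run with no input and it triages the constructed dump, flagging SEND_SMS and READ_PHONE_STATE as unjustified for a media player; pipe in real `aapt dump permissions` output for an APK you are about to install. The check is deliberately coarse: it cannot tell a legitimate SMS feature from a premium-rate dialler, only that the request does not fit the story the app tells, which is exactly the signal the Kaspersky write-up says users should have noticed.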

Most would have assumed (and reasonably so) that applications are checked against some sort of criteria (however minor) before being made available to the wider public. We blindly trust that Apple, Google and Nokia, being such household names, would not risk exposure or damage to their public image or market share. Therein lies the disconnect: they don’t really care, because it is not their application that is causing any of your concerns; they only host it (and have the disclaimers to back that up).

Time will tell. If there is enough pushback from consumers to create a requirement for mobile applications to pass some type of standard or criteria, then perhaps we may see something in the future. For mobile device use within the corporate network, however, this is an issue which needs to be addressed now.

With McAfee’s Enterprise Mobility Management (McAfee EMM), enterprises can offer employees a choice of mobile device, such as iPhones and iPads as well as Android, Windows Mobile and Symbian devices, while delivering secure and easy access to mobile corporate applications.

With secure mobile application access, strong authentication, high availability, scalable architecture, and compliance reporting in a seamless system, McAfee EMM brings the same level of control to mobile devices — including employee-owned smartphones — that IT applies to laptops and desktops. Comprehensive and robust management features enable IT to effectively secure its mobile workforce, ensure that policies and configurations are persistent, and deliver automatic and real-time compliance management. McAfee EMM also helps drive down support costs and overall TCO by leveraging the native capabilities of each enterprise’s existing data centre infrastructure and IT network, including directory services.

For more information on the McAfee EMM solution please contact Loop Technology today.

 - Martin Quinn, Information Security Consultant