I subscribe to a well-known security email newsletter. This morning one of their top articles caught my eye: "Most of the top 100 paid Android and iOS apps have been hacked."
STOP. Do not google this (yet). Let me finish, and then you can give the authors the page views they so desperately want.
A company that sells services to securely encrypt code (at least it appears to be their business model) has released a report about how many of the top 100 applications (paid and free) for both Android and iOS have been "hacked." So after reading the article (press release, actually), I dug a bit deeper, and then watched a very informative video about this issue, provided (conveniently) by the authors. This is where I want you to think twice about giving them their ad revenue and page views. After all, the devil is in the details.
So a hacker downloads (from the App Store) an application. They then back it up to a computer, or jailbreak their iOS device to copy the app package to a computer. Then, using well-known tools, they are able to crack the encryption package on the application (as long as it is resident in system memory) and trace the code as the application runs. This does present one important concern for the vast majority of iOS app users - if there is an available exploit via Man-In-The-Middle attacks on communications between the app and a server, the hacker will be able to utilize that gateway to acquire data that is passed between the server and the iOS app (even if it is the official app on the App Store). This, of course, is going to be app-specific - so an app that doesn't transmit data to a private server isn't really a vector, but (for example) a banking app that communicates using SSLv3 would be.
Of course, there are layers here. Assuming the data is encrypted (as it should be) and the public/private keys are still secure, then all the hacker has is a bundle of encrypted data that can't be decrypted until the keys are broken or stolen. And I'm paranoid, so let's assume that no small percentage of these apps still use hacked protocols or don't encrypt data at all. Your data that is transmitted from that application to the server is at risk.
But here's the kicker. There's no discussion about this portion of the threat at all in the article or at the website of the authors. They are selling tools to encrypt your code and app, not data transmission between the app and a server.
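The transport risk described above comes down to which protocol the app and its server actually negotiate. As an added example (not from the original post or the report it discusses), this Python code reads a captured ServerHello record from your own app's traffic and flags SSLv3, other deprecated versions, or plaintext; the function names and the sample records are constructed for illustration.

```python
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
DEPRECATED = {"SSLv3", "TLS 1.0", "TLS 1.1"}
PLAINTEXT = "not a TLS handshake (plaintext or other protocol)"

def server_hello_version(record: bytes) -> str:
    """Return the protocol version the server selected in one ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record type
        return PLAINTEXT
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 42 or body[0] != 0x02:         # 0x02 = ServerHello
        raise ValueError("record is not a complete ServerHello")
    version = struct.unpack(">H", body[4:6])[0]
    pos = 6 + 32                                  # skip the 32-byte server random
    pos += 1 + body[pos]                          # skip the session id
    pos += 3                                      # skip cipher suite and compression
    # TLS 1.3 keeps 0x0303 above and carries the real version in the
    # supported_versions extension (type 43).
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            if ext_type == 43 and ext_len == 2:
                version = struct.unpack(">H", body[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return VERSIONS.get(version, f"unknown (0x{version:04x})")

def audit(record: bytes) -> str:
    """FAIL for plaintext or a deprecated protocol, OK otherwise."""
    name = server_hello_version(record)
    return ("FAIL: " if name == PLAINTEXT or name in DEPRECATED else "OK: ") + name

def build_hello(version: int, extensions: bytes = b"") -> bytes:
    """Constructed sample ServerHello (zeroed random, empty session id)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += struct.pack(">H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", min(version, 0x0303), len(hs)) + hs

# Constructed supported_versions extension selecting TLS 1.3.
TLS13_EXT = struct.pack(">HHH", 43, 2, 0x0304)

if __name__ == "__main__":
    for sample in (build_hello(0x0300), build_hello(0x0303),
                   build_hello(0x0303, TLS13_EXT), b"GET /login HTTP/1.1\r\n"):
        print(audit(sample))
```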
So it's not like the application is hacked, code injected to steal additional information from your phone, and then somehow you get that hacked version of the app on your phone. Unless you jailbreak your device and then download duplicate copies of popular applications from an outside app store (such as Cydia). However, this vector is also legitimate, assuming the hackers can inject code into the bundle, re-package it and then distribute it as a free alternative to the actual software from the actual vendor via a jailbreak app store.
In conclusion, the security article is fear mongering at its best, and uninformative at worst. If a user does not jailbreak their device, and does not download applications from jailbreak stores, then the threat comes down to the overarching security of the app vendor, and what data they have access to on your phone. So the majority of the top 100 apps for iOS and Android have been hacked, and if those applications transmit secure data insecurely between the app and a server, you could be at risk. That's the real takeaway from this article, which you shouldn't go read unless you like sensational statistics.
Here it is.
Monday, November 24, 2014
