Apps are biggest smartphone security threat

Speaking at last week’s Infosecurity Europe event in London, Veracode’s founder and CTO, Chris Wysopal, told attendees that apps are the biggest security threat to smartphone users.

Chris explained that there are two types of threat: apps that are intentionally malicious, and those that are inadvertently vulnerable.

A list of threats mentioned by Chris includes:

  1. Activity monitoring and data retrieval
  2. Unauthorized dialing, SMS, and payments
  3. Unauthorized network connectivity (data exfiltration or command & control)
  4. UI (unique identifier) impersonation
  5. System modification (rootkit, APN proxy configuration)
  6. Logic or time bomb
  7. Sensitive data leakage (inadvertent or side channel)
  8. Unsafe sensitive data storage
  9. Unsafe sensitive data transmission
  10. Hardcoded password/keys

Chris suggested that mobile app stores should consider using the above list to conduct a security review of submitted apps.

“Apple is famous for their walled garden and has an approval process”, Wysopal said. “But it’s not clear that they are looking at security issues. They seem to care about user experience and policies.”

Chris reckons Windows Phone 7 has the "strongest" security process for apps.

Android has had its fair share of problems recently. Just a few days after users were warned to avoid third-party vendors and stick to the official Android Market, apps infected with malware turned up on – you guessed it – the official Android Market.

via: Info Security


JanSt / MOD  Apr. 26, 2011 at 12:52

Studies show that surfing the web on a PC one is targeted about every 50 seconds. What is the most popular desktop OS? Exactly, the least secure one. What does that tell us?

Andy247  Apr. 26, 2011 at 16:38

It tells us that hackers target the most popular and widespread systems to get a better hit rate... hang on... was that rhetorical?

JanSt / MOD  Apr. 26, 2011 at 20:54

It could have been - if you want?! :p

