Posts

Mobile Apps Failing Security Tests

It’s been said that there are over a million different apps for the smartphone. Well, however many may exist, know that not all of them are passing security tests with flying colors.

You may already be a user of at least several of the 25 most downloaded apps. And what’s so special about the top 25? 18 of them flunked a security test that was given by McAfee Labs™ this past January. And they flunked the test four months after their developers had been notified of these vulnerabilities.

App creators’ first priority is to produce the next winning app before their competitors do. Hence, how secure it is doesn’t top the priority list, and that’s why there’s such a pervasive problem with security in the mobile app world.

Because these apps failed to set up secure connections, they open the door for cybercriminals to snatch your personal information, such as credit card numbers and passwords. And the problem is growing because this weakness in apps is so well known, and it’s pretty easy for cybercriminals to purchase toolkits that help them infect smartphones via these vulnerable apps.

The technique is called a “man in the middle” attack. The “man” stands between you and the hacker, seizing your personal information. The “man” may capture your usernames and passwords for social media accounts and so much more—enough to open up a credit card account in your name and then max it out (guess who will get the bills); and enough to commit a lot of damage by manipulating your Facebook account.

So What Can You Do?

Here are some tips to help you protect yourself from these insecure apps:

  • Before purchasing an app, get familiar with its security features—read reviews and check which permissions the app requests. You don’t want to end up with an app that accesses far more information about you than it needs for what you want it to do.
  • Download only from reputable app stores, not third-party vendors. This will reduce your chance of downloading a malicious app.
  • Don’t have your apps set to auto login. Even though it may be a pain when you want to access Facebook, it’s better to be safe than sorry.
  • Make sure you use different passwords for each of your apps. Sorry, I know that’s a hassle, but that’s what you must do. And make sure your password is long and strong.

Here’s to staying safe on our mobile devices.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Android Apps Infected With A Virus

Is yours one of the 33% of all mobile phones running the Android operating system? The official Android Market is run by Google, and there are over 150,000 applications with an estimated 3.7 billion downloads. More than 250,000 applications have been downloaded with a malicious virus.

The LA Times reports “Google is remotely removing virus-infected Android apps from thousands of phones and tablets in its continuing cleanup of what has become known as the “Droid Dream” scare. Last Tuesday, Google removed 21 free apps that were hacked and loaded with malware, and then distributed on the company’s Android Marketplace.”

Newer reports say more than 50 apps have been infected and removed.

From Google’s blog: “For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device). But given the nature of the exploits, the attacker(s) could access other data.”

In response, Google is remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.

You may consider it a violation of your privacy that Google can just go into your phone like that. But first, you agreed to it in their terms and conditions, and second, they are doing you a service and protecting you from a potential identity theft situation.

Google is sending out emails to all those affected and sending notification via the device itself to let you know what has happened.

If you are unsure whether your phone was infected or simply want to be safe, I’d suggest backing up your phone’s data and reinstalling the operating system. Contact your carrier or visit your phone’s manufacturer for instructions.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing mobile phone spyware on Good Morning America.