Wednesday, October 24, 2012

Don't Surrender to Your Smartphone



Me: Hello Smartphone App

Smartphone App: Hello User, may I have your contact list, IMEI #, Camera, Email account username and password, Bank Account #, Routing # and Geolocation?

Me:  Sure, why not?  I just need to check the status of a “friend” on “Twit-face-square-link-book.com” right now!
I recently attended the Innotech conference in OKC and sat in on the Android (in)Security presentation given by Georgia Weidman (very entertaining).  During the presentation she demonstrated how malware could be installed on an android device as a shim to the driver for sending and receiving text messages so that the phone could be manipulated into receiving botnet C&C messages via SMS and the user would never see these messages on their phone.

Most smartphone vendors these days require developers to disclose what permissions are used by their app before you download it.  This permission model allows users to make informed decisions about which apps they allow on their phone and gives the user control over how their phone is being used.  At least that's the idea behind it.  So, do you know what permissions your phone is using?
This application can access the following on your phone:

 Your personal information 
  • Allows an application to add or change the events on your calendar, which may send email to guests. Malicious applications can use this to erase or modify your calendar events or to send email to guests, 
  • Allows an application to read all of the calendar events stored on your phone.  Malicious applications can use this to send your calendar events to other people, 
  • Allows an application to read all of the contact (address) data stored on your phone.  Malicious applications can use this to send your data to other people, 
  • Allows an application to modify the contact (address) data stored on your phone.  Malicious applications can use this to erase or modify your contact data. 
Your messages 
  • Allows an application to write to SMS messages stored on your phone or SIM card.  Malicious applications may delete your messages, 
  • Allows an application to read SMS messages stored on your phone or SIM card.  Malicious applications may read your confidential messages. 
Your location 
  • Access course location sources such as the cellular network database to determine an approximate phone location, where available.  Malicious applications can use this to determine approximately where you are, 
  • Access fine location sources such as the Global Positioning System on the phone, where available.  Malicious applications can use this to determine where you are, and may consume additional battery power. 
  • Create mock location sources for testing. Malicious applications can use this to override the location and/or status returned by real location sources such as GPS or Network providers. 
Network communications 
  • Allows an application to create network sockets. 
Your accounts 
  • Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords, 
  • Allows applications to sign in to Google Calendar using the account(s) stored on this phone, 
  • Allows applications to sign in to the Google mail services using the account(s) stored on this phone, 
  • Allows an application to perform operations like adding, and removing accounts and deleting their password, 
  • Allows an application to request authentication tokens.  
Absolutely no mention of malicious activity for Your Accounts and passwords?  (That must mean that all my accounts and passwords are uber safe, right.)
 
Phone calls 
  • Allows the application to access the phone features of the device.  An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like. 
Hardware controls 
  • Allows application to take pictures with the camera.  This allows the application at any time to collect images the camera is seeing. 
System tools 
  • Allows an application to change the state of network connectivity, 
  • Allows an application to change the current configuration, such as the locale or overall font size, 
  • Allows an application to modify the system's settings data.  Malicious applications can corrupt you system's configuration, 
  • Allows the application to mount and unmount filesystems for removable storage, 
  • Allows an application to prevent the phone from going to sleep, 
  • Allows application to retrieve information about currently and recently running tasks.  May allow malicious applications to discover private information about other applications, 
  • Allows an application to change the phone's time zone, 
  • Allows an application to modify the APN settings, such as Proxy and Port of an APN, 
  • Allows an application to modify your currently synced feeds, 
  • Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.  
But wait there's more...
 
Your location  
  • Access extra location provider commands.  Malicious applications could use this to interface with the operation of the GPS or other location sources.  
Network Communications  
  • Allows an application to view the state of all networks, 
  • Allows an application to view the information about the state of Wi-Fi. 
Your accounts  
  • Allows an application to get the list of accounts known by the phone, 
  • Allows applications to see the usernames (email addresses) of the Google accounts you have configured.  
Hardware controls  
  • Allows the application to control the vibrator.  
System tools
  • Allows an application to have itself started as soon as the system has finished booting. This can make it take longer to start the phone and allow the application to slow down the overall phone by always running,
  • Allows an application to disable the and any associated password security.  A legitimate example of this is the phone disabling the keylock when receiving an incoming phone call, then re-enabling the keylock when the call is finished,
  • Allows and application to expand or collapse the status bar,
  • Allows an application to get details about the currently synced feeds,
  • Allows an application to read the sync settings, such as whether sync is enabled for Contacts.
  • Allows an application to read the synced stats; e.g., the history of syncs that have occurred.
And a few extras just for fun (really, is there anything more fun than hacking, well, I meant penetration testing for research purposes, when you have permission?)

Manipulation of your physical life
  • Allows an application to interact with other people on your behalf.  Malicious applications will use this to send text messages to premium phone numbers to run up unauthorized charges to your phone bill.
  • Allows an application to join a botnet and send and receive command and control messages.  Malicious applications will use this to allow hackers and cyber criminals to take over your device.
  • Allows an application to reset the password to your online banking accounts.  Malicious applications will use this to prevent you from checking the balance of your accounts when suspicious activity alerts start showing up in your inbox.
  • Allows an application to delete email and SMS text messages from your phone. Malicious applications will use this to prevent you from reading the alerts about suspicious balance transfers from your online banking accounts.
  • Allows an application to upload pictures from your phone to botnet operators and hackers.  Malicious applications use this to find compromising photos that will be used for blackmail or general embarrassment.
  • Allows an application to record phone calls and from your phone to botnet operators and hackers.  Malicious applications will use this to gather information about you that can be used to still your identity.

There have been hacks and mods available for some time now to pry your personal information out of the hands of shoddy developers, greedy marketers and dubious botnet operators and give control over your smartphones and mobile devices back to you, the user.  Take for instance the Cyanogen rom for Android.  So why are users so complacent about giving out every permission that their favorite app asks for?

I am bothered by the fact that apps like Facebook come preloaded on my device, automatically start during the boot cycle and then do not allow me an option to uninstall this ridiculously invasive app unless I root my phone and manually delete it myself.  I'm appalled by developers and vendors that think this is acceptable behavior.  It is high time that users stand up for their privacy and tell vendors why these types of marketing gimmicks are unacceptable and unethical!

On a brighter note, I actually found an app the other day that claims to require ZERO permissions!  ABC Touch Lite on the Android is a cool little app that my kiddos can use to learn to draw the alphabet.  Wow, how is that possible?  Can an app actually function without needing to see the password to my email account?

 If you are interested in having some fun testing out the security on your smartphone, check out Georgia's Smartphone Pentest Framework.
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)