My app just did WHAT with my data??

New! Upgraded! Finally, the phone I want…and more than you bargained for with Apps if you’re not careful – 4D5A Security can vet your apps and keep you safe during the holiday season.

The mobile application marketplace is flooded.  Regardless of the rigor certain application marketplaces implement (e.g. Apple’s App Store), there is still potential for nefarious applications to find their way onto your mobile device.  These apps could cause potential harm and extract sensitive data if you aren’t careful.  Additionally, applications with the purest of intent may be doing very insecure things with your data that can also lead to inadvertent exposure.

Let’s discuss exactly what nefarious things could happen within a mobile application that might put your data at risk:

  • Improper or abused application permissions
    Why does my flashlight app need to access to my contacts?  That’s a great question, and one indicator that the free light may come at the cost of exposing your address book to people with bad intentions.  Applications should operate on the principle of least privilege, meaning that if they don’t need access to certain phone functionality, then they should not be requesting it.
  • Insecure local storage
    This is actually more common than you might expect.  Applications often store data in local databases on the phone.  An application may store sensitive banking information in a local database that gets synced periodically via a web service.  However, the local database may not encrypt your sensitive information while it’s stored on the phone.  The database may also be stored in a location that is accessible to other applications and not protected within the application sandbox.  Finally, your data may be encrypted, but the decryption key may not be protected (dial 1-800-pwng for more information :0).  For example, the key may be hard-coded into the binary, where a simple revere engineering exercise can expose the key and your data.
  • Inappropriate communications
    Often times, applications may seem fairly safe or benign when analyzing them from a static state.  The code seems safe, the permissions are not misaligned with the intended purpose, and the data is being handled appropriately on disk.  But suddenly when you actually begin to run the application, it starts to pilfer data to random locations and IP addresses across the globe.  This is an example of an application that is communicating with sources that it shouldn’t be and is a tell tale sign that something is amiss.

The solution. 4D5A can conduct a comprehensive security review of your mobile application, whether it has been developed internally or is a 3rd party application.  We will test for all areas regarding mobile security including dynamic runtime analysis of the application to ensure it isn’t communicating with bad actors.  We can review the local storage of data and verify that proper encryption mechanisms are in place as well as determine how accessible the data is locally.  We can analyze the application in a static and dynamic state to ensure your interactions with the application are safe.

One of our own, Ken Dunham, wrote the first book in this space and has a more recent book on analysis of Android threats.  Contact 4D5A for a mobile application security assessment today.