SAN FRANCISCO -- A panel of mobile security experts painted a bleak picture of the state of mobile application security, warning IT security professionals that the potential exists for the emergence of weaponized mobile apps on Google Android and Apple iOS devices.
Dozens of copycat apps, designed to imitate popular games, can give application developers access to a growing pool of victims, according to the panel of experts discussing mobile application security issues Wednesday at RSA Conference 2012. Currently, adware and spyware are the main issue: applications collect as much personally identifiable information as they can, with the goal of selling that information to a third party, said Elias Manousos, CEO of RiskIQ, a company that provides code analysis for the Android and Apple application marketplaces.
"Some of those apps don't even work; it really is relevant because there are actually hundreds or even thousands of apps that do nothing," Manousos said. "The running theory here is that they're there to drive traffic."
Manousos said a cybercriminal who has hundreds of applications in an app store may not currently have a working exploit, but sooner or later they could theoretically insert an iframe and launch a pop-up inside an app with malicious intentions. Apps installed on thousands of devices could give an attacker the foothold they need to turn those apps into a malware delivery mechanism, he said.
In response, engineers behind the popular app stores are starting to run submitted apps in a sandbox environment and monitor their behavior.
Ward Spangenberg, director of security operations at San Francisco-based Zynga Inc., a company known for developing popular gaming apps including Words With Friends and FarmVille, has a team devoted to hunting down copycat apps and getting them shut down as fast as possible. The team conducts its own code analysis on copycat apps and has found some coded to steal credentials or simply designed to harvest as much user data as possible.
"As consumers we will need to pressure these brands into giving some protection," Spangenberg said. "At some point the application developers are going to need to follow some sort of code of ethics and responsibilities... We're all shifting some of the blame around, but there are responsibilities for everyone in terms of these devices."
The panelists said the threats posed by rogue mobile applications extend to the enterprise. Some firms are already taking a cautious approach to protecting Android and Apple devices. Microsoft deliberately locks mobile devices out from accessing sensitive corporate data, said Mike Convertino, director of network security at Microsoft. Convertino said his team constantly monitors for network anomalies and ensures that mobile devices can't cache sensitive information from corporate servers. "We are really strict," he said. "The screens are small and some of this information doesn't really manifest itself well on the phone anyway."
Convertino said malicious applications are evolving from junkware that collects personal data into tools for building a botnet out of infected devices in certain countries. The bots may be used by cybercriminals to conduct DDoS attacks at will, he said. Microsoft is taking steps to strengthen the protection of its new app store by incorporating both static and dynamic code analysis, he said. Additionally, developers will be required to run a malware scanning program and submit the results of that scan along with the application submission, he said.
Even more cautious is Zynga, Spangenberg said, which not only monitors devices for malicious activity but also tracks the devices so that sensitive game development data doesn't fall into the wrong hands. The company uses its own internal application store and has developed its own custom app to track devices and make sure they are meeting security policies. Spangenberg said he is considering using radio frequency identification technology to keep some of the most sensitive devices from leaving certain areas of the company.
"We are all able to put controls in place and address this issue," he said. "This isn't our first rodeo, so you should just consider the current environment."