Smartphone apps may pose security risk

Posted: Sun Nov 14, 2010 4:43 pm
by tonyuk73
Smartphone apps may pose security risk
By Sebastian Knoppik.
"Berlin - Most computer users know to go online only with proper security software in place. They don't always think to do the same when using smartphones, even though smartphones represent an ever-growing share of internet-ready devices. This negligent attitude is unwise, experts warn."

Viruses, worms, and Trojans: Almost all users are now aware that these malicious programs can infect computers. Many users know to use software to guard against them.

Yet there's little consideration of the fact that smartphones are essentially pocket-sized computers and as such are vulnerable to infection by viruses. The consequences could be more than just non-functional devices. In theory an attacker could undertake a major raid on the user's data.

Telephone calls have become a secondary function of many smartphones. Users can download numerous small programs known as apps onto the handset to add in extra functionality. These applications are often free and can perform tasks ranging from finding the closest post box, navigating a city, or simply playing a game.

'A smartphone is nothing less than a mini high-performance computer,' says Toralv Dirro, an expert at anti-virus maker McAfee.

Yet because smartphones don't look like a computer, many users forget to take security into account, Dirro says. It's a bad step to skip, however.

'The security issues are the same as for computers,' he says. Apps can often access the user's personal data, including the telephone book and current location via GPS. Yet in the words of Sascha Pfeiffer from anti-virus maker Sophos, 'There are extremely few programs that really need access to my data.'

Yet it seems that every application nevertheless wants access to as much as possible, which opens the door for dodgy or even criminal providers to sneak in. About a fifth of the roughly 48,000 apps available for the Google mobile OS Android are a security risk, a recent study by mobile security specialists SMobile Systems found. They allow other programs to have access to personal information.

Giving applications access to the user's data can have fatal consequences, explains Daniel Bachfeld, editor of German computer magazine c't. He's seen apps that clandestinely forward copies of all SMS messages, or even turn the cell phone into a listening bug or hidden camera.

Other programs automatically call up pricey toll numbers without the user noticing it. Says Bachfeld, 'That can quickly and easily turn into a lot of money.'

While the makers of mobile operating systems offer platforms to distribute the apps, they offer little real protection against this problem, Dirro says.

'Apple does check its apps before publishing them,' he says. But that process is less focused on security holes in the programs than on their functionality. Google's Android system offers no controls at all. 'Any developer can publish their apps on it,' says Dirro.

Criminals have already started writing smartphone viruses like those seen on personal computers. The German Federal Agency for Security in Information Technology (BSI) identified an iPhone worm named iKee last year.

Yet a grain of salt is needed here. The threat from viruses, worms and Trojans on smartphones remains very low, the experts say. 'You can forget about it,' says Sophos employee Pfeiffer.

His colleague Dirro from McAfee presumes that the threat will increase in the future, though. Pfeiffer believes, however, that programs that damage the device will not be the focus in the future.

The biggest threat is and remains apps that spy on the user's data, because they offer attackers many more benefits. 'Why should I destroy a telephone when the device can potentially cause much more damage in a functional state?' Pfeiffer says.

Because the virus threat on the mobile phone remains relatively low, there has been little security software written specifically for smartphones. Bachfeld even advises against installing those programs since there's not that much danger right now.

'It's not necessary at the moment,' he says. McAfee expert Dirro instead recommends that users always install the security updates for the mobile operating system on a regular basis.

There is no technical protection against dodgy apps. The best security method is a healthy dose of scepticism, the experts say. 'Rational behaviour is required,' says Sophos expert Pfeiffer. Red flags should fly if an app can only be installed by allowing comprehensive access to the device's data.

Re: Smartphone apps may pose security risk

Posted: Sun Nov 14, 2010 9:02 pm
by HaGGardSmurf
That's why in Android, before an app is installed, it's listed what you're giving the app permission to do.

If you're downloading a simple game and it requests access to read and write text messages, you're not going to want to install it.