Standards for Mobile Applications
To increase industry awareness of, and dialogue about, mobile app threats specifically, Veracode has established its “Mobile App Top 10 List.” The list is meant to serve both as an industry standard for categorizing malicious functionality and as a checklist of vulnerabilities that developers and security teams can use together to determine which mobile app risks exist and how they can be effectively and efficiently mitigated. While traditional security vulnerabilities can be compounded by mobile use-case specifics and new, platform-particular challenges, the same best practices established in other environments should still be adhered to.
Most importantly, the Mobile App Top 10 can serve as the standard against which compliance is demonstrated through independent testing, much as the OWASP Top 10 or the CWE/SANS Top 25 are used for verifying traditional third-party applications.
The Mobile App Top 10 List
There are two main categories of mobile app risks. Malicious Functionality is a list of unwanted and dangerous behaviors that are stealthily placed in a Trojan app the user is tricked into installing. The user thinks they are installing a game or utility and instead gets hidden spyware, phishing UI, or unauthorized premium dialing.
A. Malicious Functionality
- Activity monitoring and data retrieval
- Unauthorized dialing, SMS, and payments
- Unauthorized network connectivity (exfiltration or command & control)
- UI Impersonation
- System modification (rootkit, APN proxy config)
- Logic or Time bomb
Vulnerabilities are errors in design or implementation that expose mobile device data to interception and retrieval by attackers. Vulnerabilities can also expose the mobile device, or the cloud applications used from the device, to unauthorized access.
B. Vulnerabilities
- Sensitive data leakage (inadvertent or side channel)
- Unsafe sensitive data storage
- Unsafe sensitive data transmission
- Hardcoded password/keys
The Mobile App Top 10 Details
A. Malicious Functionality Details
1. Activity monitoring and data retrieval
Activity monitoring and data retrieval are the core functionality of any spyware. Data can be intercepted in real time as it is generated on the device; examples include forwarding each email sent from the device to a hidden third-party address, letting an attacker listen in on phone calls, or simply recording from an open microphone. Stored data such as a contact list or saved email messages can also be retrieved.
The following are examples of mobile data that attackers can monitor and intercept:
- Messaging (SMS and Email)
- Audio (calls and open microphone recording)
- Video (still and full-motion)
- Contact list
- Call history
- Browsing history
- Data files
2. Unauthorized dialing, SMS, and payments
Criminals seeking to monetize weaknesses in human nature and in the mobile app distribution model can turn to premium-rate phone calls and premium-rate SMS messages. By including premium dialing functionality in a Trojan app, the attacker can run up the victim’s phone bill and have the mobile carriers collect the money and distribute it to them. Mobile devices can also be used to purchase items, real and virtual, with the cost billed to the customer’s mobile bill.
Another use of unauthorized SMS text messages is as a spreading vector for worms. Once a device is infected, a worm can send SMS text messages to all contacts in the address book with a link that tricks the recipient into downloading and installing the worm.
- Premium rate SMS – Trojan-SMS.AndroidOS.FakePlayer.a
- Premium rate phone call – Windows Mobile Troj/Terdial-A
3. Unauthorized network connectivity (exfiltration or command & control)
Spyware or other malicious functionality typically requires exfiltration to be of benefit to the attacker. Since mobile devices are designed for communication, there are many potential vectors a malicious app can use to send data to the attacker. A full-featured malicious program will often also let the attacker send commands to the spyware, for instance to turn on the microphone or grab a data file at a particular time.
The following are examples of communication channels attackers can use for exfiltration and command and control:
- HTTP GET/POST
- TCP socket
- UDP socket
- DNS exfiltration
- Blackberry Messenger
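The capabilities named in items 1 through 3 (messaging, audio, contacts, call history, premium dialing/SMS, network access) map onto permissions an Android app must declare in its manifest, which is what a reviewer vetting a submitted app looks at first. The following triage script is an added example written for this page, not Veracode tooling. It assumes a standard AndroidManifest.xml layout; the capability-to-permission mapping is a review heuristic chosen for the example, and both manifests are constructed, not taken from any real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Which declared permissions grant each capability named in items 1-3.
# Heuristic mapping assumed for this example, not a Veracode definition.
CAPABILITY_PERMISSIONS = {
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SEND_SMS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "video": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_history": {"android.permission.READ_CALL_LOG"},
    "browsing_history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "dialing_and_billing": {"android.permission.CALL_PHONE", "android.permission.SEND_SMS"},
    "network": {"android.permission.INTERNET"},
}
DATA_CAPABILITIES = {"messaging", "audio", "video", "contacts", "call_history", "browsing_history"}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {node.get(ANDROID_NS + "name", "") for node in root.iter("uses-permission")}


def capabilities(permissions):
    """Translate raw permissions into the capability vocabulary of the list above."""
    return {cap for cap, grants in CAPABILITY_PERMISSIONS.items() if permissions & grants}


def triage(manifest_xml, expected_capabilities):
    """List review findings: capabilities the app's stated purpose does not justify,
    plus the two combinations that matter most for items 2 and 3."""
    perms = declared_permissions(manifest_xml)
    caps = capabilities(perms)
    unexpected = caps - set(expected_capabilities)
    findings = [
        "unexpected capability '%s' granted by %s" % (cap, sorted(perms & CAPABILITY_PERMISSIONS[cap]))
        for cap in sorted(unexpected)
    ]
    if "network" in caps and unexpected & DATA_CAPABILITIES:
        findings.append("exfiltration path: unjustified data access combined with network access")
    if "dialing_and_billing" in unexpected:
        findings.append("billing abuse path: app can place calls or send SMS without a user-visible reason")
    return findings


# Constructed manifest for a wallpaper app that asks for far more than wallpapers need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Free Wallpapers"/>
</manifest>
"""

# Constructed manifest for the same app declaring only what its purpose requires.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Free Wallpapers"/>
</manifest>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, {"network"}):
        print(finding)
    print("benign:", triage(BENIGN_MANIFEST, {"network"}))
```

The expected-capability set is the reviewer's statement of what the app's advertised purpose justifies; everything else becomes a finding. A wallpaper app that can read contacts, record audio and send SMS while holding network access is exactly the spyware and premium-SMS profile the three items above describe.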
4. UI impersonation
Phishing attacks on PCs work by tricking the user into clicking a link in their browser that brings them to a bogus website impersonating the UI of their bank or online service. The UI asks the user to enter their credentials; the attacker collects the credentials and uses them to impersonate the victim. On the mobile device there are new opportunities for attackers to perform UI impersonation. One form is a web view application that presents a native mobile UI as a proxy to the genuine web app: the user thinks they are downloading a legitimate app, such as a banking app, but instead gets an imposter that proxies information to the bank’s genuine website. When the user authenticates, they end up sending their credentials to the attacker.
Another impersonation vector is a malicious app popping up UI that mimics the phone’s native UI or the UI of a legitimate application. The victim is asked to authenticate and ends up sending their credentials to an attacker.
5. System modification (rootkit, APN, proxy config)
Malicious applications will often attempt to modify the system configuration to hide their presence; this is often called rootkit behavior. Configuration changes can also make certain attacks possible, for example modifying the device proxy configuration or APN (Access Point Name).
6. Logic or Time bomb [CWE-511]
Logic or time bombs are classic backdoor techniques that trigger malicious activity based on a specific event, device usage or time.
B. Vulnerabilities Details
7. Sensitive data leakage [CWE-200]
Sensitive data leakage can be either inadvertent or via a side channel. A legitimate app’s use of device information and authentication credentials can be poorly implemented, thereby exposing this sensitive data to third parties.
- Owner ID info: name, number, device ID
- Authentication credentials
- Authorization tokens
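One of the most common inadvertent channels for the three data classes just listed is the app's own log output, which on a shared device is readable by other software and often ends up in crash reports. The redacting log filter below is an added example for this page, not Veracode or platform code. The redaction patterns (a 15-digit device identifier, e-mail addresses, password/PIN fields and bearer or session tokens) are heuristics chosen for the example, and the log lines are constructed.

```python
import io
import logging
import re

# Constructed redaction rules for the item 7 data classes; heuristic, not exhaustive.
REDACTIONS = [
    (re.compile(r"\b\d{15}\b"), "[IMEI]"),                    # 15-digit device identifier
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),  # owner e-mail address
    (re.compile(r"(?i)\b(password|passwd|pwd|pin)\s*[=:]\s*\S+"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+"), "Bearer [TOKEN]"),
    (re.compile(r"(?i)\b(token|session|auth)\s*[=:]\s*[A-Za-z0-9._~+/=-]{8,}"), r"\1=[TOKEN]"),
]


def redact(text):
    """Apply every redaction rule in order and return the scrubbed string."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class SensitiveDataFilter(logging.Filter):
    """Rewrites each record's fully formatted message before any handler sees it,
    so redaction happens once regardless of how many handlers are attached."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already interpolated; avoid a second % formatting
        return True


def capture_with_filter(message, *args):
    """Log one message through the filter into an in-memory stream and return the
    text a handler would have written (used here to show the end-to-end effect)."""
    logger = logging.getLogger("example.redacting")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SensitiveDataFilter())
    logger.info(message, *args)
    handler.flush()
    return stream.getvalue().strip()


# Constructed log lines of the kind a debug build tends to emit.
SAMPLE_LOG_LINES = [
    "login ok for alice@example.com device=356938035643809 pin=1234",
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "session=abcdef12345678 ok",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(redact(line))
    print(capture_with_filter("login ok for %s device=%s pin=%s",
                              "alice@example.com", "356938035643809", "1234"))
```

Attaching the filter to the logger rather than to a handler matters: the scrubbing then happens before the record fans out to file, console and crash-reporting handlers alike, which is the point at which the owner ID, credential or token would otherwise leave the app's control.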
8. Unsafe sensitive data storage [CWE-312]
Mobile apps often store sensitive data such as banking and payment system PINs, credit card numbers, or online service passwords. Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it from the file system. Storing sensitive data without encryption on removable media such as a micro SD card is especially risky.
- Citibank insecure storage of sensitive data
- Wells Fargo Mobile application 1.1 for Android stores a username and password, along with account balances, in clear text.
9. Unsafe sensitive data transmission [CWE-319]
It is important that sensitive data is encrypted in transmission lest attackers eavesdrop on it. Mobile devices are especially susceptible because they use wireless communications exclusively and often public WiFi, which is known to be insecure. SSL is one of the best ways to secure sensitive data in transit. Even an app that implements SSL can still fall victim to a downgrade attack if it allows HTTPS to be degraded to HTTP. Another way SSL can be compromised is if the app does not fail on invalid certificates, which would enable a man-in-the-middle attack.
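The two failure modes named in this item, accepting invalid certificates and following an HTTPS-to-HTTP downgrade, can both be made concrete with the standard library's TLS client settings. The code below is an added example written for this page, not Veracode's or any vendor's; it shows the permissive configuration beside the fail-closed one, an audit function that reports what would let an interposer succeed, and a redirect check that refuses the downgrade. The URLs are constructed and nothing connects to the network.

```python
import ssl
from urllib.parse import urljoin, urlsplit


def weak_client_context():
    """The anti-pattern this item describes: certificate errors are silently accepted,
    so any interposed certificate passes and the channel can be read in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Fail closed: trusted CAs, hostname match, and no legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the settings that would let a man-in-the-middle succeed (empty if none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 accepted")
    return problems


def redirect_allowed(current_url, location):
    """Refuse to follow a redirect that would downgrade HTTPS to plain HTTP.
    Relative Location headers are resolved against the current URL first."""
    target = urlsplit(urljoin(current_url, location))
    if urlsplit(current_url).scheme == "https" and target.scheme != "https":
        return False
    return True


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    # Constructed redirect pair: a banking login answered with a plain-HTTP Location.
    print("follow downgrade?", redirect_allowed("https://bank.example/login",
                                                "http://bank.example/login"))
```

The audit function is the useful part for a reviewer: a context that reports no problems still needs its trust store and pinning policy checked, but one that reports any of the three will fail against a trivially interposed certificate on the public WiFi the item mentions.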
10. Hardcoded password/keys [CWE-798]
Hardcoded passwords or keys are sometimes used by developers as a shortcut to make the application easier to implement, support, or debug. Once the hardcoded password is discovered through reverse engineering, it renders the security of the application, and of any system it authenticates to with that password, ineffective.
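Items 8 and 10 are caught the same way in practice: by looking for credential-shaped strings where they should not be, either in the app's source or decompiled code (hardcoded passwords and keys) or in the files it writes to storage (clear-text PINs, passwords and tokens, worse still on removable media). The scanner below is an added example written for this page, not Veracode's analysis engine. The name patterns, entropy threshold and external-storage path prefixes are heuristics chosen for the example; the Java-like source and the Android shared-preferences file are constructed, and the key-looking literals in them are random-looking filler, not real secrets.

```python
import math
import re
import xml.etree.ElementTree as ET

# Names that suggest a credential or key; heuristic, assumed for this example.
SECRET_NAME = re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|private[_-]?key|token|pin)")
STRING_ASSIGN = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]{4,})"')
HEX_KEY = re.compile(r"^[0-9a-fA-F]{32,}$")           # 128-bit or longer hex material
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
EXTERNAL_STORAGE = ("/sdcard", "/storage/", "/mnt/sdcard")  # removable / world-readable paths


def shannon_entropy(value):
    """Bits per symbol; random base64 approaches 6, English text sits near 4."""
    length = len(value)
    return -sum((n / length) * math.log2(n / length)
                for n in (value.count(c) for c in set(value)))


def scan_source(source_text):
    """Item 10: string literals that look like hardcoded passwords or keys.
    Returns (line number, variable name, reason) tuples."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        for m in STRING_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            if SECRET_NAME.search(name):
                findings.append((lineno, name, "credential-named constant holds a literal"))
            elif HEX_KEY.match(value):
                findings.append((lineno, name, "hex-encoded key material"))
            elif BASE64ISH.match(value) and shannon_entropy(value) > 4.5:
                findings.append((lineno, name, "high-entropy literal, likely key or token"))
    return findings


def scan_shared_prefs(xml_text, path):
    """Item 8: credential-named <string> entries stored in clear text, plus a finding
    if the preferences file itself sits on external or removable storage."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name = node.get("name", "")
        if SECRET_NAME.search(name) and (node.text or "").strip():
            findings.append((name, "stored in clear text"))
    if path.startswith(EXTERNAL_STORAGE):
        findings.append((path, "preferences file on external storage, readable by other apps"))
    return findings


# Constructed Java-like source; the hex and base64-looking values are filler, not real keys.
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String BASE_URL = "https://api.example.com/v1";
    private static final String SERVICE_PASSWORD = "constructed-pw-123";
    private static final String AES_KEY = "3f7a91c2e84b6d05a1f9c3e7b2d48a60";
    private static final String SIGNING_MATERIAL = "q7Zp3xL9vR2mK8nW4tY6uB1cD5eF0gHj";
    private static final String GREETING = "Welcome back";
}
"""

# Constructed Android shared-preferences file as written by SharedPreferences.
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="password">constructed-pw-123</string>
    <string name="session_token">tok_constructed_1234567890</string>
    <int name="login_count" value="7" />
    <string name="theme">dark</string>
</map>
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print("source:", finding)
    for finding in scan_shared_prefs(SAMPLE_PREFS, "/sdcard/Android/data/com.example.bank/login.xml"):
        print("storage:", finding)
```

Two design points carry over to real tooling. Hex-encoded keys never exceed 4 bits of entropy per character, so a single entropy threshold misses them and they need their own rule. And the storage scan reports the file location as a finding in its own right, because the paragraph above is correct that an unencrypted file on a micro SD card is exposed to every other app and to anyone who removes the card, regardless of what the app's own code does.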
The research team at Lookout Mobile Security provided great recommendations for improving the list.