Smart phone, dumb risk

If you want to use a 'smart' phone, you need to be even smarter about its security and the apps you choose to use

By Stephen Wilson

February 11, 2010

Sadly the 'smart' in smart phone turned out to be just a marketeer's tag-line, if the latest security breach is anything to go by.


In mid December, an anonymous developer released upwards of 40 mobile banking apps for Google Android phones.

 

Each app was customised and badged for a different bank or credit union. Without knowing anything about the developer except their handle '09Droid', and without having had anything to do with writing the apps, some of the institutions smelled a rat, and informed their customers. Just days later, Google removed all the apps from the Android marketplace.


It all happened so quickly that security experts are left wondering just what was going on. As far as I can tell, none of 09Droid's apps were publicly available long enough to be studied or disassembled. Presumably, Google itself has access to the code and, in time, we should hear more news.


But for now, we can only guess what 09Droid was up to. The possibilities are worrying, and should serve as a timely reminder that smart phones need smart security.

 

The most optimistic guess is that it was a simple money-making venture. The apps might have done nothing more than open a browser window and point at a bank's homepage. Each 09Droid app was priced at 99 pence, and if all they did was direct the user to their bank, then it was money for jam.


But if the apps were that easy to write, then we would expect to see more than a few dozen of them. Further, we should have seen apps for more of the household names, like Chase, Citibank or some of the Australian majors (Bank of Queensland seems to be the only local brand accorded the dubious honour of an 09Droid app).


So it's widely thought that the rogue apps were more sinister, that they may have been written to harvest account names and passwords. The list of affected institutions is a little unusual, with many big names conspicuously absent. Maybe 09Droid worked out a common vulnerability in the logon pages that enabled a Man-in-the-Middle attack to be built into the apps?


I'm pretty sure we can rule out organised crime in this instance. Over the years, large scale phishing attacks have fallen into a reasonably predictable pattern, tending to target our Big Four, American Express, PayPal, eBay and the multinationals. Yet the Android apps by and large ignored these traditional quarries.


I compared one published list of 09Droid's apps against a database of the most phished financial institutions, and there's not a lot of overlap. The apps included Chase (second most phished), Bank of America (fifth), Abbey (sixth), HSBC (eighth), Fifth Third Bank (eleventh), NatWest (twelfth), Alliance & Leicester (fourteenth), LloydsTSB (eighteenth), Wachovia (nineteenth) and USAA (twenty-first). None of the other apps corresponded to common phishing targets, so it doesn't look like 09Droid has been working with the usual cyber criminals.


Regardless of the motivation, the possibility that malicious mobile banking apps could infiltrate the market is sobering.


Buyer beware
It's very early days in smart phone software. Business models and delivery mechanisms are in flux, as are customer behaviours. Personally, I would have expected a bit of good old caveat emptor. Why would anyone download a banking app from anywhere other than their bank's own site? I have to assume that some smart phone users might regard banking apps as much the same as games.


Google does not check or warrant apps on the Android marketplace, and it's not certain that it ever will. After all, Android is an open operating system, intended for any number of different smart phones. All that an Android developer need do is digitally sign their app before Google will upload it to the marketplace (developers don't even need to use commercial certificates, so they can remain anonymous and untraceable, like 09Droid). In the traditional personal computing market, operating system vendors (like Microsoft, for instance) take no responsibility for the countless independently written programs that users may install and run.


Of course, this laissez-faire situation is one of the primary causes of poor cyber security. Dependable security in PC operating systems has been a long time coming. Security today remains incredibly fragile, for it rests on a bewildering free market of ad hoc measures, like malware filtering, code signing, user-selected security levels, developer-selected testing and education.


We should all hope that a more coordinated approach is taken to smart phone software quality and security, before it's too late.

Stephen Wilson, founder of the Lockstep Group, is an analyst, consultant and innovator in digital identity. Lockstep Technologies works on smart solutions to CNP fraud and ID theft.
