NEWS FLASH: You Can't Trust Any App

Category: Mobile

A new vulnerability that hackers can exploit to steal passwords and even take pictures of checks for fraudulent uses has been found in the Android operating system, and it probably exists in other mobile platforms, too. Like the recently discovered USB flash memory vulnerability, this one is deeply embedded in many, many products. And neither flaw is going to be fixed any time soon. What to do? Read on...

It's a Dangerous Mobile World

In a recent article I explained why it could be dangerous to simply connect a USB flash drive to your computer. Are you ready for more bad news? No app is safe -- even ones from the most trustworthy sources. Here's why...

This new vulnerability exploits the fact that multiple apps running on one device have free and equal access to a “scratch pad” block of memory. Apps write things to this shared memory that they need to “remember” temporarily; for instance, the open/closed state of a Web browser window. Because the shared memory is accessed frequently, it’s open to all apps all the time. Any running app can use the scratch pad – and see what other apps have written there.

This isn't a software bug -- it's an integral part of the design of the Android operating system. And before you breathe a sigh of relief because you use an iPhone, iPad, or Windows mobile device, you should know that the researchers who identified this vulnerability believe it also exists in those operating systems as well.
Unsafe Apps?

Here's how it works: A malicious app watches what's happening in the shared memory area to anticipate the next move of a popular app, and then captures sensitive data as it whizzes by. This is similar in concept to "wifi sniffers" that monitor unsecured data streams at coffee shops where free wifi is offered. But all the action here is taking place right on your mobile device, without regard to whether or not your Internet connection is encrypted.

For example, a malicious app may note that your Web browser has a login window open. The malicious app can then anticipate that you are about to enter your username and password. The malware can be ready with a keylogger that captures your credentials. Likewise, if you open your Chase banking app and start setting up to take a photo of a check for electronic deposit, a malware app can detect your preparations and be ready to capture a copy of the check image.

Is Your Favorite App Vulnerable?

The researchers created a malware app that successfully captured Gmail login credentials on 92% of its attempts. Many other popular apps from name-brand companies like H&R Block and Amazon were also hacked; Amazon had the “best” performance, being hackable on only 48% of attempts; so the “best” is not very good at all.

While writing this article, I recalled my experience in programming for IBM mainframe systems. If there was any attempt to read or write from a chunk of memory not specifically allocated to your program, you'd get an "Oh Charlie Four" (0C4) message, and your program was immediately terminated by the operating system. Problem solved!

All reports of this vulnerability include the same old advice to users: “Don’t install untrusted apps, or apps from untrusted sources.” That glib warning begs the question, “How can you trust any app source?”

The major app stores such as Google Play, Apple Store, etc., cannot be relied upon to keep out all the malware that developers upload. It’s a constant game of Whack-A-Mole: malware is uploaded; users download it; users complain about it; app store deletes it. in some cases, automated tools can detect and remove malicious apps, but that's still a developing technology, with an "arms race" similar to what happens in the desktop antivirus industry.

But during its brief life in an app store, a malicious app may be downloaded by tens of thousands of unsuspecting users. “Avoid sketchy apps,” the sages say, and they vaguely warn against apps that offer wallpaper or background images. More helpful advice would be to avoid apps that are newly released, those that have only a few reviews, and ones with less than a million downloads. But that advice is likely to be heeded by only the savviest and most security conscious users.

“Look for digitally signed apps” is another piece of impractical advice. A digital signature supposedly guarantees that a program has not been altered since its author “signed” it. In theory, there should be no malware hidden in there unless the author put it there. The digital template from which digital signatures are derived is registered with a “certificate agency” that verifies a signature’s integrity and origin each time a program is opened or installed. If the signature is not what it should be, the program has been altered and the user should beware.

Unfortunately, certificate agencies charge money, and developers don’t want to spend it. An app may be launched with a digital signature, but even that doesn't guarantee it's safe. According to one security firm I spoke with, some malware developers are starting to digitally sign their wares.

There are steps that app developers and operating system designers can take to solve or minimize this problem. One obvious idea that comes to mind is to encrypt data before writing to the shared memory area. Or add protections at the system level that prevent apps from seeing what other apps are doing. I can also envision an anti-malware tool that looks at the behavior of other apps, specifically those that are constantly sniffing around in the shared memory area. But those things are not likely to happen soon.

Don't misunderstand what I'm saying here. There's no insinuation that the Gmail, Chase Bank, H&R Block, or Amazon apps are insecure or untrustworthy. Neither am I saying that there's an unpatched security hole in the Android or iOS operating systems. What I am saying is that the design of those systems makes it possible for a bad app to steal data from good apps. Such apps may already exist, so awareness is the key.

The bottom line is that you cannot trust any app, nor any source of apps, one hundred percent. Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 2 Sep 2014

For Fun: Buy Bob a Snickers.

Prev Article:
Over 1 Billion Passwords Stolen

The Top Twenty
Next Article:
Geekly Update - 03 September 2014

Most recent comments on "NEWS FLASH: You Can't Trust Any App"

Posted by:

jack salemi
02 Sep 2014

Please keep us posted!

Posted by:

02 Sep 2014

I am seriously considering returning to pencil and paper! These malicious software and app developers are seriously getting old.

Posted by:

02 Sep 2014

I also remember programming mainframe systems in 1401 Autocoder, then in Basic Assembler Language and later in FPL and COBOL. As you said, each program was allocated a unique area of memory and was not allowed to violate other areas.
It seems that, yet again, the experience gained over many years on mainframe system is being ignored by those responsible for the newer operating systems.
Even a scratch pad area could be protected in this way.

Posted by:

Michael Brose
02 Sep 2014

iCloud was just hacked and the R-rated pictures of celebrities were published. First of all if you don't want it seen, don't have it taken. Secondly I thought iWhatever was impervious to attack. It was one of their brag points. Now we know what you said is true; NOTHING is safe anymore. Is this the beginning of the demise of the Internet as Al Gore knew it?

Posted by:

Bob K.
02 Sep 2014

In the hunter, and the hunted the hunters are usually the smarter ones.

Posted by:

Frank L
02 Sep 2014

Can formatting an "empty" new flash drive remove and hackers codes on it?

EDITOR'S NOTE: No, formatting doesn't affect the firmware.

Posted by:

02 Sep 2014

I agree with you David. At least when I used pen and paper I stood a chance at some privacy. This is getting pretty stupid!!

Posted by:

02 Sep 2014

That is why MS developed EMET, Go for Emet, It stops exploits:
Krebe On Security: 18;Jun 13;Windows Security 101: EMET 4.0;
> "Announcing EMET 5.0"

EDITOR'S NOTE: EMET is a Windows tool. It won't do anything for mobile threats.

Posted by:

Roger M
02 Sep 2014

Do the current Malware programs that work on IE work on Android systems?

EDITOR'S NOTE: No, you would need an anti-malware specifically for Android. See

Posted by:

02 Sep 2014

This disturbs me, greatly. I am fully aware, that many of games and utilities apps, can have malware on them. I do have avast! Premium on my mobile phone and it checks every download ... But, it is mainly, looking for viruses and the like, not malware. I also, have Malwarebytes on my mobile phone, but, you can only schedule "scans" for once daily. Of course, I can "scan" Malwarebytes anytime, but, I wish that Malwarebytes would "scan" the downloads, like avast! does.

I do try, to protect my Smartphone. The minute, I read that there were lots of vulnerabilities, in the Android Apps, and there were Anti-Virus apps becoming available, I got one. I knew, that it was important, for my safety.

I know, that I try to protect myself, the best I can. It is the only thing I can do and anyone else.

For those who do NOT have any protection on their Smartphones ... Please, get some. Most of the programs are FREE, that in itself, is great to hear. Do the FREE ones work? Yes! Just like the FREE ones for your PC or Laptop.

Posted by:

02 Sep 2014

It is time for the US and other governments to make malicious hacking, ID theft, and other similar "fun" a capital offence. I realize this sounds harsh, but these scum bags cost the US and world economies billions of dollars annually. They also destroy lives and families financially. It is time to stop it, or at least reduce it. We civilized folks need to up the ante. If we execute a few of these dweebs, only the very hard core will stay in the game, and more resources can be allocated to getting them as well. Whatdayathink out there?

Posted by:

02 Sep 2014

I think Gibbs of NCIS has it right, I still have my old flip phone to make and receive calls. No worries.

Posted by:

Bob C.
03 Sep 2014

IBM MAINFRAME Systems (Now Z/OS) have superior Error Handling Routines, the 0C4 error would be issued by Security Subsystem(RACF).

After many years of Mainframe Systems from Operations, Security, Problem Analyst, I am sorry but MS WIndows OS and Android OS from what I have observed are very hard to 'problem analyse' and nail down the actual problem, MS Knowledge Base gives you multiple 'try this', 'try that' etc...Android is similar.

With No System log or warning how would we even know that someone has hacked or compromised our data until its too late....You would not get away with most of the Security problems we see today in Windows and Android on a Mainframe system unless you had inside information and KNOW what you are doing...even then its hard.

Posted by:

03 Sep 2014

@ David and Angie, paper is good!
@ Bob, Cheque??? instead of check or is this an American spelling???
People seem to have become too reliant on Computers, and being invloved with a method of carrying on our lives (i.e. via Computers and Programs) that is controlled by Others. Seems like Natures rule prevails, wherever there are Organisms there will be Disease too.

Posted by:

03 Sep 2014

Should be "breathe a sigh of relief". Do some grammar checking before posting.

EDITOR'S NOTE: In fairness, it was a typo, not a grammar problem. But thanks for catching it. Fixed now.

Posted by:

Ed P.
03 Sep 2014

As far as I know every APP in iOS iPhone "plays" within its own sandbox and is not permitted access to other sandboxes. Doesn't this solve the problem?

EDITOR'S NOTE: To the best of my knowledge, there are shared memory spaces in iOS as well.

Posted by:

04 Sep 2014

I guess it's not paranoia if they are really out to get you...

Posted by:

04 Sep 2014

Sorry Bob but this sounds like FUD to me. Something that is possible doesn't make it likely to happen. There are so many possible apps using (or not using based on developers design) the scratch area that any malicious software trying to monitor that area would be large and slow, not easy to hide. On top of that 99.9% of the snooping would find the next move on angry birds.

EDITOR'S NOTE: What if the malicious app was only monitoring ONE app? As I mentioned, this was a proof of concept, and a caution.

Posted by:

Ellie H
08 Sep 2014

I have stopped downloading from CNET because of all the added stuff that comes with the stuff they're recommending

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- NEWS FLASH: You Can't Trust Any App (Posted: 2 Sep 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved