Security Alert: Rogue Applications Competitiveness in the mobile-based business environment is precariously balanced on originality and the protection of ideas from being duplicated, misused or mutilated. Mobile Applications happen to be both the intellectual property and the identity of a brand. This means they must be secured both from the purview of regulatory compliance and the threat of identity theft. Rogue applications are a rapidly emerging attack vector in the mobile application topography. Prevalent among gaming, enterprise applications and antivirus software, the range of malicious activity that they can set off is quite alarming. These fraudulent applications intend to masquerade as rip-offs, free level upgrades and premium versions of popular applications in the market. Many variants can silently snoop around on a device, tapping into user activity on other apps and browsers. They could also prevent the execution of vital controls and functions. Data breach risks exponentially increase when these fake apps are installed on employee devices connected to corporate networks on BYOD policy. Rogue applications are easy to pull off because:
Companies often have very less control over how vigilant users behave when downloading applications from app stores and elsewhere on the web. Most rogue applications are equipped with a fraudulent code signing certificate that prevents devices from generating a warning at the time of installation. The login screens on most applications are generic and simple to clone and copy. Mobile users are accustomed to regularly entering their credentials into rather plain interfaces and rarely suspect pages inside an app they perceive as safe. Rogue applications bank on the user’s blatant disregard of precaution before downloading a free or premium application. These ripped-off apps manage to entice users by offering an originally paid add-on or version of an application for as low as a few cents or absolutely free. Since they clone and copy everything from the logo, to the description of the app as it were on the official site, many users fall for the ‘offer’. AudioEffect feature vulnerabilities in Android’s media processing component are known to give rogue applications access to sensitive privacy permissions which includes taking pictures, recording videos and reading mp4 files.
Impersonation – the stuff of nightmares for brand image, company values and credibility. There are now a total of 4.37 million malicious and high risk apps that comprise a major portion of impersonation threats like FakeID, Masque and Premium Service Abusers. Malicious app aggregators, modified and Trojanized apps have taken over the mobile app market. Repackaged applications are fraudulent versions of legitimate applications. Cybercriminals extract the code files
from them, add malicious changes and recompile them. A Pentester friend of mine pulls this off on a daily basis with minimal tools. The intent is to make quick bucks by inserting ads on the compromised application or just plain defacement (as if too many ads aren’t embarrassing enough). Companies often fail to detect these attacks until the poor ratings and reviews start popping up and by then, it could be too late, considering the instant influence that these ratings have on the user community at large. How Companies can buckle up: 1. App developers and organizations need to realize that the privacy of their customers, their sensitive data and brand image are under threat of damage, and misuse. 2. Developers or companies planning an app release must adopt a pervasive security assessment to understand when and where due diligence comes into play. Keeping abreast of the latest patches, firmware upgrades and new threat discoveries can be dizzying. Take the help of a security assessor with a sweeping radar vision of the threats common to your industry sector, geographical presence and platform-specific vulnerabilities. 3. Seek to understand how to secure your application interfaces from being copied or modified. Verifying checksum validation is a good start. Even a simple change in the checksum value indicates that the original application had been tampered with. 4. The publisher of the application has to be verified and has to be downloaded from the original source 5. Consult an expert security analyst in developing applications with unique site design components and ensure that your trademarks are protected in accordance with apposite statutory compliance requirements. 6. Work with a security strategist to build your marketing strategies around security. Letting customers know as and when you release new version updates and features can help avoid the success of rogue apps in damaging user experience. 7. Adopt a security risk assessment program that integrates people, process and technology (tools). Intelligence-led situational risk analysis that helps in realizing optimum returns out of your security budget. Aleph Tav Technologies strives to enable mobile and web applications to remain secure all the way. Talk to us for a forthright assessment of your application security and to appropriately enhance and perpetuate resistance. Our services include: Ethical Hacking, Managed Security Services, Application Security, Network Security, Security Testing, Enterprise Security, Security for IoT, SCADA Security, Digital Forensics