Thursday 17 October 2013

Mobile Threat Monday: Leaky Document Signing Apps and Ad-Packed Plagiarized Apps

This week, we take a look at two very different potential threats to your privacy and your peace of mind. First we look at document signing apps, which though useful, might not be storing your documents in the most secure fashion. We also take a look at repackaged apps that copy-cat developers have stuffed with aggressive advertising.
Signedoc
Despite being pretty deep into the 21st Century, we're still required to sign physical documents and even asked to fax said documents. That's where the attraction of document signing apps comes in: these mobile applications will let you sign documents and then send them back to whoever requires your John Hancock.
But as Appthority found, some of these applications don't put security first. For instance, your documents are sent up to the cloud for processing, though you might not necessarily be aware of it. Also, Signedocs stores documents on your SD card. "This exposes private documents that can be picked up from other untrusted applications and used for data exfiltration," said Appthority.
Appthority also noted that Signedocs stores your password in plaintext on your device.
Worst of all, the documents you sign with Signedoc are stored online on a public server. The file name is hashed and obfuscated, so guessing the URL for a document would be difficult if not impossible. But there's also no authentication in place to verify that only authorized people are looking at your documents. We've seen similar, though more pressing, issues with messaging apps in the past.
Signedocs is clearly not malicious, and the service it provides is genuinely valuable. But from the sound of it, the developers may need to tighten things down for the safety of their users, especially because these documents are likely to contain personally identifiable information like Social Security numbers, birthdates, and so on.
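As an added illustration that is not code from Appthority or from the Signedoc app, here is the storage choice the report criticizes beside its app-private alternative on Android; the class and method names are hypothetical, and the token method assumes the androidx security-crypto library is on the classpath.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Environment;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class DocumentStore {  // hypothetical helper, not the app's own code

    // Weak pattern from the report: the signed document lands on shared external
    // storage (the "SD card"), where any app holding READ_EXTERNAL_STORAGE can read it.
    public static File saveToSdCard(byte[] pdf, String name) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "SignedDocs");
        dir.mkdirs();
        File out = new File(dir, name);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(pdf);
        }
        return out;
    }

    // Hardened form: app-private internal storage. MODE_PRIVATE restricts the file
    // to this app's own UID, so other installed apps cannot open it.
    public static File saveToPrivateStorage(Context ctx, byte[] pdf, String name)
            throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            fos.write(pdf);
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Instead of keeping the user's password in plaintext, keep only a revocable
    // session token, and keep it in preferences encrypted under a Keystore-backed key.
    public static void saveSessionToken(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        MasterKey key = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                ctx, "auth_prefs", key,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString("session_token", token).apply();
    }
}
```

Moving the file off the SD card addresses the on-device exposure only; the server-side copy still needs real authentication, since an unguessable file name is not an access control.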
Reverse Engineered and Repackaged Apps
According to Bitdefender, a surprising 1.2 percent of 420,646 applications on Google Play turned out to be plagiarized. These 5,077 apps are 90 percent identical to other apps and in some cases have been repackaged with different ad networks and little thought to your private information.
"These duplicates or repackaged applications should not be mistaken for different versions of an app," said Bitdefender Chief Security Strategist Catalin Cosoi. "Here, it's about a publisher who takes an application, reverse-engineers its code, adds aggressive advertising SDKs or other beacons, then repackages and distributes it as his own." Bitdefender also pointed out that the process of unpacking an existing app is extremely simple.
Bitdefender told SecurityWatch that sometimes the repackaged apps only add a new advertising SDK, or change the Advertiser ID in order to make money from plagiarized apps. Other copy-cat developers are more aggressive, adding extra modules to put spam in the notification bar, report your location, access your contacts, and more. This is a similar tactic to the fake Disney Princess wallpapers, which lured downloaders with images from popular films.
These copied apps are usually swiftly found and deleted by Google, along with the plagiarizing developer's account. But the cost of creating a new account is a mere $25, small change compared to the money a popular plagiarized app could bring in—some of which average between 1,000 and 5,000 downloads.
Copy-cat apps are bad for legitimate developers as well. Looking at the game Riptide GP 2, Bitdefender found four free copies of the game on Google Play. They estimate that the original developer lost between $6,000 and $31,000—depending on download figures.
Make sure when you download a free version of an app that it's made by the same developer as the for-pay version. You can also use security apps like our Editors' Choice award winners Bitdefender Mobile Security and Antivirus and avast! Mobile Security & Antivirus to view what private information apps can access. Lookout has also become the standard bearer for adware detection, and should flag the more aggressive advertising SDKs.
