Scientists expose alarming smartphone vulnerability

August 28, 2014

Leading banks and email providers had their security breached on 92 per cent of attempts, giving attackers access to sensitive personal and financial information.

The hacking method was discovered by computer scientists who demonstrated it against popular smartphone apps (on Android, iOS and Windows), including Gmail.

The vulnerability involves exploiting GUI state changes that exist in every smartphone. To test the method, the scientists, from the University of California Riverside, installed an innocuous unsigned app, in this case a wallpaper changer, that carried malicious code.

The code was able to monitor a newly exposed side channel: shared memory statistics that the operating system reveals to other processes. The researchers used this data to discover when "activity transition events" were taking place.

These events included taking a picture of a cheque to deposit through the CHASE banking app or logging on to Gmail.

Having identified the crucial moment, researchers were able to enter the app unnoticed and, for example, take a second photo of the cheque to send to themselves, or extract personal email data.

This hacking method, detailed in a paper due to be presented at this week's USENIX Security Symposium in San Diego, will strike fear into the heart of many organisations, where a reputation for security is crucial.

Kashif Khan, VP Business Development at ENTWRX, said: "People like CHASE have invested a lot on their security, and this kind of news isn't good for their image.

"It doesn't really matter how good security is within an establishment such as CHASE's, as soon as you make yourself vulnerable by using a third-party app you may as well not have bothered.

"This is particularly true when you open your office documents with a third-party app. The most well-intentioned and diligent employee could be putting your enterprise at enormous risk."

There are two main strategies to minimise this appalling exposure. The first is, as Zhiyun Qian, the professor of computer science and engineering who led the research, told Wired.co.uk: "Don't install untrusted apps."

This is all very well, but as his work neatly proves, what is trustworthy and what isn't is not always apparent.

Alternatively, using a product such as ENTWRX's SecureWrx provides a way of putting a safe barrier between your organisation's data and the outside world.

Kashif added: "We don't provide security to stop other apps from gaining access. What we do provide is secure access to files that may potentially be exposed inside the app.

"Plus we don't rely on the UI engine from the OS to enable clients to see and use their files. This effectively means that using our products keeps your data inside a sterile container where - as we control every step of the process - you can be sure there is no risk of attack."

The other apps that succumbed to Prof Qian's attack were H&R Block, Newegg, WebMD and Hotels.com.