Research conducted in the United States shows that almost 10% of the most popular mobile phone apps are potentially vulnerable to attack, because they contain hard-coded hidden functions that users know nothing about.
Computer technology has permeated all aspects of our lives, and this raises important questions about how data about us is used and how securely it is stored. This topic was discussed at the IEEE Computer Society Symposium on Security and Privacy, held online in the United States.
Hidden application algorithms
Among the published reports, attention is drawn to a study of one aspect of the cybersecurity problem, conducted by a group of scientists at Ohio State University (USA). They found that a large number of mobile phone apps contain hard-coded secret logic that gives them covert access to the owner's personal data or blocks content uploaded by the user.
"We came to a disturbing conclusion: apps installed on mobile phones may have hidden and malicious behavior that users don't know about," said one of the study participants, Zhiqiang Lin, an assistant professor of computer science and engineering at Ohio State University. As a rule, programs interact with phone users by processing the data they enter, Lin explains. For example, users often need to tap buttons, type certain phrases, or swipe the screen, and these inputs prompt the apps to perform various actions.
In a large-scale project, the research team evaluated 150,000 applications: the 100,000 most downloaded apps on Google Play, 20,000 popular apps from an alternative market, and 30,000 apps pre-installed on smartphones running the Android operating system.
They found that 12,700 of the apps studied (about 8.5%) contain what the group called "backdoor secrets". This is the nickname for hidden functions that are triggered by a specific type of input without the user's knowledge. The researchers also found that some applications ship with built-in "master passwords" that allow any third party who knows the password to access the program and the personal data registered in it. Some applications were also found to contain secret access keys that trigger hidden options, including bypassing payment.
Phone users are at risk if an attacker has obtained these "backdoor secrets", Lin said, adding that in fact motivated attackers can quite easily reverse engineer a program to discover the hidden secret codes.
Censorship of content
Another participant in this study (its lead author), Qingchuan Zhao, a researcher at Ohio State University, said that their group also found 4,028 programs (about 2.7%) that blocked content containing certain censored keywords. These are mostly expletives and terms of racial and gender discrimination.
That apps can restrict certain types of content is not surprising, but the way they did it on smartphones was unusual: the "stop words" were checked locally on the device, not remotely, Zhao noted. On many platforms, user content can be moderated and filtered before it is published, and some social networks, including Facebook, Instagram, and Tumblr, already do so.
There is a problem here, continued Zhiqiang Lin. People may know that a number of words are prohibited on web platforms, but they may not know the contents of the entire blacklist or any specific examples. If they unknowingly use one of these phrases, their content is blocked automatically and they will not understand why. End users may therefore wish to clear up this vague situation by requesting the publication of a complete list of prohibited words.
To help developers understand the weaknesses of their software and demonstrate that the reverse engineering process can be fully automated, the research team presented an open source tool called InputScope, available for free to all interested parties.
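To illustrate the kind of pattern the study describes, here is an added example that is not the researchers' tool (InputScope analyses compiled Android bytecode, not source text): a toy Python scanner that runs over a constructed snippet of decompiled Java and flags places where text typed by the user is compared against a hard-coded string literal, the pattern behind both "master passwords"/secret access keys and locally checked stop words. The snippet, method names and literals are all constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of decompiled Android source; not taken from any real app.
SAMPLE_SOURCE = """
public void onLogin(View v) {
    String pwd = passwordField.getText().toString();
    if (pwd.equals("admin@2020!")) { unlockDebugMenu(); }   // hard-coded master password
    if (pwd.equals(storedHashCheck(pwd))) { proceed(); }    // not a literal: ignored
}
public void onPost(View v) {
    String body = editor.getText().toString();
    if (body.contains("badword1") || body.contains("badword2")) { reject(); }  // local stop words
}
public void onCoupon(View v) {
    String code = couponField.getText().toString();
    if (code.equals("FREE-ACCESS-9999")) { grantPremium(); }  // payment-bypass key
}
"""

# Method declarations, variables fed from an input widget, and literal comparisons.
METHOD_DECL = re.compile(r'^\s*(?:public|private|protected)\s+(?:static\s+)?[\w<>\[\]]+\s+(\w+)\s*\(')
INPUT_SOURCE = re.compile(r'String\s+(\w+)\s*=\s*\w+\.getText\(\)\.toString\(\)')
EQUALS_LIT = re.compile(r'(\w+)\.equals\("([^"]*)"\)|"([^"]*)"\.equals\((\w+)\)')
CONTAINS_LIT = re.compile(r'(\w+)\.contains\("([^"]*)"\)')

@dataclass(frozen=True)
class Finding:
    method: str
    variable: str
    literal: str
    kind: str  # "secret_key" (exact match) or "blacklist" (substring filter)

def scan(source: str) -> list[Finding]:
    """Return every comparison of user-entered text against a hard-coded literal."""
    findings: list[Finding] = []
    method, tainted = "<unknown>", set()
    for line in source.splitlines():
        if m := METHOD_DECL.search(line):
            method, tainted = m.group(1), set()   # input variables are method-local
        for m in INPUT_SOURCE.finditer(line):
            tainted.add(m.group(1))               # text that came from a widget
        for m in EQUALS_LIT.finditer(line):
            var = m.group(1) or m.group(4)
            lit = m.group(2) if m.group(1) else m.group(3)
            if var in tainted:
                findings.append(Finding(method, var, lit, "secret_key"))
        for m in CONTAINS_LIT.finditer(line):
            if m.group(1) in tainted:
                findings.append(Finding(method, m.group(1), m.group(2), "blacklist"))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"{f.kind:10} {f.method}: {f.variable} vs {f.literal!r}")
```

Comparisons against a computed value (the `storedHashCheck` line) are deliberately not reported, since only literals baked into the app can be recovered by reverse engineering.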
Taking the above into account, the management of the web studio of Alexander Ivanov (Avacym.Ru, Moscow) strongly recommended that employees involved in promoting customer sites not install or use the Sberbank Online app on their personal mobile devices.