Apple Pay

Security’s Less Than Stellar Week

It is hard to say enough good things about human ingenuity — written language, currency, flight, space travel and pocket-sized supercomputers all exist because someone (or a group of someones) saw an attainable goal where everyone else saw an insurmountable obstacle.

But the problem with ingenuity — and the innovations it gives rise to — is that not all clever people are good people and not every leap forward necessarily denotes useful programs.

As this week’s slew of security stories makes clear, not everyone wants to turn their technical skills and “never say die” attitude toward the goal of bettering mankind — especially when stealing the data out of mankind’s smartphones is a much more directly lucrative career path.

This week’s adventures in data (in)security kicked off with the discovery that keyboard software native to about 600 million Samsung devices leaves them open to hijacking. The fun things that researcher Ryan Welton was able to access by exploiting that flaw included eavesdropping on phone conversations, rummaging through text messages and contacts, and turning on the microphone to capture audio. The exploit is rooted in the SwiftKey keyboard, which is configured to look for language pack updates over unencrypted lines.

Reports also emerged this week that Samsung has been aware of the security flaw related to SwiftKey since 2014. Yet the march toward fixing the problem has been less than, ah, swift.

“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network,” the NowSecure report on the vulnerability stated. “In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally.”

However, a Samsung security flaw that potentially has given hackers an entry point for installing malicious apps, tampering with how the phone works and accessing sensors and resources like the phone’s GPS or camera was only the beginning of the fun with smartphone (in)security.

A separate report released by German researchers uncovered a defect in thousands of mobile applications, which could leave billions of users’ personal information at risk.

According to the report, there were 56 million items of unprotected data in the applications studied, included social networking, messaging, medical, games and bank transfer apps.

How comforting.

“In almost every category we found an app which has this vulnerability in it,” Siegfried Rasthofer, a member of the team who discovered the flaw, told Reuters. The research team hailed from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.

The issues lies in how apps store data online – and affected apps include some very big names.

“The root of the problem is in the authentication of users when their data is stored in online databases,” research team leader Eric Bodden explained.

Apps generally use services like Amazon’s Web Services or Facebook’s Parse to store, share or backup users’ data. Developers have options in those servces for protecting data – but the majority, for the sake of convenience, choose the default option, based on a string of letters and numbers embedded in the software’s code. That data token is easily broken, the researchers noted, and exploitable in a manner similar to the Heartbleed Bug.

The good news is that the German team found no evidence that any cybercriminals have tried to use the vulnerability — yet

And, this week, any good news is really good news, insofar as it isn’t bad news on the security front. Because rounding the trifecta of the mobile security fail this week is the revelation by an international team of academic researchers that the newest iteration of iOS and Mac OS X that found a set of weaknesses in the newest iterations of iOS and OS X that make it relatively easy to install malicious apps via Apple’s App Store – and then use said apps to steal sensitive personal data.

“We completely cracked the keychain service — used to store passwords and other credentials for different Apple apps — and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps,” said Luyi Xing, one of the report’s authors.

And as it turns out – Apple, never one to come in second, may have the dubious distinction of the scariest hack of the week, since so far no simple direct solution has been found for it as of yet.

The Flaw

So what has gone wrong with the latest round of Apple operating systems?

Researchers from Indiana University, Peking University and the Georgia Institute of Technology released an academic paper stating that they found they could use a malicious app to gain access to all kinds of interesting user data, as long as that app was approved for download by Apple’s App Store.

The team further noted they were able to bypass the app store security checks and by early 2015 had managed to get their attack app approved. The team ran an analyzer on more than 1,600 popular MAC apps and 200 iOS apps, and found that more than 88 percent of those apps were “completely exposed to” XARA attacks.

“Our malicious apps successfully went through Apple’s vetting process and were published on Apple’s Mac App Store and iOS App Store,” Luyi Xing told The Register.

Data that the team was able to access using the flaw included banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system’s keychain and secret iCloud tokens, and passwords from password vaults. Apple has reportedly been aware of the flaw since late 2014 – but the team agreed to hold off on public disclosure of the bug for six months.

No Easy Fix

The bad news with this particular flaw is that it seems to be baked into the DNA of the keychain system itself – and thus does not easily lend itself to a solution.

Google set about addressing the issue with Chrome fairly quickly, and removed Keychain integration for Chrome, reportedly claiming the issue cannot be solved at the application level. Digital security firm AgileBits has reportedly also been unable to find a way to ward off the attacks or even make the malware “work harder” in the four months it has been trying to solve the problem.

Nor does it seem there is an easy answer — a lengthy technical walk through on Apple Insider comes to the unfortunate conclusion that there may be no way to directly solve the issue discovered by researchers without massive “architectural alterations” to iOS and OS X.

The upside, however, is that while there is no easy way to remove this problem — it seems it may be avoidable for the vigilant mobile user. According to reports on 9to5Mac, the attacking software cannot yet get at the keychain entries directly. Instead, it forces users to log in manually and then grabs the credentials in a newly created entry.

This means users can be on the look out for any software that behaves unusually after being downloaded from the app store – particularly if one is being asked to login manually when the keychain would normally handle that function.

And, of course, standard security rules apply and so users are best served staying away from unknown app publishers.


New PYMNTS Report: Preventing Financial Crimes Playbook – July 2020 

Call it the great tug-of-war. Fraudsters are teaming up to form elaborate rings that work in sync to launch account takeovers. Chris Tremont, EVP at Radius Bank, tells PYMNTS that financial institutions (FIs) can beat such highly organized fraudsters at their own game. In the July 2020 Preventing Financial Crimes Playbook, Tremont lays out how.

1 Comment