Just imagine what would happen if cell phones were affected by malware as much as PCs and organizational web sites. There are more than 34 million devices in use globally and, according to some estimates, a massive number of devices are coming to market with many different patch levels. When it comes to mobile applications, you don’t have a malware problem, you have an adversary problem, according to Adam Meyers, Director of Intelligence at CrowdStrike and a mobile app reverse engineer.
Reverse engineering apps helps penetration testers understand how an app works and discover weaknesses that cybercriminals could use in a real-world attack. Enterprises that are risk averse may set up their own mobile app store to give employees approved applications that have been vetted and whitelisted for use on their smartphone or tablet devices.

Meyers said that although mobile malware is just beginning to emerge, plenty of cybercriminals are working to find ways to get malware to live inside the platform’s kernel. “Detection and prevention is very difficult to do,” he said, because security software is restricted by manufacturers.

Several applications provide a basis for future attack types. A flashlight app that surfaced in the Apple iTunes store contained a hidden feature giving users tethering capabilities. Apple makes it especially difficult for reverse engineers because it uses FairPlay, a digital rights management (DRM) technology created for songs, as the mechanism to protect app files, Meyers said.

A mobile application called Dog Wars surfaced at the time football star Michael Vick faced legal troubles over his role in underground dogfights. The app contained malicious Java functionality that sent a text to everyone in the user’s contact list saying that the user hates animals. The app was designed by the animal care advocate organization, PETA. If an organization like PETA can accomplish this, just imagine what a skilled team can do.
For more info, read this article by Robert Westervelt and more at Search Security.