Shared Code Creates Opportunity for Hackers, Expert Warns

Some app developers may not be malicious, just careless. But that's an important distinction when a federal employee uses a smartphone to access sensitive information.

by Kate Patrick, InsideSources.com / March 5, 2019

(TNS) — State-sponsored hackers may or may not compromise hardware in the U.S. technology supply chain, but one cybersecurity firm says compromised software is definitely a national security risk — especially on mobile phones.

Smartphone applications often share code, and most apps aren’t vetted before they go to market, so it can be very easy for hackers to use apps to steal a user’s personal, private, or even top secret information, according to Tim LeMaster, director of systems engineering at Lookout, a mobile security company.

“A major concern tends to be software coming into the supply chain,” LeMaster told InsideSources. “That threat could come from people trying to compromise the source of the code.”

LeMaster said app developers often use open source code libraries to make new apps, which can create a huge risk to smartphone users, especially federal employees using smartphones.

“Very few applications are built from scratch by the developer,” LeMaster said. “Almost all apps share code and pull from open source libraries and other sources, and a lot of times there is little validation of the code done to build that application. If I have an application that allows me to do document signing, I download it from the App Store, I really don’t know much about it, and the employer in many cases doesn’t know much about it either. When you plug in your phone at night, half a dozen apps update themselves and change, and you don’t know how they changed, and you don’t have visibility into that.”

Malicious or weak code can lurk in those open source code libraries. Some app developers may not be malicious, just careless. But that can make a world of difference to a federal employee using his or her smartphone to access sensitive information.

“Most of these apps are trying to monetize themselves through your data — so they embed advertising ACKs (Acknowledgement Codes),” LeMaster said, “and sell that information to other advertisers. We often find apps that have the ACKs and they’re too promiscuous about how they collect information. There’s concern about how that data is protected.”

Lookout isn’t the only one making these observations. Global cybersecurity firm CrowdStrike noted an uptick in mobile malware, specifically from Iran, in its 2019 Global Threats Report, released Feb. 19.

CrowdStrike also noticed that hackers’ use of mobile malware combined with “mineware” — a virus used to mine cryptocurrency — was on the rise as early as 2018.

“In April 2018, Google announced that Chrome extensions containing mineware would be banned from the Chrome Web Store,” according to the report. “Two months later, Apple also updated its guidelines for iOS applications to prevent the inclusion of cryptocurrency mining code.”

Sometimes all it takes is a poorly coded app for a hacker to infiltrate a smartphone, which prompts national security concerns.

“Hardware concerns in the supply chain are completely valid, and the government has done a lot to address that, but I think software risk is of equal concern,” LeMaster said. “Agencies recognize that concern as well. It could just be poor coding practices in the software or malicious intent, vulnerabilities, weaknesses — there’s lots of ways the software supply chain can get compromised. It could just be the developer didn’t have security in mind.”

©2019 InsideSources.com, Washington, D.C. Distributed by Tribune Content Agency, LLC.