Fortify warns that smartphone app developers must embrace secure code development strategies
March 2010 by Fortify
Fortify Software has warned that developers of applications (apps) for smartphones such as the Apple iPhone and Google Android must embrace the principles of secure code development, otherwise the integrity of users’ mobile phone data could be seriously at risk.
The warning from the software security authority comes after researchers at Rutgers University in the US have developed a proof-of-concept rootkit capable of compromising most aspects of a smartphone.
"The researchers have developed a full-blown hacker code methodology that allows all the features of a smartphone - including its microphone, global positioning system and even the battery - to be totally and utterly turned over to a hacker’s control," said Richard Kirk, Fortify’s European director.
"And just like a compromised desktop PC, all the operations of the hacked smartphone can be used for all manner of hacking purposes, including data theft, botnet swarming, distributed denial of service attacks and even remote automated mass hacking of critical national IT systems infrastructures," he added.
According to Kirk, whilst rootkits have been known about since the 1990s, secure code development strategies have evolved to ensure that desktop systems software cannot normally be compromised by this type of hackery.
But smartphone code developers, owing to the relative youth of their industry, have had no similar pressures imposed on them, as smartphones have always been viewed as a less powerful computing option.
All that changes, he explained, with the evolution of rootkits for smartphones, as it means that hackers can assume control over a handset that is every bit as powerful as a computer of just a decade ago.
Fortify general manager Kirk argues that, just as PCs of the early 2000s could cause havoc on the Internet, so too do infected smartphones pose an equally serious security threat.
Kirk says that, using the rootkit, the Rutgers scientists have been able to remotely turn on the smartphone’s microphone and so eavesdrop on nearby conversations.
And, he noted, since the rootkit can also send a phone’s location back to remote hackers, this GPS information can be used to remotely track a handset almost anywhere there is cellular or WiFi coverage.
"As the Rutgers University scientists say - ‘as the population of mobile devices increases, there will be an increasing interest in attacking these devices’ - this means there is a rising security risk from operating system-driven smartphones," he said.
"With hundreds of millions of these devices in active usage and the majority of them wirelessly connected, you can see the potential scale of the problem. Code developers must wake up to this pressing security issue and adopt secure code development practices, such as regular security testing, at the earliest available opportunity," Kirk added.