Cybersecurity researchers have recently disclosed a class of security loopholes in mobile applications. They discovered that several mobile phone applications contain ‘backdoor secrets’ that allow hackers to access your phone data. These loopholes are pieces of code that are ‘hardcoded’ into the applications.
What the Study Says:
“The apps on mobile phones might have hidden or harmful behaviors about which end users know little to nothing,” said study author Zhiqiang Lin of the Ohio State University.
To study the behavior of these apps, the team evaluated 150,000 apps and selected 100,000 among them on the basis of downloads from the Google Play Store. In their study, the researchers flagged 12,706 apps as suspicious because they contain “backdoor secrets”: hidden behaviors within the app that are triggered when it accepts certain types of content.
They also found that some of the apps have a built-in “master code” that allows access to the app and the private data within it. Likewise, some apps had secret access keys that could trigger hidden processes, including bypassing a transaction.
Lin said, “Both users and developers are all at risk if a bad guy has obtained these ‘backdoor secrets’ in cyber security. In fact, motivated attackers could reverse engineer the mobile apps to discover them.”
According to the study, app developers make a wrong assumption about reverse engineering: they think it is not a legitimate threat to their apps.
According to lead author Qingchuan Zhao, “A key reason why mobile apps contain these ‘backdoor secrets’ is because developers misplaced the trust.”
To keep their apps secure, developers need to perform security validations that restrict unwanted input from users and forced input from outside. In this way they can achieve the security guarantee.
The research team has developed an open-source tool called ‘InputScope’ that will help application developers understand the flaws and weak points in their apps. It will also help demonstrate that the reverse engineering can be fully automated.
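A much-simplified illustration of the kind of flaw described above, written as a check a developer could run over their own source: it flags places where user-controlled input is compared against a hardcoded string literal. This is an added example, not InputScope's code or anything taken from the study; the sample Java lines, the variable names and the list of input-source methods are assumptions constructed for the illustration.

```python
import re

# Constructed sample: Java-like app code containing a hardcoded "master code"
# and a secret command string that skips a payment step.
SAMPLE_JAVA = '''\
String pin = pinField.getText().toString();
if (pin.equals(storedHash)) { unlock(); }
if (pin.equals("MASTER-0000")) { unlock(); }   // built-in master code
String cmd = intent.getStringExtra("cmd");
if ("debug_free_purchase".equals(cmd)) { skipPayment(); }
Log.d(TAG, "pin entered");
'''

# Variables assigned from a user- or externally-controlled source.
# The method list is an assumption for this example, not a complete set.
INPUT_SOURCE = re.compile(
    r'(\w+)\s*=\s*[^;]*\b(getText|getStringExtra|getQueryParameter)\s*\(')
# Matches var.equals("literal") and "literal".equals(var).
VAR_EQ_LIT = re.compile(r'(\w+)\.equals(?:IgnoreCase)?\(\s*"([^"]*)"\s*\)')
LIT_EQ_VAR = re.compile(r'"([^"]*)"\.equals(?:IgnoreCase)?\(\s*(\w+)\s*\)')

def find_hardcoded_comparisons(source):
    """Return (line, variable, literal) for each input-vs-literal comparison."""
    tainted = set()   # names of variables that hold outside input
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = INPUT_SOURCE.search(line)
        if m:
            tainted.add(m.group(1))
        for var, lit in VAR_EQ_LIT.findall(line):
            if var in tainted and lit:
                findings.append((lineno, var, lit))
        for lit, var in LIT_EQ_VAR.findall(line):
            if var in tainted and lit:
                findings.append((lineno, var, lit))
    return findings

if __name__ == "__main__":
    for lineno, var, lit in find_hardcoded_comparisons(SAMPLE_JAVA):
        print(f"line {lineno}: input '{var}' compared with hardcoded \"{lit}\"")
```

Each finding is a candidate for moving the comparison to a server-side check, since any literal shipped inside the app can be read by whoever unpacks it.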
The study has been submitted for publication. The 2020 IEEE Symposium on Security and Privacy has accepted it for publication in May 2020. Due to the global coronavirus (COVID-19) outbreak, however, the conference has been moved online.