Crap ad app hack hole affects '100 MEELLLION'
Advertising network library runs any old code it's given, conf audience told
RSA 2015 Two security bods reckon a software library used by popular apps exposes up to 100 million people to smartphone-hijacking hackers.
NowSecure's Andrew Hoog and Ryan Welton claim a library called Adlibr executes code downloaded from servers without verifying whether or not the material has been tampered with in transit – allowing a man-in-the-middle to intercept the download and inject malware into phones and tablets.
AdLibr is used by several apps to deliver ads to handhelds' screens: it claims it gets 27 million ad clicks a month across its network.
“The vulnerability allows an attacker to get complete control over the device … about 100 million people have this installed on their devices right now,” Hoog told the RSA security conference in San Francisco today.
“File integrity is not checked before it executes. At this point it's trivial to exploit a privilege-escalation bug to pull data from all other apps.”
In a live demo, Welton showed how attackers could hijack an app that uses the vulnerable library: chat robot SimSimi – which has been installed more than 10 million times – was apparently exploited to access the phone's SD card, contacts, and photos.
The pair of researchers said AdLibr's South Korean authors did not respond to their private disclosures of the alleged flaws, and have not issued a patch. The Register was unable to reach AdLibr's makers for comment at time of publication.
Separately, Hoog and Welton found during tests of 62,000 apps that each became more insecure as their popularity grew. Welton said this is likely due to developers' focus on features over security as they become caught up with the cutthroat competition between top apps.
“You'd expect a bigger app and bigger company would have a bigger focus on testing, but what we found was the exact opposite,” Welton said. “As apps become more popular, developers are probably spending more time on features and trying to beat their competitors.”
The researchers' stats showed that three quarters of the top apps with install rates between five to ten million contain vulnerabilities; pairing the two metrics lays waste to the theory that users could reduce risk by sticking to popular software.
Hoog says the mobile app space is so bad they could find vulnerabilities that “basically affect billions of people.” They added that, of the tested apps, 36 percent and 23 percent have at least one world-readable and one world-writeable file, respectively; 12 percent leak IMEIs that uniquely identify a gadget; five percent dribble MAC addresses; and four percent allow arbitrary file writing over the network.
While the findings marry up with much security research into mobile apps, Android kingpin Google says few published exploits result in real-world attacks. Google staff think security defenders may win the exploitation battle.
The duo urged app developers to test each version of their software for vulnerabilities, and avoid being part of the growing insecurity problem.
“Look at what apps you install,” Welton said. “Recognize the apps that are driving risk. And if you are building apps, testing is a must. Invest in mobile security because your developers aren't going to know how to do this out of the gate.”