Researchers demo 92% success rate in hacking smartphone apps

The vast mobile applications ecosystem, enabled by the ability of apps to run on a shared smartphone infrastructure or operating system, has created open doors for hackers who want to obtain personal information from mobile device users. And the threat is believed to extend across Google (NASDAQ: GOOG) Android, Apple (NASDAQ: AAPL) iOS and Microsoft (NASDAQ: MSFT) Windows operating systems, according to a group of university researchers.

The research team demonstrated their hack of an Android phone and reported their method was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Easily hacked apps included Gmail, Chase Bank and H&R Block. Amazon (NASDAQ: AMZN), with only a 48 percent hack-success rate, was the only app tested that was difficult to penetrate, the researchers said.

Researchers show how an attack happens in the H&R Block app. (Source: YouTube)

A paper detailing the hack was written by Zhiyun Qian, of the Computer Science and Engineering Department at the University of California Riverside; Z. Morley Mao, an associate professor at the University of Michigan; and Qi Alfred Chen, a Ph.D. student working with Mao. They presented their findings on the hack, which requires a user to unwittingly download a malicious app, during the 23rd USENIX Security Symposium in San Diego, Calif.

Though their hack method was demonstrated on Android, the researchers said it should work on other operating systems because they have in common what is described as a newly discovered public side channel: the shared memory statistics of a process. Shared memory allows processes to share data, and its statistics can be accessed without any privileges.

"The assumption has always been that these apps can't interfere with each other easily," Qian said. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

Qian suggested users avoid installing untrusted apps but also indicated OS designers should eliminate side channels or more explicitly regulate them.
