Smartphone apps have 'backdoor secrets' for hackers: Study

Press Trust of India New York
Last Updated : Apr 01 2020 | 4:52 PM IST

A large number of cell phone applications contain hardcoded secrets allowing others to access private data, according to a study that may lead to new measures to improve smartphone cybersecurity.

According to the study, accepted for publication by the 2020 IEEE Symposium on Security and Privacy, apps on mobile phones may have hidden or harmful behaviours about which end users know little to nothing.

Researchers, including Zhiqiang Lin from the Ohio State University in the US, said mobile apps generally engage with users by processing and responding to user input.

Citing examples, Lin said that to prompt an action on their phones, users often need to type certain words or sentences, click buttons, or swipe screens.

In the study, the researchers evaluated 150,000 apps: the top 100,000 by number of downloads from the Google Play store, the top 20,000 from an alternative market, and 30,000 apps pre-installed on Android smartphones.

They found that 12,706 of those apps contained something the researchers called "backdoor secrets" -- hidden behaviours within the app that accept certain types of input to trigger actions unknown to regular users.

The researchers also found that some apps have built-in "master passwords," which allow anyone with that password to access the app, and any private data contained within it.

And some apps, they said, had secret access keys that could trigger hidden options, including bypassing payment.

"Both users and developers are all at risk if a bad guy has obtained these 'backdoor secrets,'" Lin said.

Motivated attackers could reverse engineer the mobile apps to discover them, he added.
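As an added illustration of the reverse-engineering step described above (this is example code written for this page, not code from the study, its InputScope tool or the article), the script below reduces the study's idea to its core: in decompiled app source, find places where a string the user typed is compared for equality against a constant baked into the app. The "decompiled" Java below is constructed for the example, and every class, field, method name and secret value in it is invented.

```python
"""Toy finder for 'backdoor secrets' in decompiled Android source.

Added example; not code from the InputScope study or from this article. It
reduces the study's idea to its core: find places where text the user typed
is compared for equality against a string constant baked into the app. The
'decompiled' source below is constructed for this example and every class,
field and method name in it is invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-in for decompiler output (what a tool like jadx emits); names invented.
SAMPLE_SOURCE = r'''
public class LoginActivity {
    private static final String MASTER_PW = "Adm1n-0verride";   // master password
    private static final String PROMO = "FREEPASS2020";         // payment bypass

    public void onLogin(View v) {
        String pw = passwordField.getText().toString();
        if (pw.equals(MASTER_PW)) { grantFullAccess(); }        // backdoor
        else if (checkWithServer(pw)) { grantUserAccess(); }    // legitimate path
    }

    public void onPromo(View v) {
        String code = promoField.getText().toString().trim();
        if (PROMO.equals(code)) { skipPayment(); }              // backdoor
        if (code.equalsIgnoreCase("dbg-menu")) { showDebugMenu(); }  // hidden option
    }

    public void onSearch(View v) {
        String q = searchField.getText().toString();
        if (q.equals("")) { return; }                           // empty check, not a secret
        runSearch(q);
    }
}
'''

# A String field initialised from a literal: name -> value.
CONST_RE = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"\s*;')
# A String local filled straight from an input widget: that variable is 'tainted'.
TAINT_RE = re.compile(r'\bString\s+(\w+)\s*=\s*\w+\.getText\(\)\.toString\(\)')
# x.equals(y) / x.equalsIgnoreCase(y) where each side is an identifier or a literal.
EQ_RE = re.compile(r'(\w+|"[^"]*")\.equals(IgnoreCase)?\(\s*(\w+|"[^"]*")\s*\)')


@dataclass
class Finding:
    line: int
    input_var: str   # the tainted variable holding user input
    secret: str      # the constant it is compared against
    method: str      # equals or equalsIgnoreCase


def _resolve(operand: str, consts: Dict[str, str]) -> Optional[str]:
    """Return the literal value of an operand, following String constants."""
    if operand.startswith('"'):
        return operand[1:-1]
    return consts.get(operand)


def find_backdoor_secrets(source: str) -> List[Finding]:
    consts: Dict[str, str] = {}
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CONST_RE.search(line)
        if m:
            consts[m.group(1)] = m.group(2)
        m = TAINT_RE.search(line)
        if m:
            tainted.add(m.group(1))
        for m in EQ_RE.finditer(line):
            left, ignore_case, right = m.group(1), m.group(2), m.group(3)
            # Either side may hold the user input: pw.equals(C) or C.equals(pw).
            for var, other in ((left, right), (right, left)):
                if var in tainted:
                    secret = _resolve(other, consts)
                    if secret:   # drops unresolved names and the empty-string check
                        findings.append(Finding(lineno, var, secret,
                                                "equalsIgnoreCase" if ignore_case else "equals"))
    return findings


if __name__ == "__main__":
    for f in find_backdoor_secrets(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.input_var} {f.method} {f.secret!r}")
```

On the constructed sample this reports the master password, the payment-bypass code and the hidden debug keyword, and ignores the empty-string check in the search handler. A real analysis has to follow data flow across methods and through obfuscated names, which is what the study's tooling does; the point here is only that the secret is recoverable from the client, because the comparison constant ships inside the app.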

Developers often wrongly assume reverse engineering of their apps is not a legitimate threat, added Qingchuan Zhao, another co-author of the study from the Ohio State University.

"A key reason why mobile apps contain these 'backdoor secrets' is because developers misplaced the trust," Zhao said.

To truly secure their apps, he said, developers need to perform security-relevant validation of user input and keep their secrets on backend servers rather than in the app.
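To make the recommended fix concrete, the following is an added example (written for this page, not code from the study or the article) that simulates an Android login check in Python. The vulnerable version carries a master password as a constant in the client, where the kind of scan shown earlier would find it; the hardened version carries no secret at all and leaves the decision to a backend that stores salted hashes. BackendServer, the user names and all password values are constructed for this example.

```python
"""Client-side master password versus server-side verification.

Added example, not code from the study or the article. The Android login
flow is simulated in Python so the difference is visible: the vulnerable
client ships the secret inside the app, where a reverse engineer can read
it out; the hardened client ships no secret and leaves the decision to the
backend. BackendServer, the user names and the password values are all
constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


# --- Vulnerable pattern: the secret is a constant in the client ----------------
def vulnerable_login(username: str, password: str, user_db: Dict[str, str]) -> bool:
    # Backdoor: this literal ends up in the APK and works for ANY username.
    if password == "Adm1n-0verride":
        return True
    return user_db.get(username) == password   # plaintext compare, also weak


# --- Hardened pattern: client validates shape only, server holds the truth -----
class BackendServer:
    """Stand-in for the app's backend (constructed). Stores salted PBKDF2
    hashes; there is no master password anywhere, so there is nothing for a
    reverse engineer to pull out of the client."""

    ITERATIONS = 50_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @classmethod
    def _hash(cls, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, password))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user takes as long as a wrong password.
            self._hash(b"\x00" * 16, password)
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._hash(salt, password))


def hardened_login(username: str, password: str, server: BackendServer) -> bool:
    # Client-side validation is limited to shape; it never decides access.
    if not (1 <= len(password) <= 128) or not username.isprintable():
        return False
    return server.verify(username, password)


def client_embeds_secret(func, secret: str) -> bool:
    """Crude 'strings'-style check a reverse engineer would run on the client:
    is the secret sitting in the function's constant pool?"""
    return secret in func.__code__.co_consts


if __name__ == "__main__":
    db = {"alice": "correct horse"}
    print("vulnerable, any user + master pw:", vulnerable_login("mallory", "Adm1n-0verride", db))
    srv = BackendServer()
    srv.register("alice", "correct horse")
    print("hardened, master pw:", hardened_login("mallory", "Adm1n-0verride", srv))
    print("secret in vulnerable client:", client_embeds_secret(vulnerable_login, "Adm1n-0verride"))
    print("secret in hardened client:", client_embeds_secret(hardened_login, "Adm1n-0verride"))
```

The constant-pool check stands in for running `strings` or a decompiler over an APK: the vulnerable client's bytecode contains the master password, the hardened client's does not, and no input the attacker can type will make the hardened path succeed without a matching server-side record.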

The study also catalogued a second kind of hidden input validation: hardcoded lists of banned words, which the researchers call "blacklist secrets". "On many platforms, user-generated content may be moderated or filtered before it is published," Zhao said, adding that several social media sites, including Facebook, Instagram and Tumblr, already limit the content users are permitted to publish on those platforms.

"Unfortunately, there might exist problems -- for example, users know that certain words are forbidden from a platform's policy, but they are unaware of examples of words that are considered as banned words and could result in content being blocked without users' knowledge," he said.

"Therefore, end users may wish to clarify vague platform content policies by seeing examples of banned words," Zhao added.

Disclaimer: No Business Standard Journalist was involved in creation of this content
