Business Standard

Smartphone apps have 'backdoor secrets' for hackers: Study

Press Trust of India  |  New York 

A large number of cell phone applications contain hardcoded secrets allowing others to access private data, according to a study that may lead to new measures to improve smartphone cybersecurity.

According to the study, accepted for publication by the 2020 IEEE Symposium on Security and Privacy, apps on mobile phones may have hidden or harmful behaviours about which end users know little to nothing.

Researchers, including Zhiqiang Lin from the Ohio State University in the US, said mobile apps generally engage with users by processing and responding to user input.

Citing examples, Lin said that to prompt an action on their phones, users often need to type certain words or sentences, click buttons, or slide screens.

In the study, the researchers evaluated 150,000 apps: 100,000 based on the number of downloads from the Google Play store, the top 20,000 from an alternative market, and 30,000 from pre-installed apps on Android smartphones.

They found that 12,706 of those apps contained something the scientists called "backdoor secrets" -- hidden behaviours within the app that accept certain types of content to trigger behaviours unknown to regular users.

The researchers also found that some apps have built-in "master passwords," which allow anyone with that password to access the app, and any private data contained within it.

And some apps, they said, had secret access keys that could trigger hidden options, including bypassing payment.

"Both users and developers are all at risk if a bad guy has obtained these 'backdoor secrets,'" Lin said.

Motivated attackers could reverse engineer the mobile apps to discover them, he added.

Developers often wrongly assume reverse engineering of their apps is not a legitimate threat, added Qingchuan Zhao, another co-author of the study from the Ohio State University.

"A key reason why mobile apps contain these 'backdoor secrets' is because developers misplaced the trust," Zhao said.

To truly secure their apps, he said, developers need to perform security-relevant user-input validations and push their secrets on the backend servers.

"On many platforms, user-generated content may be moderated or filtered before it is published," Zhao said, adding that several social media sites, including Facebook, Instagram and Tumblr, already limit the content users are permitted to publish on those platforms.

"Unfortunately, there might exist problems -- for example, users know that certain words are forbidden from a platform's policy, but they are unaware of examples of words that are considered as banned words and could result in content being blocked without users' knowledge," he said.

"Therefore, end users may wish to clarify vague platform content policies by seeing examples of banned words," Zhao added.

(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

First Published: Wed, April 01 2020. 16:52 IST