Mobile apps come under the security microscope as research groups report major vulnerabilities.
This is turning out to be the week you learned your smartphone apps can be exploited by hackers. Three separate research groups revealed app security flaws that could turn Apple and Samsung devices into cyberintruders’ playthings — allowing them to take control of your phones’ cameras, microphones and GPS while stealing all your personal information and listening to your phone calls.
The only good news is that the attacks would have to be aimed at specific phones, and attackers are unlikely to target everyday people. The really, really bad news? German researchers last month found flaws that could affect every phone.
That’s right: there’s a vulnerability for everyone.
A flaw in the Swift keyboard that comes preinstalled on Samsung devices could leave 600 million phones vulnerable, security company NowSecure said Wednesday. The keyboard can’t be uninstalled, and replacing it with another keyboard app won’t fix the problem.
Researchers at Indiana University found that iOS apps containing malware could easily get past Apple’s scrutiny and onto its App Store.
Feeling cocky because you don’t use a Samsung or an iPhone? A team of researchers at the Fraunhofer Institute for Secure Information Technology and the Darmstadt University of Technology in Germany found that a host of apps available for all phones use faulty security protocols that could compromise your personal data.
For its part, Samsung has said it will roll out security updates in the next few days to repair the keyboard problem. Apple did not immediately respond to a request for comment on the Indiana University research.
The German research — which a Colombian software developer was able to reproduce, according to Reuters — revealed that many major apps do a poor job securing usernames and passwords. The research found 56 million unsecured data sets that included consumers’ personal information, according to a statement from the Fraunhofer Institute.
“The researchers found email addresses, passwords, health records and other sensitive information of app users, which may be easily stolen and often manipulated,” spokesman Oliver Kuch said in a statement last month.
Ryan Disraeli, a cofounder and vice president of fraud services at security company TeleSign, said the reality isn’t as dire as these reports suggest. Yes, attacks could happen, but “they’re not necessarily random attacks that will just hit anyone. There’s certainly targeted attacks on people who are valuable to hack.”
So ask yourself, are you a celebrity? A CEO? A contractor with access to superclassified government documents (hello, Edward Snowden)?
If not, hackers would probably need some other really good reason to attack your smartphone, Disraeli said.
Consumers should also ask themselves what, specifically, hackers might want from them. “Nobody cares about hacking photos from my phone,” Disraeli pointed out. “They want a celebrity.”
Correction, 5:06 p.m. PT: An earlier version of this story misstated Ryan Disraeli’s job title. He’s a co-founder and vice president of fraud services at TeleSign.