The race is on to crack a popular mobile app that has (perhaps idiotic) access to your personal information (contacts) and release the contacts list of millions of people. (Tangentially, it might be a very interesting data set to analyze. Consider building analysis tools ahead of the inevitable leak.)
The attack could come from an insider (compromising the app's development process) or from a hijacking / code-injection vulnerability in the app itself. For example, the app normally contacts an internet site to download information pertinent to the app. Hijack that site to return poisoned information which injects code to read and release every phone's contact list.
We need better ways of preventing such attacks. The ability to deny an app a permission even though it asks for it (on Android) would be a good first step. Another might be: once an app reads private information, it loses the ability to store state or access the internet for the rest of its run.
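To make the second idea concrete, here is an added example (not code from the original post, and not any real Android mechanism) of a toy capability monitor. It models both proposals: a user can deny a capability the app requested, and a session that reads private data (contacts) is marked tainted, after which network and storage requests are refused. All capability names and the app sessions are constructed for the example.

```python
"""Toy capability monitor: deny user-blocked permissions, and cut off
network/storage once an app has read private data in this session."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Cap(Enum):
    READ_CONTACTS = auto()
    NETWORK = auto()
    STORAGE = auto()
    CAMERA = auto()


@dataclass
class AppSession:
    name: str
    requested: set                                 # capabilities the app declared
    user_denied: set = field(default_factory=set)  # user overrides of the manifest
    tainted: bool = False                          # private data read this session?
    log: list = field(default_factory=list)        # (capability, decision, reason)


class Monitor:
    PRIVATE = {Cap.READ_CONTACTS}          # reading these taints the session
    EGRESS = {Cap.NETWORK, Cap.STORAGE}    # ways data could leave the phone

    def check(self, app: AppSession, cap: Cap) -> bool:
        """Return True if the request is allowed, recording the decision."""
        if cap not in app.requested:
            return self._deny(app, cap, "not requested by app")
        if cap in app.user_denied:
            return self._deny(app, cap, "denied by user")
        if app.tainted and cap in self.EGRESS:
            return self._deny(app, cap, "egress after private read")
        if cap in self.PRIVATE:
            app.tainted = True  # from now on, no network or storage
        app.log.append((cap, "allow", ""))
        return True

    @staticmethod
    def _deny(app: AppSession, cap: Cap, reason: str) -> bool:
        app.log.append((cap, "deny", reason))
        return False


def run_sequence(app: AppSession, caps) -> list:
    """Feed a sequence of capability requests through a fresh monitor."""
    mon = Monitor()
    return [mon.check(app, c) for c in caps]


def demo() -> dict:
    # Constructed app: asks for contacts, network and storage (but not camera).
    leaky = AppSession("leaky", {Cap.READ_CONTACTS, Cap.NETWORK, Cap.STORAGE})
    leaky_result = run_sequence(
        leaky,
        [Cap.NETWORK, Cap.CAMERA, Cap.READ_CONTACTS, Cap.NETWORK, Cap.STORAGE],
    )
    # Same app, but the user has denied the contacts permission outright.
    blocked = AppSession(
        "blocked", {Cap.READ_CONTACTS, Cap.NETWORK, Cap.STORAGE},
        user_denied={Cap.READ_CONTACTS},
    )
    blocked_result = run_sequence(
        blocked, [Cap.READ_CONTACTS, Cap.NETWORK, Cap.STORAGE]
    )
    return {"leaky": leaky_result, "blocked": blocked_result,
            "leaky_tainted": leaky.tainted, "blocked_tainted": blocked.tainted}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Order matters in this model: the first network request is allowed because nothing private has been read yet, but every network or storage request after the contacts read is refused, so an injected payload that reads contacts cannot ship them off the device within the same session. The user-denied variant never becomes tainted and keeps its network access because it never actually read the private data.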