Researchers Discover Hidden Behavior in Thousands of Android Apps

Thousands of mobile applications for Android contain hidden behavior such as backdoors and blacklists, a group of researchers has discovered.


With smartphones part of everyday life, millions of applications are used for a broad variety of activities, yet many of those apps engage in behaviors that are never disclosed to their users.


To uncover such behaviors, researchers from The Ohio State University, New York University, and CISPA Helmholtz Center for Information Security built a tool that detects “the execution context of user input validation and also the content involved in the validation,” and from that validation logic recovers the secrets an app compares user input against.


Called INPUTSCOPE, the tool was tested against more than 150,000 Android applications drawn from three sources: the top 100,000 apps on Google Play, 20,000 apps from an alternative market, and 30,000 pre-installed apps extracted from Samsung smartphone firmware.


“We find that input validation in mobile apps can be used to expose input triggered secrets such as backdoors and blacklist secrets, and that input-dependent hidden functionality is widespread in Android apps,” the researchers say in their whitepaper (PDF).


The research uncovered 12,706 applications (8.47%) containing backdoor secrets (secret access keys, master passwords, and secret commands that unlock admin-only functions), and 4,028 apps (2.69%) containing blacklist secrets (hard-coded keyword lists used to block content related to censorship, cyberbullying, or discrimination).


Among the backdoor secrets, INPUTSCOPE revealed access keys that open an application’s admin interface (allowing configuration changes unavailable to regular users), keys that allow the recovery or reset of other users’ passwords, and keys that can be used to obtain paid in-app services for free.
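As an added illustration that is not part of the original article and is not INPUTSCOPE’s own code, the following Python script mimics the idea the research describes on a constructed, decompiled-Java-like snippet: variables filled from a text field are marked as user input, and every place where that input is compared against a string literal (a backdoor-style secret) or checked against a hard-coded word list (a blacklist secret) is reported. The sample source, the regular expressions, and the helper and variable names are assumptions made for this example; the real tool analyzes compiled apps rather than matching source text with regexes, so treat this only as a sketch of the "input validation exposes the secret" pattern.

```python
import re

# Constructed sample of decompiled-Java-like lines (illustrative only, not real app code).
SAMPLE_SOURCE = """\
String pw = passwordField.getText().toString();
if (pw.equals("sup3r-s3cret")) { enableAdminPanel(); }
if ("m4ster-k3y".equals(pw)) { resetAnyUserPassword(); }
String user = nameField.getText().toString();
if (user.equals(storedUser)) { login(user); }
String msg = chatBox.getText().toString();
if (Arrays.asList("badword1", "badword2").contains(msg)) { drop(msg); }
if (version.equals("1.2.3")) { migrate(); }
"""

# A variable assigned from a text widget's getText() is treated as user input (taint source).
INPUT_SOURCE = re.compile(r'^\s*String\s+(\w+)\s*=\s*\w+\.getText\(\)')
# var.equals("literal")  -> user input compared against a hard-coded secret
EQUALS_LITERAL = re.compile(r'(\w+)\.equals\("([^"]*)"\)')
# "literal".equals(var)  -> same check written the other way round
LITERAL_EQUALS = re.compile(r'"([^"]*)"\.equals\((\w+)\)')
# Arrays.asList("a", "b").contains(var) -> user input checked against a hard-coded list
LIST_CONTAINS = re.compile(r'Arrays\.asList\(([^)]*)\)\.contains\((\w+)\)')


def find_input_validation_secrets(source: str) -> list[dict]:
    """Return the secrets that user-input-dependent validation exposes in `source`.

    Each finding records the line, whether it looks like a backdoor (single
    secret value) or a blacklist (list of blocked words), the tainted variable,
    and the literal content the input is compared against.
    """
    tainted: set[str] = set()
    findings: list[dict] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        src = INPUT_SOURCE.search(line)
        if src:
            tainted.add(src.group(1))
            continue
        # Comparisons against a literal: only interesting when the variable is user input.
        for var, literal in EQUALS_LITERAL.findall(line):
            if var in tainted:
                findings.append({"line": lineno, "kind": "backdoor", "var": var, "secret": literal})
        for literal, var in LITERAL_EQUALS.findall(line):
            if var in tainted:
                findings.append({"line": lineno, "kind": "backdoor", "var": var, "secret": literal})
        # Membership checks against a hard-coded list: the list itself is the blacklist secret.
        for literals, var in LIST_CONTAINS.findall(line):
            if var in tainted:
                words = [w.strip().strip('"') for w in literals.split(",")]
                findings.append({"line": lineno, "kind": "blacklist", "var": var, "secret": words})
    return findings


if __name__ == "__main__":
    for f in find_input_validation_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} via '{f['var']}' -> {f['secret']!r}")
```

Running the script on the constructed sample reports the two admin-style secrets compared against the password field and the two-word blacklist applied to the chat input, while ignoring the comparison of a version string that never touches user input and the comparison of user input against another variable rather than a literal.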


Additionally, the research identified hundreds of master passwords, as well as secret comm ..
