Hai Yun'an: Game of Interests, Offensive and Defensive Confrontation Behind APP Security Vulnerabilities

The number of mobile devices worldwide surpassed the world's population years ago. Statista data shows that global smartphone shipments were about 1.5 billion units in 2016 and are expected to grow to 1.71 billion by 2020; by 2018 the total number of mobile phone users worldwide will reach 2.53 billion, a quarter of them in China.

In China, as mobile Internet technology has extended into more and more fields in recent years, the number of APP applications has exploded, and a series of security vulnerabilities has gradually surfaced along with it.


Security risks brought by APP applications

The APP application market is very large. For the APP ecosystems of the two major operating systems, iOS and Android, it is difficult to estimate the number of users involved. At present, the two mobile platforms face similar security risks:


The Android APP security situation is urgent

Due to its open source nature, Android firmly holds first place among mobile systems in China. Because end users are usually more concerned with an application's functionality and usability, and security is hard to perceive intuitively, and because most users lack the professional knowledge to identify or detect problems, security has become the least important factor in how people use apps. Developers, for their part, are generally not optimistic about the security status of mobile APPs.

In a recent security assessment, an institution selected 892 popular Android apps in eight categories (finance, shopping, medical care, social networking, gaming, entertainment, transportation and travel, and life services) as samples and evaluated them for security risks and vulnerabilities. It found that 65% of the apps tested had at least one high-risk vulnerability, with an average of 7.32 vulnerabilities per app; entertainment apps were the hardest hit, with nine out of every ten containing at least one high-risk vulnerability; and as many as 88% of financial apps leaked sensitive data in memory.

From the user's point of view, the survey found that as many as 70% of users do not know whether they have suffered personal information leakage through mobile APP security vulnerabilities. Android APP vulnerabilities nonetheless cause real losses to many users. One example is a previously disclosed Android vulnerability, "Parasitic Beast": using it, attackers can directly implant Trojans into users' phones, steal personal data such as text messages and photos, and even steal account passwords for banks and Alipay.

Is the iOS system really safe?

Although Apple has its own operating system and, thanks to its closed nature, strong security, it has not been spared APP security vulnerabilities. As early as 2014, Ariel Sanchez, a researcher at IOActive Labs, tested 40 mobile banking apps on Apple's iOS platform. The results showed that almost none of these apps implemented basic security protection measures, so security breaches could appear at any time.

While iOS gives users more security and privacy protection mechanisms, vulnerabilities targeting iOS also show an increasing trend year by year. In the past year Apple has released 12 iOS version updates (the current version number is 10.3.3), fixing a total of 338 security vulnerabilities, including 30 kernel vulnerabilities and 106 WebKit code execution vulnerabilities. Many of them are high-risk, and for some the complete exploit code has been disclosed; such exploits can directly obtain the highest system privileges and seriously threaten the security of users.

Apple's developer website shows that since its release in September 2016, 87% of iOS users worldwide have upgraded to iOS 10, but no version-by-version distribution is given. As noted above, failing to update minor versions promptly still leaves users exposed to serious security threats.


Table 2. Statistics on release time and number of bug fixes for each version of iOS 10

The beneficiaries behind APP security vulnerabilities

Behind this endless stream of APP risk and vulnerability incidents, are there groups in the industry chain that benefit?

A complete APP ecosystem industry chain involves developers, mobile phone manufacturers, application promotion and operation service providers, mobile advertising, application markets and other links. Many black industry chains rely on APP risks and vulnerabilities to make money, and their driving force is profit.


Hai Yun'an's analysis holds that three types of groups take part in the chain of interests behind APP security vulnerabilities:

1. Some APP outsourcing development service providers

The rapid rise of APPs has created a large demand for APP development. Considering cost, most companies choose to outsource to obtain the APPs they need. Because the client (Party A) pays no special attention to security, development companies will not invest much cost or effort in secure development; after all, it is Party A that ultimately pays the bill. This makes security problems likely to occur.

In addition, to cut costs and deliver quickly, many outsourced development service providers directly exploit APP vulnerabilities to obtain the core code and assets of a target APP and then produce imitations at very low cost. This utilitarian mindset also leaves developers indifferent to the security issues of APP vulnerabilities, and some developers even embed viruses and malicious programs directly in the APP, distribute it maliciously, and profit from it.

2. Packing Party

It has been disclosed that at the Packing Party's peak, a team of 10 people could make a net profit of 1.5 million yuan a month from virus repackaging, that is, a net monthly profit of 150,000 yuan per person.

Packing parties are generally individuals or small developer teams who specialize in finding popular applications, exploiting APP vulnerabilities to crack them, inserting the content they want to distribute after unpacking (such as viruses, advertising links, or malicious programs such as fee-deducting instructions), then reassembling these "secondarily packaged" pirated copies and re-releasing them to application markets, after which they can sit back and count the proceeds.

The packing party is a typical beneficiary of APP vulnerabilities, a "black group" spawned by a security status quo of low cracking thresholds and large numbers of risk vulnerabilities. Once a user is caught, the loss is not only traffic and phone charges but also an immeasurable amount of personal information.
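The unpack, inject, re-sign and re-release cycle described above leaves file-level traces that an app market or publisher can check before a build is distributed. As an added example (not Hai Yun'an's code), the Python below diffs a candidate APK against the publisher's baseline build and flags added or modified entries and replaced signing files; the two archives are constructed in memory to stand in for real APKs.

```python
import hashlib
import io
import zipfile

# Constructed sample archives standing in for a publisher's original APK and a
# repackaged copy; real APKs would be opened from disk with zipfile.ZipFile(path).
def build_apk(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

ORIGINAL_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00original-bytecode",
    "META-INF/CERT.RSA": b"publisher-signature-block",
    "META-INF/CERT.SF": b"publisher-signature-file",
    "META-INF/MANIFEST.MF": b"publisher-manifest",
})

REPACKAGED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00original-bytecode+injected-ad-sdk",
    "assets/payload.bin": b"injected-extra-asset",
    "META-INF/CERT.RSA": b"repackager-signature-block",
    "META-INF/CERT.SF": b"repackager-signature-file",
    "META-INF/MANIFEST.MF": b"repackager-manifest",
})

def entry_digests(apk_bytes):
    """Map every archive entry to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}

def compare_apks(baseline_bytes, candidate_bytes):
    """Diff a candidate APK against the publisher's baseline build.
    Changed META-INF entries mean the package was rebuilt and re-signed."""
    base, cand = entry_digests(baseline_bytes), entry_digests(candidate_bytes)
    added = sorted(set(cand) - set(base))
    removed = sorted(set(base) - set(cand))
    modified = sorted(n for n in set(base) & set(cand) if base[n] != cand[n])
    changed = added + removed + modified
    return {"added": added, "removed": removed, "modified": modified,
            "resigned": any(n.startswith("META-INF/") for n in changed),
            "repackaged": bool(changed)}

if __name__ == "__main__":
    print(compare_apks(ORIGINAL_APK, REPACKAGED_APK))
```

A baseline compared with itself reports nothing changed; the repackaged copy reports the injected asset, the modified classes.dex and the replaced signing files.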


3. The mobile Internet information black industry

As the channels of information exchange gradually shift to the mobile Internet, a large number of information black industry chains have also begun moving into the mobile Internet field.

Most mobile black industry attacks are carried out by exploiting the many risk vulnerabilities in mobile APP systems: cracking and hijacking the application front end, combined with attacks on communications and back-end servers. Compared with traditional database-dumping attacks, mobile attacks focus more on sensitive targets such as mobile payments and personal property. At the same time, the attacks are highly covert and hard to detect, which greatly threatens the healthy operation of enterprise mobile business.


Hai Yun'an's mobile information security engineers believe that current mobile black industry attacks mostly exploit APP vulnerabilities, implanting Trojan viruses to hijack devices into "broilers" (bots) and turn apps into zombie apps, then carrying out traffic and data theft, committing fraud and generating large volumes of fake activation data. At the same time, traffic distribution for illegal applications (fee-deducting, pornography and gambling apps, and Trojan viruses), theft schemes, and "wool party" promotion abuse are also mostly realized by using vulnerabilities to hijack or repackage applications. This shows that mobile APP security vulnerabilities are undoubtedly a "sweet pastry" in the eyes of black industry practitioners.

Large amounts of illegally obtained personal sensitive information are then resold through other channels to intermediary markets such as lending, real estate and education for telemarketing bombardment, or used for further telecom fraud.

For mobile black industry practitioners, why would they not pursue an industry chain that offers multiple benefits and steady profits with no risk of loss?

Offensive and defensive security: how to respond correctly?

Like the two sides of a mirror, the rise of every new industry inevitably brings a corresponding "black and gray industry chain". For enterprises that aim to use the mobile Internet for rapid growth, the only way to deal with emerging mobile security risks and vulnerabilities, and the business attacks that follow, is to pay more attention to prevention and respond actively.

It is worth noting that, as attack methods keep multiplying, APP security vulnerabilities are no longer limited to the decompilation seen in the past. According to a Hai Yun'an mobile information security engineer, "APP risk vulnerabilities have gradually extended from vulnerabilities in a single application to communication protocol vulnerabilities, network interaction protocol attacks, network proxies, anti-fraud evasion and other series of security vulnerabilities covering the entire mobile business system. So when it comes to proactive response, a single security defense may not be smart enough."

From the perspective of the security of the whole mobile business, only integrated security protection covering the entire mobile business system can be regarded as a practical and effective security strategy for an enterprise.

Hai Yun'an is a professional mobile information security service provider in China. With a number of industry-leading security technology products and expert-level integrated security service solutions, it provides mobile security protection for WeBank, Ping An Bank, Evergrande Group, Rainbow Group, SF Express Yun and many other well-known financial institutions, government bodies, and large and medium-sized enterprises and institutions, and provides professional technical support to authoritative security agencies such as the State Information Center, the Ministry of Public Security and the State Administration of Work Safety.


Origin http://43.154.161.224:23101/article/api/json?id=326363978&siteId=291194637