Giancarlo Pellegrino

Giancarlo Pellegrino

A team of cyber security researchers from the CISPA Helmholtz Center for Information Security in Saarbrücken, Ohio State University and New York University has discovered that many mobile apps are hiding special functions from users that can allow hackers to compromise users’ and mobile app infrastructure security.

In a large-scale study, a team of cyber security researchers, including CISPA-Faculty Giancarlo Pellegrino, identified severe security issues in several mobile phone apps. These are not typical vulnerabilities that were inadvertently introduced by the programmers. “These problems look very intentional. Many of these functionalities that are hidden or covert to the user,” explains Pellegrino. “They allow others to access private data or block content provided by users”.

150,000 apps were evaluated for this study. The 100,000 most downloaded apps from the Google Play Store were examined. In addition, the 20,000 most downloaded apps from an alternative app store and 30,000 pre-installed apps on various Android smartphones were also included.

The research team found that 8.5 percent of the apps (12,706 apps) contained something that could be described as a “backdoor secret”. “In other words, functions of the mobile apps that are hidden from users and can be activated with special sequences or actions,” explains Pellegrino. The researchers also found that some apps have built-in “master passwords”. These allow anyone who has them to access the app and any private data it contains. Some apps, in turn, have secret access keys that trigger hidden options. “Among the other things, we also found administrator interfaces that can be activated with secret sequences of keys to bypass payments”, Pellegrino explains and added. “These are not easter eggs, but functionalities that can override expected security mechanisms. For example, we found apps that allow to unlock data with a master password that is hardcoded in the app.”

“Both users and developers are all at risk if criminals get hold of these ‘backdoor secrets,’” says Ohio State University Professor Zhiqiang Lin in an elaborate article on the university’s website, The Ohio State University News. Attackers could reverse-engineer the mobile apps to decrypt them.

Qingchuan Zhao, research assistant at Ohio State and lead author of this study, said developers often mistakenly assume that reverse engineering their apps would not pose a threat.

The team also found another 4,028 apps (2.7 percent) that blocked content with certain keywords subject to censorship, cyberbullying or discrimination. The researchers were not surprised that apps could restrict certain content. The way they did it, however, was, Professor Lin explains in the detailed report on the university’s homepage. “We also found apps enforcing censorship, where specific list of words, e.g., political parties or political figures are forbidden to be used in text”, says Pellegrino.

The research team has developed an open source tool called InputScope, which is designed to help developers understand vulnerabilities in their applications and show that the reverse engineering process can be fully automated.

Other authors of this work are Chaoshun Zuo, also Ohio State, and Brendan Dolan-Gavitt, New York.

The study was accepted for publication at the IEEE 2020 Symposium on Security and Privacy in May. Due to the coronavirus pandemic (COVID-19), the conference has been moved online.

Giancarlo Pellegrino

Giancarlo Pellegrino