Smartphone apps need securing at the software development stages

The handsets could be hijacked using malware as they have now become as advanced as computers, say experts.

Researchers at Rutgers University have developed a proof-of-concept rootkit that can be ported to multiple smartphone operating systems, such as those of the Apple iPhone and Google Android, and that allows hackers to remotely turn on the GPS function and remotely enable the phone's microphone.

Rootkits, which have been around on PCs since the mid-1990s, are notable for masking their own existence on the computer, and can be installed via e-mails that trick users into opening attachments.

"Smartphones are essentially becoming regular computers," said Vinod Ganapathy at Rutgers University in New Jersey. "They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack."

"What we're doing today is raising a warning flag," said fellow researcher Liviu Iftode. "We're showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defences", he added.

Fortunately for the many hundreds of millions of smartphone users around the world, the researchers concede it is much harder to slip rootkits into smartphones – which tend to have strict rules on non-approved code being installed.

According to Richard Kirk, European director with application vulnerability specialist Fortify Software, with the rootkit, the researchers have developed a full-blown hacker code methodology that allows all the features of a smartphone to be turned over to a hacker's control.

"And just like a compromised desktop PC, all the operations of the hacked smartphone can be used for all manner of hacking purposes, including data theft, botnet swarming, distributed denial of service attacks and even remote automated mass hacking of critical national IT systems infrastructures", he said.

Kirk added that desktop software secure code development strategies have evolved to ensure that desktop systems software cannot normally be compromised by this type of hackery.

But, he noted, smartphone code developers – owing to the relative youth of their industry – have had no similar pressures imposed on them, as smartphones have always been viewed as a less powerful computing option.

All that changes, he explained, with the evolution of rootkits for smartphones, as it means that hackers can assume control over a handset that is every bit as powerful as a computer of just a decade ago.

"As the Rutgers University scientists say – as the population of mobile devices increases, there will be an increasing interest in attacking these devices – this means there is a rising security risk from operating system-driven smartphones", said Kirk.

"With hundreds of millions of these devices in active usage and the majority of them wirelessly connected, you can see the potential scale of the problem. Code developers must wake up to this pressing security issue and adopt secure code development practices, such as regular security testing, at the earliest available opportunity", he added.
