The government is asking the IT sector to address security weaknesses in app stores used by millions to add functionality to their smartphones, tablets, and other internet-connected devices.
While apps provide a convenient way for consumers to download new features to their devices, research from the National Cyber Security Center (NCSC) has highlighted the risk of using scam apps that contain malicious malware created by cybercriminals, or bad apps. developed that can be compromised by hackers who take advantage of weaknesses in the software.
The UK app market is worth £18.6bn, but there are few rules governing the security of the technology or the online stores where the apps are sold. Attacks can occur through official app stores that are supposed to vet apps and third-party app stores, and where apps are downloaded directly to devices via unofficial or jailbroken backdoors device security measures.
“Devices and the apps that make them useful are becoming more essential to people and businesses, and app stores have a responsibility to protect users and maintain their trust,” said NCSC Chief Technical Officer Ian Levy. . “Our threat report shows that app stores have more to do, as cybercriminals are now using app store weaknesses across all kinds of connected devices to cause damage.”
While most apps are for mobile devices such as smartphones and tablets, the NCSC App Store Threat Report discussed a number of studies covering the weakness of app and app store security on Internet of Things (IoT) devices and PC and gaming console platforms.
One notable piece of research came from security researchers at North Carolina State University and Ruhr University Bochum, who in 2021 found that of the 90,194 Alexa skills they analyzed, 358 skills were capable of requesting information that should be protected by security. a permission application programming interface. (API).
While it is not known if this has been used for malicious purposes, the NCSC report noted that the lack of a permissions API could be a potential attack vector, with the ability to publish a skill under any developer name, going by stop permissions APIs and retrieving -Change final code after approval to trigger latent intents.
Samsung’s app store for its smart TVs is another example cited by the NCSC. In 2017, a security researcher revealed that he had discovered 40 zero-day vulnerabilities in Tizen, an operating system developed by Samsung for use in smart TVs, smart watches, and mobile devices. The most critical of the vulnerabilities affected the Tizen Store, the app store used on devices running Tizen. This vulnerability allowed remote code execution, through which the researcher was able to send malicious code to his Samsung TV, the NCSC warned.
The UK government has launched a call for views from the tech industry on enhanced security and privacy requirements for app stores and app developers. Under the new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out basic security and privacy requirements. The proposed code would require stores to have a vulnerability reporting process for each app so that flaws can be found and fixed faster. They would need to share more security and privacy information in an accessible way, including why an app needs to access a user’s contacts and location.
“Apps on our smartphones and tablets have improved our lives immensely, making it easier to bank and shop online and stay in touch with friends,” said Cyber Security Minister Julia Lopez. “But no app should put our money and data at risk. That’s why the government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age.”