Mobile applications may be dangerous

That’s a question that I have been asking myself for quite a while. How dangerous can a mobile application be? How can it be made more dangerous? Or less dangerous?

Here’s a grab bag from the Internet today. First, the good side, with two Microsoft articles pointed out by Bruce Schneier:

  • The first one is about the authorization dialogs that we face when an application, native or web-based, requires us to take a decision. I was discussing recently with a colleague the fact that these dialogs are sometimes very technical, and that most people are likely to take a decision based on the reputation of the developer or on their eagerness to see the application work. The article is very interesting, and it highlights the value of graphical interfaces with icons. It also serves as a reminder that security is often about getting the user to understand what it is about.
  • The second one is a bit more specific, and looks at how we can allow an application to use device sensors, and in particular cameras. Once again, the trick is to make sure that the user is aware of the use that an application makes of a sensor, in particular when it may violate the device owner’s privacy.

These works are interesting, and show that Microsoft cares about these issues. However, since they are advanced research works and they are not very conclusive, they also show that the road to good security interactions is going to be long and bumpy.

On the bad news side, there seems to be a surge in fraudulent premium SMS’s (in French). This time, apparently, the fraudsters are sending an SMS that contains a URL; this URL points to a Web page that opens in a browser, and one of the links on this page triggers the sending of a multimedia message to the victim’s mobile, which is billed 4,50€. I haven’t seen the thing directly, so I don’t fully understand it. However, I am a bit curious about the code of this Web page, because I don’t know how a simple click can cost me 4.50€ without me entering any data, and without a direct link to my operator.

Maybe the solution is in another piece of news. Orange is making some effort to attract developers with APIs, and these APIs seem to cover messaging among other things. However, looking quickly at the definition, I did not find a way to bill the user.

All of this leads us to an interesting and potentially dangerous future. With BONDI and the like, the boundary between local and web-based applications is going to become very blurry, and all these applications will be able to use and abuse a lot of sensors and billing systems.

I think that I’m going to look into the static analysis of JavaScript one of these days. And all this research on security user interfaces is really becoming important.
