Mobile app secrets pose a security threat to end users and developers.

There are newly discovered behaviors and secrets in many mobile apps that end users don’t know about which can be used to access private information.

A cybersecurity team at Ohio State has been doing research regarding the ways private data could be accessed in mobile applications. An article from EurekAlert reveals that the group uncovered “backdoors” that hackers could use as a way into apps containing personal information. Other hidden behavior includes blocking content that is considered sensitive or inappropriate.

The cyber team selected 150,000 apps from multiple mobile markets and found the “backdoor secrets” in 12,706 of them. It is not a surprise that our private information can be hacked. What is surprising is that the developers of these apps allow these backdoors to happen and the end users have no knowledge of it. The hidden behaviors can be triggered by specific user inputs, like passwords or touch screen actions. Reverse engineering allows hackers to uncover these behaviors and use them to their advantage. In order to prevent this, developers have to cover all their bases when it comes to user-input validations. According to Qinqchuan Zhao, a graduate assistant, developers do not worry about the possibility of reverse engineering because it does not seem plausible enough as a risk.

Besides just hacking into private information, over two percent of the apps use specific inputs to limit content. The shocking part is that the content is “validated locally, not remotely”. Users could be unaware of the certain keywords that are banned from apps and social media platforms, resulting in having their content modified or deleted, or their accounts suspended. Most of us know the general topics forbidden on websites like Facebook and Instagram, but there are many more forbidden actions that are not as widely known.

To help combat these issues, the research team developed an open source tool called InputScope. The goal of the tool is to assist developers in spotting vulnerabilities in their apps, as well as illuminating the possibility of reverse engineering as a way into their backdoors. This year the study will be published by the 2020 IEEE Symposium on Security and Privacy in May.


Read more about this topic at the American Association for the Advancement of Science’s site EurekAlert.

To find more interesting IT articles, visit our blog.