• Total Posts: 28017
  • Total Topics: 8050
  • Online Today: 790
  • Online Ever: 51419
  • (01. January 2010., 09:27:49)

Author Topic: Poor Mobile App Back-End Security Coding Puts Consumer Info at Risk  (Read 220 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 710
  • KARMA: 114
  • Gender: Male
  • Pez
Poor Mobile App Back-End Security Coding Puts Consumer Info at Risk

Mobile apps are convenient and easy to use, but sometimes the developers do not put enough focus on the back end. Big Internet companies, such as Amazon, Facebook, and Google, provide back-end services for many apps with secure data storage and data management features, but it is up to the app developer to implement access to those services with security in mind.

Earlier this year, McAfee Labs teamed up with Technische Universität Darmstadt and Fraunhofer SIT to explore the back-end exposure of two million mobile apps. We found that they are often insecure, allowing unauthorized access to their associated cloud storage, including full names, email addresses, passwords, photos, financial transactions, and health records. This information could be used for identity theft, malware distribution, and financial fraud.

According to the November 2015 McAfee Labs Threats Report, some mobile app developers do not follow the documentation and security guidelines provided by the back-end services. Because most mobile apps have a secret key embedded in the app, one of the most important recommendations is to use a different channel for important data record manipulation from the basic app activity. Otherwise someone with minimal technical knowledge can readily extract the key and read, update, or delete records.

Ironically, some malware-carrying mobile apps also do not follow the security guidelines of the back-end services they use, enabling our researchers to investigate their malicious activities. We analyzed 294,817 mobile malware apps and found 16 using poor security coding practices when connecting to the popular Facebook Parse back end. These were associated with two mobile banking Trojan families, Android/OpFake and Android/Marry. Facebook has been notified, and these accounts have been shut down.

We decompiled and analyzed these Trojans to understand how they operate and what information they gather. After installing, typically from a malicious link in a text message purporting to be from a popular Russian instant-messaging app, the malware hides its icon and starts a service in the background to intercept SMS messages and send user information to its control server. Malware agents used the back-end service to queue up and manage commands for each infected phone, waiting for SMS messages from banking apps that they could modify and reuse.

During June and July, just these two malware families intercepted almost 170,000 SMS messages, most of them personal, impacting the privacy of those infected. However, within these messages were a number of banking transactions such as querying credit card numbers, account balances, and making fund transfers. More than 20,000 malware commands were executed during this time, mostly for financial fraud.

By counting the number of unique device identifiers in the malware data store in the back-end service, we determined that almost 40,000 users were affected by these two Trojans.

The take-away from this investigation is to be very careful with the mobile apps that you download onto your phone. Because it is very difficult to know how secure a particular app’s back-end implementation, we recommend that you stick with well-known apps with third-party security validation. Also, either avoid rooting your device or make sure to unroot it after using any necessary admin privileges, as the malware often abuses privileged access to silently install apps without consent.

For more information on mobile app vulnerabilities, please visit

Original article:
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising