The government is urging the IT sector to address security vulnerabilities in app stores used by millions to add functionality to their smartphones, tablets and other devices connected to the Internet.
While apps provide a convenient way for users to download new functionality to their devices, research by the National Cybersecurity Center (NCSC) highlights the risk of using fraudulent apps that contain malicious software created by cybercriminals or poorly designed apps that may be compromised by hackers exploiting software vulnerabilities.
The UK app market is worth £18.6 billion, but there are few rules governing the security of the technology or the online stores where apps are sold. Attacks can occur through official app stores that are supposed to check apps, through third-party app stores, and where apps are downloaded directly to devices via informal back doors or by jailbreaking the device's security measures.
“The devices and applications that make them useful are increasingly important to people and businesses, and application stores have a responsibility to protect consumers and maintain their trust,” said NCSC Technical Director Ian Levy. “Our threat report shows that app stores can do more, with cybercriminals currently using vulnerabilities in app stores on all types of connected devices to cause harm.”
While most applications are for mobile devices such as smartphones and tablets, the NCSC's threat report on app stores discusses a number of studies covering weaknesses in the security of applications and application stores for Internet of Things (IoT) devices and platforms for computers and game consoles.
One notable study comes from security researchers at North Carolina State University and Ruhr University in Bochum, who in 2021 found that of the 90,194 Alexa skills they analyzed, 358 skills were able to request information that should be protected by the permission API.
Although it is not known whether this was used for malicious purposes, the NCSC report notes that the lack of a permission API can be a potential vector of attack, with the ability to publish a skill under any developer name, bypass the permission API, and make back-end code changes after approval to trigger dormant intents.
Samsung’s app store for its smart TVs is another example cited by NCSC. In 2017, a security researcher revealed that he had discovered 40 zero-day vulnerabilities in Tizen, an operating system developed by Samsung for use in smart TVs, smart watches and mobile devices. The most critical of the vulnerabilities affected Tizen Store, the app store used on Tizen devices. This vulnerability allows remote code execution, through which the researcher was able to pass malicious code to his Samsung TV, warned NCSC.
The UK government has invited input from the technology industry on improved security and privacy requirements for app stores and app developers. Under the new proposals, app stores for smartphones, game consoles, TVs and other smart devices may be asked to commit to a new code of practice setting out basic security and privacy requirements. The proposed code will require stores to have a process for reporting vulnerabilities for each application so that deficiencies can be detected and corrected more quickly. They will need to share more security and privacy information in an accessible way, including why an application needs access to the user’s contacts and location.
“The applications on our smartphones and tablets have improved our lives tremendously, making it easier to bank and shop online and keep in touch with friends,” said Cyber Security Minister Julia Lopez. “But no application should put our money and data at risk. That’s why the government is taking action to ensure that app stores and developers raise their security standards and better protect UK consumers in the digital age.”