Imagine a scenario in which a game X installed on your mobile device wants to access your account information from social network Y. Assume that Y exposes some API and has features like "login with Y" etc. On a desktop PC, X could pop up a new browser window, with the domain of Y clearly shown in the address bar and a padlock icon clearly indicating an SSL connection, and in this popup social network Y would ask the user to provide login, password, and agreement to pass some information (like name, avatar, e-mail) to application X. For example, OAuth 2 uses this approach.
In my opinion, on mobile the situation is rather different, as application X can take control of the whole screen. In particular, it can draw on the device's screen something that is indistinguishable from a real browser and hijack the login and password provided by the user.
How can one combat malicious applications which cover the whole screen and pretend to be browsers, or even the OS's settings windows, etc.?
There is no technological defense against this even on the desktop. It's trivial to mimic the look of a browser and draw a green SSL lock into a fake address bar. Or you can simply include a key logger with your application to get passwords entered in any application on the same system.
For mobile applications, including a key logger is harder. Drawing a convincing fake browser window is easy. An additional defense is the review process of an app store. An official app store as the only source of trusted apps mitigates problems like this to a certain extent. While malicious apps can slip through any review process, they can be removed once they are discovered.
How about: double-click the home button so you see the app names?