BBC News builds data-stealing app for iPhones
BBC demonstrates that smartphone spyware-ridden application are easy to make
By Anh Nguyen | Computerworld UK | Published: 12:26, 10 August 2010
BBC news has created an application for smartphones that steals users’ data to demonstrate how “straightforward” it is to develop a malicious app.
With the help of security firm Veracode, BBC News designed a “crude” game that was able to collect contacts information, copy text messages, log the phone’s location and send it to a specified email address.
It took just a few weeks to create the spyware-ridden application, according to BBC technology correspondent Mark Ward, and the application was only downloaded onto a single handset and not launched in an application store.
Related Articles on Techworld
BBC News built the application using standard parts from a common development software toolkit used to create programs for mobiles, and re-worked existing code.
“The end result was a program that does not look great but gets the job done.”
Ward said that the spyware used 250 lines of the 1,500 lines making up the application.
“All of the information-stealing elements of the spyware program were legitimate functions turned to a nefarious use,” Ward wrote.
Chris Wysopal, co-founder of Veracode, told the BBC: “That’s the scary thing.
“The face of the application, be it a game or a simple application that is for fun, can have behaviour that is not visible at the surface.”
According to the BBC, Apple vets all its applications and only admits into its App Store those that pass stringent commercial and coding tests.
Meanwhile, Google requires all Android applications to have an AndroidManifest.xml file in its root directory. Amongst other details, the manifest contains essential information about the application that the system must have before running the application’s code, and describes the components of the application, including its activities and services.
In addition, Google and Research In Motion (RIM) use a code-signing system to turn off malicious applications.
Although the BBC has demonstrated how easy it is to create a malicious application, Forrester has warned businesses to carefully review the pros and cons of developing an app, taking into consideration hidden development costs, before jumping on the app bandwagon.
