Recently we see allegations that CarrierIQ is quietly collecting more information than Android users bargained for. In one case, Trevor Eckhart thinks he proved that they register users’ keystrokes without the users’ knowledge for reasons subject to ongoing speculation. We certainly had no trouble finding the CarrierIQ software on an HTC phone, where it possessed factory-installed permissions to access a wide range of data, only some of which is listed in this screenshot we recorded.
There have also been recent examples of mobile malware which seek to record user-generated key presses (among other things) and report it back to the mothership. With this type of data being gathered without the knowledge of the user, it begs the question: are we ready, security-wise, for pervasive mobile banking and payment apps?
The proponents of mobile banking proponents parade lists of compelling reasons for adoption: ease of use, low cost, flexibility, etc. Certainly, it costs far more money for a teller to be physically present at a bank location and present that smiling face, than just having a user download an app. If mobile apps can replace part of that in-person functionality, there is a direct impact to the bottom line. But will users trust that their banking information won’t be subject to recording and secretly spirited away to parts unknown when they type, tap, or otherwise input it? And what if that same data becomes a victim of data sprawl leakage as more third parties become involved further down the line?
Similar technology issues could also pose problems for online purchases made from the device. Even traditional, respected online retailers could be affected if customers perceive it’s unsafe to purchase and download .mp3’s for example.
Enterprise IT infrastructures have long wrangled with how to lock down mobile devices that need to touch corporate resources. Keylogging apps could possibly record corporate credentials as they were typed in, creating a potential security headache. Though the ability to communicate off-hours is increasingly important in the corporate environment, it can’t come at the expense of security.
Google's adoption of a more open approach to apps has been a boon for market traction for the Android platform, sprinting past other handheld ecosystems in the process. But can a cohesive security stance survive the app sprawl? In light of the myriad opportunities for third party app developers' to add security holes to the stack, either on purpose or inadvertently, the package as a whole may start to cause concern.
If app companies know they may have access to payment card information, will the Payment Card Industry (PCI), along with a host of other alphabet soup organizations related to personal information collection, storage and chain of custody take note? PCI tends to get very concerned if a vendor is storing, sharing, or exposing payment card information. Other industry oversight organizations may have questions as well (for example, does logging banking data in the process of doing mobile phone diagnostics violate Gramm-Leach-Bliley). It may be speculation to assume attempts at logging user-generated information would necessarily be nefarious, but many users might be happier if they had the option to opt-out should they feel concerned. If users had full disclosure for what is happening, they would be better able to make informed choices.
In the meantime, it might be a good practice to use a land line phone when interacting with your bank, or making purchases, until the mobile banking apps have had a little more time to mature. Once we see some strong record of secure purchases on the platform we can have more confidence, but do you want to be a test case in the meantime? While the technology is maturing it would still be unnerving to find yourself victim of some credit card harvesting scam, right from your mobile device. There are enough other scams out there, it might be wise to play it safe for a little while and see how this develops.
Author Cameron Camp, ESET