Counterfeit devices are now a threat that app developers cannot afford to ignore. Why?
First of all, these devices deliberately misreport key characteristics that apps depend on, such as the OS version. Device features that an app relies on will not work as expected, and the app will misbehave, leading to complaints in the app store about bugs and poor performance.
Finally and most importantly, these devices are a veritable viper’s nest of malware, backdoors and security issues.
A recent deep analysis by security experts Trail of Bits found that counterfeit phones contain countless unpatched cybersecurity vulnerabilities in addition to pre-installed Remote Access Trojans, full command and control servers and invasive analytics packages. Trail of Bits found that all counterfeit devices examined contained malware and rootkits.
It’s not difficult to imagine the kinds of problems that become possible:
- A banking app running on a counterfeit device endangers both the customer's account and the bank's backend infrastructure. The responsible thing for an app to do in this situation is to notify the user and not allow a login to occur.
- A second factor authentication app running on a non-authentic phone decreases enterprise security. An authentication app should not let itself run on such a device since it would be working against its core purpose.
So app developers can no longer assume that the platform they are running on is safe in this new reality. Merely trusting that a device is what it says it is is a naïve approach in the era of fake everything. Unwitting users can’t tell the difference between real and fake—so app makers need to step up and take on this responsibility.
Three parallel trends are now increasing the threat of counterfeit devices:
- They are getting much better—a modern counterfeit phone is almost indistinguishable from its authentic counterpart. Most users cannot tell the difference until it’s too late.
- They are becoming easier to get—they are just a click away from your favourite online e-commerce platform or local classified ads site, delivered in just a few days by a trusted delivery company.
- They are becoming more dangerous—malware is now part of the business model of counterfeit device manufacturers.
What can be done?
Ensuring the authenticity of the device that an app is running on is a very good first step for controlling security risks and protecting customer privacy—if a device really is what it claims to be, the chances of security issues and data leaks are much reduced. App makers have a duty to themselves and to their customers to protect against the dangers of non-authentic devices.
Good developers don’t let their apps run on bad devices.
DeviceAssure can equip app makers with the information to make smart decisions about the device provenance and decide the best course of action.
Don’t blindly trust mobile devices – verify them.
Here’s our recent presentation from Black Hat USA, where our CTO discussed the potential threats that lurk within counterfeit smartphones. Contact us for more information on our solution.