Threat Category: Mobile Application Store
ID: ECO-16
Threat Description: App developer’s credentials typically have permission to push app updates to the respective app store. If these credentials are somehow obtained by an attacker, they could replace the genuine application with a version embedded with malware.
Threat Origin
Keep out hijackers: Secure your app store dev account 1
Exploit Examples
Major security hole allows Apple passwords to be reset with only email address, date of birth (update) 2
CVE Examples
Not Applicable
Possible Countermeasures
Use app-vetting tools or services to determine that apps appear free of malicious behaviors or vulnerabilities prior to authorizing their use.
To decrease the time to detection for malicious apps, use app threat intelligence services to detect malicious apps installed on devices
Educate end users to scrutinize the permissions requested by apps, particularly if an updated version requests significantly different permissions than previous ones.
Mobile App DeveloperTo reduce the potential for an attacker to impersonate you to official apps stores, follow best practices to protect your developer accounts, such as using multi-factor authentication. 3 4
To reduce the potential for an attacker to craft malicious apps that validate against your developer account, follow best practices to protect cryptographic signing material for applications 5
Mobile Device UserTo decrease the time to detection for malicious apps, use Android Verify Apps feature.
References
G. Gruman, “Keep out hijackers: Secure your app store dev account,” InfoWorld, 5 Dec. 2014; www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html ↩
C. Welch, “Major security hole allows Apple passwords to be reset with only email address, date of birth (update),” The Verge, 22 Mar. 2013; www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth ↩
Protect your developer account, Google, 2016, https://support.google.com/googleplay/android-developer/answer/2543765?hl=en [accessed 8/25/16] ↩
Security and your Apple ID, Apple, 2016, https://support.apple.com/en-us/HT201303 [accessed 8/25/16] ↩
Secure Your Private Key, in User Guide, https://developer.android.com/studio/publish/app-signing.html#secure-key [accessed 8/25/16] ↩