Threat Category: Mobile Application Store
Threat Description: App developer’s credentials typically have permission to push app updates to the respective app store. If these credentials are somehow obtained by an attacker, they could replace the genuine application with a version embedded with malware.
Keep out hijackers: Secure your app store dev account 1
Major security hole allows Apple passwords to be reset with only email address, date of birth (update) 2
Use app-vetting tools or services to determine that apps appear free of malicious behaviors or vulnerabilities prior to authorizing their use.
To decrease the time to detection for malicious apps, use app threat intelligence services to detect malicious apps installed on devices
Educate end users to scrutinize the permissions requested by apps, particularly if an updated version requests significantly different permissions than previous ones.Mobile App Developer
To reduce the potential for an attacker to craft malicious apps that validate against your developer account, follow best practices to protect cryptographic signing material for applications 5Mobile Device User
To decrease the time to detection for malicious apps, use Android Verify Apps feature.
G. Gruman, “Keep out hijackers: Secure your app store dev account,” InfoWorld, 5 Dec. 2014; www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html ↩
C. Welch, “Major security hole allows Apple passwords to be reset with only email address, date of birth (update),” The Verge, 22 Mar. 2013; www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth ↩
Protect your developer account, Google, 2016, https://support.google.com/googleplay/android-developer/answer/2543765?hl=en [accessed 8/25/16] ↩
Security and your Apple ID, Apple, 2016, https://support.apple.com/en-us/HT201303 [accessed 8/25/16] ↩
Secure Your Private Key, in User Guide, https://developer.android.com/studio/publish/app-signing.html#secure-key [accessed 8/25/16] ↩