This post is also available in: heעברית (Hebrew)

Mobile phone apps have increasingly become vulnerable to security breaches. Virginia Tech researchers have recently discovered that the same apps we regularly use on our phones to organize lunch dates, make convenient online purchases have secretly been colluding to mine private information.

A new study funded by the Defense Advanced Research Projects Agency as part of its Automated Program Analysis for Cybersecurity initiative aims at tackling this problem.

Associate Professor Daphne Yao and Assistant Professor Gang Wang, both in the Department of Computer Science in Virginia Tech’s College of Engineering, are part of a research team to conduct the first ever large-scale and systematic study of exactly how the trusty apps on Android phones are able to talk to one another and trade information.

“Researchers were aware that apps may talk to one another in some way, shape, or form,” said Wang. “What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone.”

According to vtnews.vt.edu, the types of threats fall into two major categories, either a malware app that is specifically designed to launch a cyberattack or apps that simply allow for collusion and privilege escalation. In the latter category, it is not possible to quantify the intention of the developer,  so collusion, while still a security breach, can in many cases be unintentional.

In order to run the programs to test pairs of apps, the team developed a tool called DIALDroid to perform their massive inter-app security analysis. The study took 6,340 hours using the newly developed DIALDroid software, a task that would have been considerably longer without it.

“Our team was able to exploit the strengths of relational databases to complete the analysis, in combination with efficient static program analysis, workflow engineeringת and optimization, and the utilization of high-performance computing. Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorized apps to gain access to privileged data,” said Yao.

The team studied a whopping 110,150 apps over three years including 100,206 of Google Play’s most popular apps and 9,994 malware apps from Virus Share, a private collection of malware app samples.

The set up for cybersecurity leaks works when a seemingly innocuous sender app like that handy and ubiquitous flashlight app works in tandem with a receiver app to divulge a user’s information such as contacts, geolocation, or provide access to the web.

The team found that the biggest security risks were some of the least utilitarian. Apps that pertained to personalization of ringtones , widgets, and emojis.

“App security is a little like the Wild West right now with few regulations,” said Wang. “We hope this paper will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end. While we can’t quantify what the intention is for app developers in the non-malware cases we can at least raise awareness of this security problem with mobile apps for consumers who previously may not have thought much about what they were downloading onto their phones.”