Computer scientists have uncovered architectural weaknesses in both the iOS and Android mobile operating systems that make it possible for hackers to steal sensitive user data and login credentials for popular e-mail and storage services.
Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.
Image from Arstechnica showing a Facebook server exposing credentials to an unauthorized app.
Fortunately, there is a solution to this problem. That solution is a strong mobile security program. Although most of these holes have been patched by now, the ones that haven't still require the user to use a malicious link, which is one of many things Webroot SecureAnywhere Mobile for Android and Webroot SecureAnywhere Mobile for iOS protect against. If you don't have mobile protection, this is something you should be concerned about. Malicious links are not always easily identifiable, and they are often hidden in innocuous-looking emails designed to trick users into clicking the links. However, if you have a good mobile security solution that checks links, like Webroot, this threat is nothing to worry about.
/// JimM /// /// Former Community Manager - Now Humble Internet Citizen/// /// Also Formerly a Technical Support Escalations Engineer ///