Popular texting, messaging and microblog apps developed for
the Android smartphone have security flaws that could expose private
information or allow forged fraudulent messages to be posted, according to
researchers at the University of California, Davis.
Zhendong Su, professor of computer science, said that his
team has notified the app developers of the problems, although it has not yet
had a response.
The security flaws were identified by graduate student
Dennis (Liang) Xu, who collected about 120,000 free apps from the Android
marketplace. The researchers focused initially on the Android platform, which
has about a half-billion users worldwide. Android is quite different from
Apple's iOS platform, but there may well be similar problems with iPhone apps,
Xu said.
For an attack to succeed, the victim would first have to download a piece
of malicious code onto their phone. This could be disguised as or hidden in
a useful app, or attached to a "phishing" e-mail or Web link. The malicious
code would then invade the vulnerable programs.
The programs were left vulnerable because their developers
inadvertently left parts of the code public that should have been locked up, Xu
said.