Today, I continue to blog from the Black Hat Convention, where Microsoft Windows 8 (officially launched October 26) received praise from some surprising quarters.
Security experts in the past have been quick to make mince meat out of the latest Windows offerings, but it seems Microsoft has made some impressive security improvements this time around. With a nod to Apple, this includes sandboxing its Metro Apps to isolate and protect apps from exploits. The apps I have seen demoed seemed very easy to use with each app requesting user permissions on installation to access required resources—i.e., file system location, pictures, video, devices, microphone, etc.
I do wonder, however, if users of Metro Apps could fall prey to social engineering attacks that require user permissions to succeed. In computing speak, privilege is the permission to perform an action. These days, users are constantly bombarded with requests to grant permission—from downloading and running apps, downloading and opening files, running available updates. I know I myself am sometimes tempted to click “OK” before I’ve even read the alert that pops up just so I can get back to what I was working on.
I suspect many of us feel this way, which is why the Android DFKbootkit malware has been so successful. As mentioned in AVG’s latest Community Powered Threat Report, the DFKbootkit masquerades as a fake version of a legitimate application—in this case, Angry Birds Space. When the unsuspecting user downloads what he or she thinks is just another popular game from Rovio, the malware assumes full control over the device, posting fraudulent charges on the user’s phone bill.
Whether this will be a problem for Metro Apps, we will soon see. So far, the iPhone has been able to avoid the security issues Android’s experienced, because the sandboxing strategy and apps are approved by Apple. But it’s another reminder that users need to stay on their toes no matter what.
The fake Angry Birds app, after all, was listed in a third party app store for free. While Microsoft will direct users to the Windows Marketplace for apps just as Google directed its users to Google Play, the security of these big app stores drive the bad apps to other app stores with less compliance.
So the next time an app asks for your permission to perform an action, remember: if you’re not sure, you’re not secure. And if a free app seems too good to be true, it probably is.