Even a CHILD can make a Trojan to pillage Windows Phone 8 A teenager has crafted prototype malware for Windows Phone 8 just weeks after the official unveiling of the smartphone platform. The proof-of-concept code is due to be demonstrated by Shantanu Gawde at the International Malware Conference (MalCon) in New Delhi, India on 24 November. Gawde, who is a member of the Indian …
So what he has done is written a program that uses the standard APIs to get data and send it off?
The point is that an application needs to go through the approval process before going to the store. So while anyone can write malware, getting it out into the wild is more difficult now.
There are all manner of sneaky tricks you can do to get around such checks, you app could have a logic bomb in there so the negative effects only take effect after a time.
Details are thin so it's unclear whether the malware exploits a vulnerability in Windows Phone 8 or it simply tricks users into doing something daft,
Whilst it's quite possible that's what he's done, by no means is it clear that that's what he has done. It remains possible that he's found a vuln and exploited it.
No cause for panic, certainly, but given the sparse info I wouldn't go as far as to disregard it (yet) either.
Once he's revealed it at MalCon we'll know, but for the moment Windows Phone is Schroedingers Cat
"The point is that an application needs to go through the approval process before going to the store. So while anyone can write malware, getting it out into the wild is more difficult now."
Furthermore, when you install something from the store, you can see the permissions list for what it can access. So if you're installing a game and it says it wants to access your People hub, you can ask why it would need that and say no. And if something does make it through, when MS pull it, you will know about it.
This is a really shoddy and sensationalistic article. No details other than those which suggest it's just a regular program relying on user authorisation. They just wanted to try and force a headline about A CHILD CAN CRACK WP8!
Trollface for the Reg hack that wrote this article. No wonder I'm getting more of my news from The Verge these days (much like The Reg is ;)
When you download an app you can see what permissions it wants and check if that matches what you think it does.
Which is great.
However, you can't tell it "No, Farcebook, you may not have access to my contacts", which is crap.
However, in iOS and Windows Phone, you have no way of knowing what a given app does - once on board it is permitted to do anything at all to things like contacts etc in the "shared storage" areas, and you have no way of knowing beforehand that it even could.
So you are completely reliant on the curation of their app stores.
@Richard 12
Can't speak for WP8 but iOS apps request permissions which can be later reviewed and or revoked in Settings > Privacy.
Same caveats apply, if you deny a mapping app access to location services, a camera app access to the camera or a social app access to your contacts they probably wont work as intended or possibly at all.
One difference seems to be that Android asks for all 'required' permissions at install while iOS asks for permissions individually, as features that require them are used.
Which is why we need more specific controls on what apps can do.
"internet access" is rubbish as a control, we need, "wants to access http://appsite.com/*"
How about, "wants to access contacts - create unique myapp view of addressbook?"
Perhaps the OS could then run through the possible results at installation time: this app can read contacts from your addressbook and transfer data to/from http://mysite.com"
I install very little on my phone - I must be old - there's very little out there that I feel I need.
Perhaps the OS could then run through the possible results at installation time: this app can read contacts from your addressbook and transfer data to/from http://mysite.com"
It's a nice theory, but utterly unworkable in practice. Even assuming you could constrain an app in that fashion, you'd end up providing a massive list of requirements to end users which nobody would read (resulting ultimately in malware finding it easier to request permissions and get away with it). Similarly the experience for devs would be pretty horrific if they had to cope with every possible combination of users picking and choosing permissions that can be granted. Ultimately it's better for all to encourage devs to request the minimum permissions necessary and for users to avoid apps that want more than seems reasonable.
"It's a nice theory, but utterly unworkable in practice. Even assuming you could constrain an app in that fashion..."
It's not apps generally, but the new system of web-plugins for MS Office 2013 actually *does* do this. Sort of. There's a deployment system for them, written in XML, that defines what they may do right down to whitelists of websites or servers if you want. It's not a general app thing, but if you're running a corporate environment and you want to use a plugin for Office and know that it is only capable of communicating with server X or can only affect particular files on the system or what have you, then you can check the deployment code for the plugin and know that (vulnerabilities not withstanding), it can't do anything else.
Far better than a pile of VB code.
Usually its either an incredibly exceptional 15 year old with some form of 'communicative' disorder, or hes used portions of others code / API's...
It's incredible how much code is available. I wonder if it involves Bluetooth or... Device specific vulnerabilities?
There are heuristics available for Windows Mobile devices, not that most people would believe that even Android and Blackberry require protection (notice the abscence of iOS, just like every other apple technology... "it MUST be unhackable" LOL
If they don't select, you'll have malware. If they do select, it's usually seen as unfair and/or censorship.
The problem is that the selection is done by an outside central organization you have to trust.
Linux distributions like Ubuntu and Debian do it differently. They select packages for you, and you can get involved in that, if you want. If you don't trust a certain distribution or repository, you can simply go to another one, or even use multiple repositories at the same time.
Select packages for you - so that would be selecting like Google, Apple and Microsoft then (with various levels of control)
Use multiple Respositories - like unlocking an Android handset you mean?
So basically they do it exactly the same, except they seem to be better at blocking crapware than Google...
It's the control that makes the difference.
None of the App-Stores actually 'select' in truth, apps are submitted and they are either approved or rejected (in the case of Google, simply the former).
Using multiple Repo's isn't that dissimilar to allowing an Android handset to install from external sources (don't know why you said unlock, have you ever actually used one?), but it's also not exactly the same. It's vaguely similar to installing a different App-Store, I guess, though it still doesn't quite translate.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
