There are often (quite rightly) concerns raised about operating system vulnerabilities on smartphones, and the need for users to patch their devices with the latest software. But the truth is that probably a bigger risk to the typical mobile user are the actual apps that they choose to run on them. Have they been coded reliably, are they taking enough care with preserving the privacy of our data, are they vulnerable to exploitation by hackers? And that point is driven home once again, by an alert issued by Cisco telling users of its WebEx Meetings business conferencing app to urgent update their Android software, after a serious security flaw was discovered. More than five million Android users are thought to have installed the app. As Cisco's security advisory describes, the most likely attack scenario is that an attacker might trick a user into downloading an app that then exploits the buggy installation of WebEx Meetings, grabbing WebEx's permissions in the process:
A vulnerability in the custom application permissions handling for Cisco WebEx Meetings for Android could allow an unauthenticated, remote attacker to change platform-specific permissions of a custom application. The vulnerability is due to the way custom application permissions are assigned at initialization. An attacker could exploit this vulnerability by downloading a malicious Android application to the mobile device. An exploit could allow the attacker to utilize the custom application to silently acquire the same permissions as the WebEx application.
In other words, you might be tricked into downloading an Android game or flashlight utility which *doesn't* ask for permission to access your address book, your photographs, your microphone, camera, and more... but then exploits the bug in the WebEx Meetings to do precisely that, without any permissions warning being displayed. Fortunately, Cisco has seen no evidence that the security hole has been exploited in malicious attacks. That's great news, but it's clear that businesses will want to ensure that their staff are only running the latest version of the WebEx Meetings app on their Android devices, as company sensitive information could potentially be put at risk. Cisco says that the only way to fix the problem is to update the WebEx Meetings app on your Android device - no alternative mitigations are available. I would also advise only downloading apps from the official Google Play store. Although Google doesn't have a spotless record when it comes to keeping malware out of its official Android app store, it's clearly a good deal safer than third-party sites. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
