While Google has extoled the security of its new mobile operating system, the system is only as secure as the apps that run on it, according to White Hat team lead Matt Johansen and application security specialist Kyle Osborn. "This is a juicy new attack surface," Johansen said. "There's none of the usual suspects you'd find on the desktop. We're not interested in your hard drive when we can get whatever you have in the cloud."
The primary problem, Johansen and Osborn said, is that many extensions allow wide-open permissions, and often more access than they need, such as the ability to access any website whatsoever. Some apps, such as RSS readers, mail notifiers, and note takers, often require broad access.
Apple vets applications that wind up on its AppStore, but Google does not do the same for extensions made available for Chrome OS. That means that a malicious actor could upload an innocuous-sounding extension to the Chrome Web Store and then hack those who download it. In fact, to prove the point, Osborn said he successfully briefly uploaded an extension called "Malicious Extension" to the Web store (though he immediately took it down thereafter).
However, in addition to malicious apps, there may be vulnerabilities even in common apps. Johnasen and Osborn discovered, for example, that Google's ScratchPad note-taking app allowed them to use a cross-site scripting injection to grab users' contacts, as well as their cookies, which could in turn provide a hacker with access to, for example, a user's Gmail or call history. While Google quickly closed this vulnerability after its discovery, Johansen noted that the two have found vulnerabilities in numerous other apps that could allow similar permissions.
GTEC brings together leading public and private sector experts to collaborate on serving Canadian citizens better through innovation and technology. It happens in Ottawa, Oct. 17-20. Find out more.