Friday, 15. May 2015

Mobile Certificates and Developer Accounts: Who is Faking It?

Companies risk losing all their customers if they continue neglecting their app store presence. While malicious mobile apps do bring serious security concerns to the fore, (70% of top free apps have fake and mostly malicious versions in app stores) companies and developers also face another challenge in the form of copycats.

For a company that needs to maintain an official mobile app on Google Play, fake or impostor apps can mean trouble for both their credibility and revenue. For users, the impact is similar, although on a more personal level. If users get fooled into downloading these apps, it can eventually lead to information theft, reputation damage, and overall dissatisfaction with the company’s brand and service.

Companies that maintain official apps in app stores like Google Play have a big role to play in minimizing the risk of their users installing fake apps. By properly establishing their identity and their apps, they can greatly help their users sort out the real apps from the fake ones. For example: ideally, all apps are released under one developer, as is the case for the various Trend Micro apps:



Figure 1. Trend Micro apps on Google Play

However, we have noticed that some organizations are not able to do this. Instead, multiple developers all publish various versions of official apps.



Figure 2. Various banking apps with different developer names

Why is this the case? Android requires that all apps should be signed (even with a self-signed certificate). Large organizations will, of course, have different teams responsible for developing different apps. Different private keys may be used to sign any created apps, even if they are consolidated under one account. Furthermore, different accounts may be used to upload the apps, even if they’re all related to the same company.

The practice can cause confusion among users (as seen in Figure 2), where it is not clear which is the official account. Even if the apps are consolidated under one account, outside of the Google Play store there is no way to identify that these apps as legitimate or not (since the certificate is used to identify the author). This can cause confusion if an app is legitimate or not in third-party stores.

For developers, the main impact here is that their customers might not be able to properly identify their app and they may lose potential install base. For users, however, this can turn into a big risk, since this makes it harder to spot “legitimate” versions of the app (e.g., the developer name used might not make it clear who published the app). In addition, if the user checks what other apps were published by a specific developer there may not be other apps to be found. In and of themselves, these are not necessarily bad, however malicious apps can share these traits as well.

How do we know who is faking it?

Companies need to ensure that they properly identify themselves as the credible source for their apps. It is not extraordinarily difficult for organizations to adopt proper key management to allow all apps released to be signed by one key: many large companies are able to do exactly this. The solution is to implement proper key management practices; the IT department of a large organization should be capable of arranging this correctly. Ideally, all official apps should be signed by one certificate, tied to one developer account.

For consumers, this has one benefit: all apps from an organization would show up as from one developer in Google Play, as well as third-party app stores. With official apps properly identified, this will help users identify fake apps  and prevent from inadvertently downloading them. This protects them from various problems such as information theft.

For now, we strongly advise users to be careful in choosing which app to download. Checking all details related to the app — developer name, rating, reviews — can help identify fake apps. Additionally, installing a security app such as the Trend Micro Mobile Security and Antivirus can detect fake apps and prevent them from getting installed.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Mobile Certificates and Developer Accounts: Who is Faking It?