Androids, iPhones and BlackBerries are becoming more like wallets each day -- and the bad guys are starting to take notice, eEye CTO Marc Maiffret warns. Smart phone users have two things to worry about. First, the devices are loaded with the same old-school vulnerabilities that plagued PCs a decade ago. Second, those flaws are going to make it easy for online thieves to pick your pocket as the phone becomes more like a wallet.Mobile Wallet: Coming Soon?That day is coming fast, according to eEye co-founder and CTO Marc Maiffret.“We haven’t seen many smart phone attacks yet, because it’s still much easier to break into a desktop,” Maiffret said. “But that’s going to shift because smart phones are becoming increasingly like a wallet, with applications that support banking right on the device. More sensitive data will be on the phone, making it much more worthwhile for attackers.” Compounding the problem is that smart phone makers are repeating the old mistakes made by computer manufacturers more than a decade ago. Specifically, in the rush to bring new technology to market, developers are overlooking security. The secure development lifecycle you’ve heard about doesn’t apply to smart phones — yet.“One of the very last iPhone jailbreak tools that came out was going to a website that loaded .pdfs that caused code execution,” Maiffret said.”It’s the classic-style attack we’ve see in Windows environments for years.” MORE ABOUT SMART PHONE SECURITYSmart Phone Attacks: Here and NowMobile phone security dos and don’tsYour iPhone’s Dirty Little Security Secret3 Simple Steps to Hack a Smartphone (Includes Video)SecTor 2010: Touring (and surviving) the mobile app minefieldAnd with the smart phone market becoming extremely cut-throat — with Apple, RIM and Android racing for market share — the danger will only grow, Maiffret said, adding that “There isn’t a single smart phone developer out there saying that what they’re working on will be two months late because they have to work security in. I promise you that.”Maiffret isn’t the first security researcher to make this observation, of course. During the SecTor security conference in Toronto two months ago, Intrepidus Group researchers Zach Lanier and Mike Zusman gave a presentation highlighting all the old flaws plaguing smart phones.The pair started taking mobile phone apps apart to see what makes them tick, and discovered that our assumptions about lessons learned on PCs being applied to smart phones have been wrong. They walked their audience through some of the more glaring examples of old-school flaws they uncovered in many Web apps for mobile phones.The problems that need fixing are on the developer side, Lanier said. In the rush to satisfy smart phone users hungry for new apps, the same mistakes that were made around 1999-2000 in the PC world are being repeated. After looking at the more popular phones like Android and BlackBerry, the two discovered, among other things, that:Intercepting one’s credentials on an app like Foursquare is pretty easy.Storage apps — popular among those who like to store and easily retrieve music and video on their phones — contain security holes an attacker could exploit to cause a denial of service or bypass digital rights management controls.Carrier-based apps tend to trust you just because you happen to be on the carrier network.Third-party apps are sometimes better than carrier-based apps in this regard, but there’s still incomplete support for open standards.Man-in-the-middle attacks are fairly trivial across the board.It’s trivial for a bad guy to replay a user’s picture upload requests via a third-party upload app for BlackBerry and send their own, potentially malicious files to random accounts. Zusman said injection flaws in the picture upload feature abound and that it was fairly simple to inject their own XML attribute.Lanier and Zusman concluded that in the mobile phone Web app world there’s a lack of guidance, standards and best practices for developers. “We learned about many of these weaknesses 10 years ago,” Lanier said. “We’re forgetting the lessons we already learned.”Read more about wireless/mobile security in CSOonline’s Wireless/Mobile Security section. Related content feature Key findings from the CISA 2022 Top Routinely Exploited Vulnerabilities report CISA’s recommendations for vendors, developers, and end-users promote a more secure software ecosystem. By Chris Hughes Sep 21, 2023 8 mins Zero Trust Threat and Vulnerability Management Security Practices news Insider risks are getting increasingly costly The cost of cybersecurity threats caused by organization insiders rose over the course of 2023, according to a new report from the Ponemon Institute and DTEX Systems. By Jon Gold Sep 20, 2023 3 mins Budget Data and Information Security news US cyber insurance claims spike amid ransomware, funds transfer fraud, BEC attacks Cyber insurance claims frequency increased by 12% in the first half of 2023 while claims severity increased by 42% with an average loss amount of more than $115,000. By Michael Hill Sep 20, 2023 3 mins Insurance Industry Risk Management news Intel Trust Authority attestation services now in general availability Formerly known as Project Amber, Intel’s attestation services support confidential computing deployments. By Michael Nadeau Sep 20, 2023 3 mins Zero Trust Security Hardware Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe