
How mobile developers can kill off zombie apps before they attack

John P. Mello Jr., Freelance writer

Much noise has been made about the risk mobile malware poses to consumers and businesses, but an even greater threat is posed by apps that have been abandoned by their developers or become stale on mobile devices. These apps, identified by a number of names, including zombie, dead, and orphan, can create risks similar to those of desktop programs and operating systems losing support at the end of their lifecycles.

The zombie app menace was recently highlighted in a threat report by Appthority. "Even though the threat of malware poses a serious concern for mobile devices in the enterprise, research has identified that there is a more immediate risk to most enterprise environments," the report noted. "This risk stems from a lack of transparency in the way app stores handle post release revocation of apps."

Whenever an app is removed from an online store, whether for security or vulnerability concerns, app store terms of use violations, or developer desertion, the app remains on its users' devices. A diligent user might ditch the app after noticing it's not being updated regularly, but most users aren't that diligent. If app stores alerted users that an app has been removed, more users would delete the app from their mobile devices, but app stores don't do that. As the report notes, app stores inform app developers that their apps have been discontinued, but they don't inform app users.

In addition to dead apps, mobile devices may also contain stale apps. An app is stale when it has a new update in an online store but hasn't been upgraded on a user's device. Stale apps present a threat similar to that of zombie apps because while they may still nominally receive support, their makers aren't paying a lot of attention to them.

How developers can kill a zombie app

A large step toward reducing the threat of zombie apps could be taken if users received notice—either from a developer or an app store—that an app isn't receiving support or has been removed from an app store. Filip Chytry, a security researcher with Avast, says developers need to think about the potential death of an app as they're building it. "You need to think ahead," Chytry says. "Then you could add something like an app trigger that will automatically notify the user that the app is no longer supported."

Some developers do alert users when they cut support to an app, but it isn't a common practice. "Some apps will push an upgrade that states a particular application has been [sunsetted], and a user can use another application instead of it," says Swapnil Deshmukh, a security researcher with the Open Web Application Security Project (OWASP).

Most developers, though, are concerned with immediate security needs, not those that might crop up after a program has reached its life's end. "When we review applications, it's not something we're thinking about," says Jeremy Allen, partner and principal consultant with Carve Systems, which focuses on helping its clients build secure mobile applications. "We're looking at what are the problems now. We're not thinking of a future where our app gets forgotten about and someone finds a security problem and starts abusing it."

Lifecycle leads to the walking dead

While timely notice could be a head shot to many zombie apps, there's not a lot of incentive for developers to take that path. As long as an app is producing revenue for a developer, it's likely to be properly monitored and maintained. "If it's a dormant application, then no one is monitoring at that point," says OWASP's Deshmukh.

Notice is most beneficial for threats posed by dormant or stale apps because developers still have access to app stores through which they can get their messages out to their users. It's less effective for programs that have been removed from an app store. Once an app is removed, developers have limited ability to contact their users. Some conscientious developers will post notices on their websites about an app's fate. Typically, however, relatively popular apps that have been abandoned will remain unsupported on thousands of machines.

If an app store removes a developer's ability to communicate with users about apps that have been removed from the store, should the app store shoulder the burden of notifying users? What if there are threats involved?

While the managers of online app stores have recently made strides toward greater openness with their customers, the Appthority report noted that there is still little or no transparency when it comes to alerting users after an app has been removed from one of the app stores. "This leaves users who have downloaded the revoked apps in limbo, with lack of any visibility or direction," the report stated.

"The fact that the app is no longer available from the respective app stores means they are no longer in a position to be updated for bugs, vulnerabilities, or security fixes," the report continued. "In some cases, the app may have been abandoned or the domains associated with the apps have expired. Dead Apps are also in a position to be exploited by third parties, offering fake updates and content or targeting known vulnerabilities that were never patched."

Gartner security analyst Avivah Litan says fake updates of zombie apps would be very tempting to bad actors. "If users are searching for an update that has been discontinued, that would be a really easy attack vector for criminals because they know support has stopped for the application, but the users don't know that, so [the criminals] pretend they have an updated version for it," Litan says. "That's what you call clever social engineering." It also means a developer must be careful to wean a user from a dormant app to a new one when using updates.
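An added example, not code from the article or from anyone quoted in it: the end-of-support trigger Chytry describes, built so that a notice is accepted only when it carries the developer's signature and so that it still fires when no notice can be fetched at all. It assumes a Node.js-style `crypto` module; the app id, date, field names and key pair are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed build-time values (hypothetical names), baked in at release so the
// trigger still fires if the developer's servers or domains are gone.
const BUILD = { appId: 'com.example.notes', supportedUntil: Date.parse('2026-01-01T00:00:00Z') };

// Constructed sample key pair; a shipped app would embed only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Developer side: sign a lifecycle notice before publishing it.
function signNotice(notice, key) {
  const payload = Buffer.from(JSON.stringify(notice), 'utf8');
  return {
    payload: payload.toString('base64'),
    sig: crypto.sign(null, payload, key).toString('base64'),
  };
}

// App side: return the notice only if the signature and app id check out.
function verifiedNotice(signed, pubKey) {
  if (!signed) return null; // nothing fetched
  try {
    const payload = Buffer.from(signed.payload, 'base64');
    const sig = Buffer.from(signed.sig, 'base64');
    if (!crypto.verify(null, payload, pubKey, sig)) return null;
    const notice = JSON.parse(payload.toString('utf8'));
    return notice.appId === BUILD.appId ? notice : null;
  } catch {
    return null; // malformed input is treated like no notice
  }
}

// A verified notice can only end support early; it never extends the built-in
// date, so a replayed or forged "still supported" message cannot hide the sunset.
function supportStatus(signed, pubKey, now) {
  const notice = verifiedNotice(signed, pubKey);
  if (notice && notice.status === 'sunset') {
    return { state: 'unsupported', source: 'notice', replacement: notice.replacement || null };
  }
  if (now >= BUILD.supportedUntil) {
    return { state: 'unsupported', source: 'built-in date', replacement: null };
  }
  return { state: 'supported', source: 'built-in date', replacement: null };
}
```
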

Develop secure apps to get ahead of risk

When addressing potential threats from zombie and stale apps, developers need to be aware of the limitations of notices in addressing the problem, namely that no amount of notice is going to get some users to clean up their devices. The report noted that in many cases, users do not update their apps, despite knowledge of "fixed bugs, patched vulnerabilities, or addressed security concerns."

"That's a completely prevalent behavior," says Carve's Allen, who confesses to using only a handful of the four pages of apps on his mobile phone. "It happens in the enterprise, too. I've seen apps removed from corporate app stores still on employees' devices."

As with many security problems, there's always a gap between the magnitude of potential harm and the actual risk of that harm occurring. "It's hard to quantify what the risk is," Allen says. Better safe than sorry, though—a zombie is hard to kill.
