A group of cybersecurity researchers has conducted a large-scale study that identified severe security vulnerabilities in a range of mobile phone apps. The team also found that these issues are not the typical security problems accidentally introduced by developers but are quite intentional. The problems include either accessing private data or blocking content provided by the apps' users.

A group of cybersecurity researchers from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Ohio State University, and New York University has conducted a large-scale study that identified severe security vulnerabilities in different mobile phone apps. The team also found that the issues are not the typical security problems accidentally introduced by developers; they are quite intentional. The problems include either accessing private data or blocking content provided by the users.

Based on the study, which evaluated 150,000 applications, many phone apps contain hardcoded secrets, also known as "backdoors". Such secrets or backdoors may allow hackers to access private data or content provided by the users. The team chose the top 100,000 apps with the highest number of downloads from the Google Play Store, 30,000 pre-installed apps on Android smartphones, and the top 20,000 from a different app store.

The research team found these "backdoor secrets" in about 8.5 percent of the phone apps, a total of 12,706 of them. Backdoor secrets are hidden app behaviors that accept particular inputs and trigger behaviors not known to end users. These are functions that users are unaware of but that can be activated using certain sequences or actions.

Some apps also contain built-in master passwords; anyone who has the password can access the app remotely, as well as any private data enclosed within it. Other apps hold secret access keys that activate secret or hidden options, which may even include evading payment.

Zhiqiang Lin, an associate professor of Computer Science and Engineering at Ohio State University and senior author of the study, said that not only end users but also developers are at risk from motivated attacks. If a person with malicious intent obtains these backdoor secrets, the attacker could reverse engineer the mobile phone applications to decrypt them.

Qingchuan Zhao, another lead author of the study, said that backdoor secrets show that developers erroneously assume reverse engineering of their mobile phone apps is not a legitimate threat. To truly secure their apps, programmers need to keep their secrets on backend servers and ensure that their user-input validation is secure, according to Zhao.
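As an added illustration of the master-password and hidden-key patterns described above, and of the fix Zhao recommends (secrets on the server, validation done server-side), here is a constructed Java example that is not from the study or from InputScope; the Backend class, the account "alice" and every secret value are made-up stand-ins.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Set;
public class BackdoorSecretDemo {
    // BEFORE: both secrets ship inside the APK, so decompiling the app recovers them
    // (the master-password and hidden-access-key patterns the study describes).
    static class VulnerableAccess {
        private static final String MASTER_PASSWORD = "m4st3r-0verride";  // constructed value
        private static final String PREMIUM_UNLOCK_KEY = "FREE-PRO-2020"; // constructed value
        static boolean login(String user, String password) {
            if (MASTER_PASSWORD.equals(password)) return true; // bypass works for any account
            return Backend.verify(user, password);
        }
        static boolean premiumEnabled(String user, String enteredKey) {
            return PREMIUM_UNLOCK_KEY.equals(enteredKey);      // client decides; payment skipped
        }
    }
    // AFTER: the client holds no secret; it forwards the input and lets the server answer.
    static class HardenedAccess {
        static boolean login(String user, String password) { return Backend.verify(user, password); }
        static boolean premiumEnabled(String user, String enteredKey) {
            return Backend.isPremium(user); // entitlement comes from server records, not a typed key
        }
    }
    // Assumed in-process stand-in for the backend (hypothetical, not part of the study or
    // InputScope). Unsalted SHA-256 keeps it short; use a salted password hash in practice.
    static class Backend {
        private static final Map<String, byte[]> PASSWORD_HASHES =
                Map.of("alice", sha256("correct horse battery")); // constructed record
        private static final Set<String> PAID_USERS = Set.of("alice");
        static boolean verify(String user, String password) {
            byte[] expected = PASSWORD_HASHES.get(user);
            return expected != null && MessageDigest.isEqual(expected, sha256(password)); // constant-time
        }
        static boolean isPremium(String user) { return PAID_USERS.contains(user); }
        static byte[] sha256(String s) {
            try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
            catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
        }
    }
    public static void main(String[] args) {
        // An unknown account trying the baked-in master password and unlock key.
        System.out.println("vulnerable login=" + VulnerableAccess.login("mallory", "m4st3r-0verride")
                + " premium=" + VulnerableAccess.premiumEnabled("mallory", "FREE-PRO-2020"));
        System.out.println("hardened   login=" + HardenedAccess.login("mallory", "m4st3r-0verride")
                + " premium=" + HardenedAccess.premiumEnabled("mallory", "FREE-PRO-2020"));
    }
}
```

In the vulnerable version an unknown account succeeds at both checks; in the hardened version both fail because nothing in the client can grant access on its own.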

The team also discovered that 4,028 applications, or about 2.7 percent, blocked content containing keywords related to cyberbullying, censorship, or discrimination. The researchers were not surprised that certain apps restrict content; what was striking was the way the apps did it, according to Professor Lin.

The cybersecurity team developed InputScope, an open-source tool that helps app developers better understand the weaknesses of their mobile phone applications and demonstrates that the reverse engineering process can be fully automated.

The research was accepted for publication at the IEEE 2020 Symposium on Security and Privacy, scheduled for May 2020. The in-person conference, however, was canceled due to the global COVID-19 pandemic and was moved online instead.