When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it comes from an app store, what social media says, and whether they have seen any reviews. But what if, once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight?
This is what happened to approximately 300,000 active users of the Chrome ad-blocking extension Nano Adblocker. You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer, who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may also have been uploading session cookies.
Whilst this example is serious, the impact is hopefully small. However, it goes to show that our diligence with respect to the software and services we use must not end once a relationship with a provider starts, particularly as those pieces of software and services have increasing access to our data. Authorised data sharing, from giving access to your social media account to read access to your banking activity, is increasing and is enabling great service offerings. However, whilst a new service may be trustworthy when you sign up, it is quite possible for that trustworthiness to disappear overnight as a result of an acquisition. At best this could be a move from privacy-respecting to profiling for advertising, just as ultimately happened when WhatsApp was acquired by Facebook. At worst such a change could result in all sorts of data harvesting for nefarious reasons.
It seems that in matters of web/app security we often rely on the diligence of a handful of White Hats and user communities to highlight such issues, particularly for apps and services with relatively low volumes of users. Certainly, in the case above, I’m pretty sure that very few of the users of Nano Adblocker will have seen the original developer’s post on GitHub about the change of ownership. So, how can this be improved? It is true that app stores go some way to solving this issue, but this extension was on the Google Chrome Web Store, so that is not a foolproof solution. Is there another way? I wonder if this is yet another identity issue. Surely, when the developer of an application or the owner of a service changes, the chain of trust has changed, and at a minimum this should be highlighted to the user so that they are prompted to re-validate that chain of trust.
In so many cases, the user is expected to authenticate themselves to the service provider, but it is equally important that service providers authenticate themselves to their users. Fraud is often enabled through service users trusting something that looks, sounds, or seems to operate like the service they signed up for. However, fraud is often about disguise, and if you can make your malware appear to be a genuine software tool, you are in a position to attack a user just as you are if you can make an email appear to be from their bank.
The proliferation of apps and services is ever growing, and fraud is growing with it, in some cases now perpetrated by state actors. Perhaps now, more than ever, an additional layer of authentication and trust is required beyond what we have today, so that we, as consumers and service users, can authenticate those from whom we consume services and ensure that they are not wolves in sheep’s clothing.
About Consult Hyperion
Consult Hyperion helps institutions navigate how best to utilise identity technology by considering the intersection of technology, individual privacy, commercial requirements, and regulation.