Question

Imagine a scenario in which a game X installed on your mobile device wants to access your account information from social network Y. Assume that Y exposes some API and has features like "login with Y" etc. On a desktop PC, X could pop up a new browser window, with the domain of Y clearly shown in the address bar and a padlock icon clearly indicating an SSL connection, and in this popup social network Y would ask the user to provide a login, a password, and agreement to pass some information (like name, avatar, e-mail) to the application X. For example, OAuth 2 uses this approach.

In my opinion, on mobile the situation is rather different, as application X can take control of the whole screen. In particular, it can draw on the device's screen something that is indistinguishable from a real browser and hijack the login and password provided by the user.

How can one combat malicious applications which cover the whole screen and pretend to be browsers, or even OS settings windows etc.?


Solution

There is no technological defense against this even on the desktop. It's trivial to mimic the look of a browser and draw a green SSL lock into a fake address bar. Or you can simply include a key logger with your application to get passwords entered in any application on the same system.

For mobile applications, including a key logger is harder. Drawing a convincing fake browser window is easy. An additional defense is the review process of an app store. An official app store as the only source of trusted apps mitigates problems like this to a certain extent. While malicious apps can slip through any review process, they can be removed once they are discovered.

OTHER TIPS

How about: double-click the home button so you see the app names?
(Screenshot: iOS example)

You can also run the task manager to see the app's name, e.g. com.android.chrome. I think Google won't allow two apps with the same name in the market.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow