Mobile security has become increasingly important in mobile computing. Of particular concern is the security of personal and business information now stored on smartphones and Apple phones. It is continuing to gain significance with the massive use of Android OS. This tutorial will take you through the simple and practical approaches to implement mobile security techniques.
Threats of Mobile Security
A smartphone user is exposed to various threats when they use their phone. In just the last two-quarters of 2012, the number of unique mobile threats grew by 261%, according to ABI Research. These threats can disrupt the operation of the smartphone, and transmit or modify user data. So applications must guarantee privacy and integrity of the information they handle. In addition, since some apps could themselves be malware, their functionality and activities should be limited (for example, restricting the apps from accessing location information via GPS, blocking access to the user’s address book, preventing the transmission of data on the network, sending SMS messages that are billed to the user, etc.).
There are prime targets for attackers:
- Lack of Binary Protections:
- Insecure Data Storage
- Insufficient Transport Layer Protection
- Unintended Data Leakage
- Poor Authorization and Authentication
- Broken Cryptography:
- Client Side Injection
- Security Decisions via Untrusted Inputs
- Improper Session Handling
- Weak Server Side Controls
Consequences of threats in mobile apps security
When a smartphone is infected by an attacker, the attacker can attempt several things:
- The attacker can manipulate the smartphone as a zombie machine, that is to say, a machine with which the attacker can communicate and send commands which will be used to send unsolicited messages (spam) via SMS or email
- The attacker can easily force the smartphone to make phone calls. For example, one can use the API (the library that contains the basic functions not present in the smartphone) PhoneMakeCall by Microsoft, which collects telephone numbers from any source such as yellow pages, and then call them. But the attacker can also use this method to call paid services, resulting in a charge to the owner of the smartphone. It is also very dangerous because the smartphone could call emergency services and thus disrupt those services.
- A compromised smartphone can record conversations between the user and others and send them to a third party. This can cause user privacy and industrial security problems;
- An attacker can also steal a user’s identity, usurp their identity (with a copy of the user’s sim card or even the telephone itself), and thus impersonate the owner. This raises security concerns in countries where smartphones can be used to place orders, view bank accounts or are used as an identity card;
Different types of attacks
An attack based on SMS and MMS (kb)
Some attacks derive from flaws in the management of SMS and MMS.Some mobile phone models have problems in managing binary SMS messages. It is possible, by sending an ill-formed block, to cause the phone to restart, leading to the denial of service attacks. If a user with a Siemens S55 received a text message containing a Chinese character, it would lead to a denial of service. In another case, while the standard requires that the maximum size of a Nokia Mail address is 32 characters, some Nokia phones did not verify this standard, so if a user enters an email address over 32 characters, that leads to complete dysfunction of the e-mail handler and puts it out of commission. This attack is called “curse of silence”. A study on the safety of the SMS infrastructure revealed that SMS messages sent from the Internet can be used to perform a distributed denial of service (DDoS) attack against the mobile telecommunications infrastructure of a big city. The attack exploits the delays in the delivery of messages to overload the network.
Attacks based on the GSM networks
The attacker may try to break the encryption of the mobile network. The GSM network encryption algorithms belong to the family of algorithms called A5. Due to the policy of security through obscurity, it has not been possible to openly test the robustness of these algorithms. There were originally two variants of the algorithm: A5/1 and A5/2 (stream ciphers), where the former was designed to be relatively strong, and the latter was designed to be weak on purpose to allow easy cryptanalysis and eavesdropping.ETSI forced some countries (typically outside Europe) to use A5/2. Since the encryption algorithm was made public, it was proved it was possible to break the encryption: A5/2 could be broken on the fly, and A5/1 in about 6 hours. In July 2007, the 3GPP approved a change request to prohibit the implementation of A5/2 in any new mobile phones, which means that it has been decommissioned and is no longer implemented in mobile phones. Stronger public algorithms have been added to the GSM standard, the A5/3 and A5/4 (Block ciphers), otherwise known as KASUMI or UEA published by the ETSI. If the network does not support A5/1 or any other A5 algorithm implemented by the phone, then the base station can specify A5/0 which is the null-algorithm, whereby the radio traffic is sent unencrypted. Even in case mobile phones are able to use 3G or 4G which have much stronger encryption than 2G GSM, the base station can downgrade the radio communication to 2G GSM and specify A5/0 (no encryption). This is the basis for eavesdropping attacks on mobile radio networks using a fake base station commonly called an IMSI Catcher.
Attacks with wifi
Attacks related to hacking wireless networks, piping passwords generators like Crunch with Aircrack-NG, how to bypass MAC filtering and a lot more. It is suggested that you have a wireless network interface capable of packet injection which supports usage in promiscuous (monitoring) mode. The wifi hacking tutorials will teach you about hacking WPS vulnerabilities with Reaver and Pixie dust and how to brute force default routers passwords.
Attacks based on hardware vulnerabilities
In 2015, researchers at the French government agency (ANSSI) demonstrated the capability to trigger the voice interface of certain smartphones remotely by using “specific electromagnetic waveforms”.The exploit took advantage of antenna-properties of headphone wires while plugged into the audio-output jacks of the vulnerable smartphones and effectively spoofed audio input to inject commands via the audio interface.
Juice Jacking is a physical or hardware vulnerability specific to mobile platforms. Utilizing the dual purpose of the USB charge port, many devices have been susceptible to having data exfiltrated from, or malware installed onto a mobile device by utilizing malicious charging kiosks set up in public places or hidden in normal charge adapters.
Jail-breaking and rooting
Jail-breaking is also a physical access vulnerability, in which mobile device users initiate to hack into the devices to unlock it and exploit weaknesses in the operating system. Mobile device users take control of their own device by jailbreaking it and customize the interface by installing applications, change system settings that are not allowed on the devices. Thus, allowing to tweak the mobile devices operating systems processes, run programs in the background, thus devices are being exposed to the variety of malicious attack that can lead to compromise important private data.
App Sandboxing Issues
Sandbox helps the mobile users by limiting the resources that an application uses in the mobile device. However, many malicious applications can overpass this allowing the malware to use all the device processing capabilities and user data.
It is an environment where each application runs its allocated resources and data so the applications are secure and cannot access other application resources and data.
It is an environment where a malicious application is installed and it exploits the sandbox by allowing itself to access all data and resources.
Prevention and Solutions
In order to protect ourselves from SMS phishing, some rules have to be kept in mind.
- Financial companies never ask for personal or financial information, like username, password, PIN, or credit or debit card numbers via text message.
- Smishing scams attempt to create a false sense of urgency by requesting an immediate response. Keep calm and analyze the SMS.
- Don’t open links in unsolicited text messages.
- Don’t call a telephone number listed in an unsolicited text message. You should contact any bank, government, agency, or company identified in the text message using the information listed in your records or in official webpages.
- Don’t respond to smishing messages, even to ask the sender to stop contacting you.
- Use caution when providing your mobile number or other information in response to pop-up advertisements and “free trial” offers.
- Verify the identity of the sender and take the time to ask yourself why the sender is asking for your information.
- Be cautious of text messages from unknown senders, as well as unusual text messages from senders you do know, and keep your security software and applications up to date.