Your Smartphone Might Have Been Compromised?
Smartphones have crept their way into every aspect of our lives. No matter what you need, there is most likely an app available for it. And yet, in spite of our excessive use of smartphones, most of us are unaware of the exact extent of the threats we may face while using these devices.
Mobile security threats are growing daily and now account for more than 60% of digital fraud ranging from stolen passwords to phishing attacks. Security is even more essential since we now use our phones to conduct online transactions and banking.
Fortunately, mobile phones can still be used safely by keeping yourself informed and taking the necessary precautions. Let us take a look at some threats that smartphone users may face.
When wireless hot spots are available nearly everywhere, why would anyone want to use up their cellular data? However, it should be noted that free WiFi networks are generally not secured. When you connect to public WiFi networks that do not require passwords or use encryption, you can allow anyone near you to spy on your online activity. Cybercriminals can create fake WiFi hotspots to trick users into connecting to them and can then steal the user’s data. For instance, these phony networks can direct you to a webpage that looks exactly like your bank’s website and then steal your password when you attempt to log in. Public WiFi networks are not as secure as private ones as there is no way of knowing who set up the network or how it is secured if it is secured at all. There is also no way of knowing who is accessing or monitoring the network.
It is best to not connect to just any network that you find. If it is absolutely necessary, ensure that you do not perform any activity (like entering passwords or banking) that may compromise you.
Often, mobile apps are the reason behind the unintentional leakage of data. “Riskware” apps pose a real threat to mobile users as they grant them varied permissions without checking the security. Generally, these are the free apps that are found in official app stores. They usually perform as advertised, but also send personal — and even possibly corporate — data to remote servers where it is used by advertisers. If these remote servers are compromised, or if a technical error leaves them prone to attack, the collected data can be used by cybercriminals for fraud.
Hostile enterprise-signed mobile apps can also lead to data leakage. Such mobile malware programs use distribution code native to famous mobile OSs like Android to transport valuable data across networks without raising suspicion.
To avoid data leakage, one should only give permissions that are absolutely essential for the app to perform its functions. Adjust the security controls on your mobile so that apps only collect limited data and do not install any apps that ask for more permissions than required.
A common worry of many mobile users is malware sending data to cybercriminals. However, more than malware that users should be worried about but spyware instead. Often spyware can be installed by spouses, employers, or coworkers to keep track of the victim’s activities and whereabouts. Spyware is also known as stalkerware and these apps are created to be loaded on the victim’s device without their permission or knowledge to survey or collect data. Spyware is most commonly installed on mobile phones when the user clicks on malicious advertisements or through scams that trick users into unintentionally downloading it.
Spyware is designed to allow very invasive digital monitoring through smartphones and one should be wary of apps that promise to surveil the activities of your children or loved ones through their mobile devices. These apps can be used by abusers to secretly listen to conversations, take pictures, read texts and emails, and track the phone’s location amongst other things. Less insidious apps can still gather information about what you do on your phone.
One should avoid mobile apps that ask for a lot of permissions or permissions that have anything to do with accessibility. Accessibility permissions give apps the power to read the text in other apps or control other apps.
Cybercriminals will often use text messages, voice mails, as well as emails to trick their targets into revealing sensitive information like passwords, clicking on malicious links, or confirming transactions. This practice is called phishing, which happens to be the most successful and hence most often used method that cybercriminals use to attack their victims.
As mobiles are always on, they are the most common targets for phishing attacks. As mobile users often check their email in real-time, they are more susceptible to being a target of phishing. Mobile device users are more vulnerable as email applications display less information to adjust to the smaller screen size. Even when opened, an email may only show the sender’s name unless the header information bar is expanded. This is why one should never click on unknown email links. And unless the matter is urgent, it is best to let the response wait until you can access a computer.
To avoid becoming a victim of phishing, you should always confirm who is calling you for your personal information. For instance, if the caller claims to be calling from the bank, you can say that you will call back using the bank’s official number. One should also not respond to messages claiming you have won prize money or any other such scenario and delete those messages immediately as they are generally scams.
Hackers may set up fake access points, i.e. connections that look like WiFi networks but are bait, in public locations with high traffic like restaurants, libraries, etc. This is called network spoofing. Cybercriminals also give access points names that encourage users to connect to them such as “Coffeehouse WiFi” or “Free Airport WiFi”.
Often, hackers will force users to create “accounts” to be able to use these services for free. These fake accounts will ask users to enter their emails and other details and even provide a password. As users tend to use the same email and password combination for many services, cybercriminals can then compromise the users’ emails and other secure information. One should always be cautious when connecting to free public WiFi and never provide secure information unless they are sure about the authenticity of the network. You should also always use unique passwords for logging into WiFi or any other application.
Incorrect Session Handling
To allow for ease of access for mobile transactions, most apps use “tokens” that enable users to perform many actions without having to re-authenticate their identity. Tokens are created by apps to validate and identify devices. Safe apps create new tokens with every attempt to access, or “session”, and these tokens must remain confidential. Incorrect or improper session handling happens when apps inadvertently share session tokens with a malicious party which in turn allows them to masquerade as legitimate users. Most often this is because of sessions that stay open after a user has moved away from the app or website. For example, if you log into a company intranet site from your tablet and forgot to log out when you completed your task, by staying open, a hacker would be able to freely explore the website and other related parts of your employer’s network.
Broken cryptography occurs when app developers use weak encryption algorithms, or neglect to correctly implement strong encryption. At times, developers may use standard encryption algorithms to speed up application development despite their known vulnerabilities. Due to this, cybercriminals can exploit these known vulnerabilities to crack passwords and acquire access. Other times, developers use very secure algorithms but leave “back doors” open that inhibit their effectiveness. For example, a hacker may be unable to crack a password but can use flaws left in the code by developers to allow them to adapt high-level application functions like sending or receiving text messages to cause problems. This is why the responsibility of enforcing encryption standards before apps are deployed lies on the shoulders of developers and their organizations.
An encryption gap is akin to a water pipe with a hole in it. Even if the point where the water enters, that is the users’ mobile device, and the point where the water exits, that is the systems, may be secured, a hole in the middle of the pipe can allow malicious entities to access the water flow in the middle.
Unencrypted public WiFi as well as any application or service that is not encrypted can provide hackers with ways to access sensitive information. This is why end-to-end encryption is a necessity. This includes making sure that the service providers you use also encrypt their services to avoid unauthorized access, as well as making sure that your users’ devices and your systems are also encrypted.
How Can I Safeguard Myself Against Mobile Security Threats?
In recent years, mobile security threats have increased in number and have also evolved in scope. This is expected to increase in the future. To protect their devices and data, users need to understand common threats and prepare the next generation for malicious activities that they can fall victim to. A good internet security solution needs to have extensive coverage that goes far beyond laptops and desktops and also provides protection to mobile devices, IoT devices, and other internet connection points. Your network and devices also need to be protected even when you are not at home.
Reach out to us at SECUREU & let’s talk about how we can help you!