Knowing the Mobile App Security Threats & How to Prevent Them
Smartphones are now used more than PCs because they are practical to handle and carry. They serve personal purposes such as taking pictures, social networking and banking, and they are also used for business. This makes them sensitive work tools that hold confidential information: business contacts, financial data, personal details and so on. As a result, attackers have widened their target area to include direct attacks on mobile devices.
As with PCs, smartphones are attacked by exploiting vulnerabilities in SMS, MMS, Wi-Fi and GSM networks, in their operating systems, or simply in the average user's lack of awareness of these topics. The main goals of mobile threats are to disrupt the normal operation of the device, to intercept or modify user data, to send spam messages, and so on. More formally, attackers have three primary objectives: the data (credit card numbers, authentication credentials, private data, calendars, contact lists and other sensitive information); the identity (each smartphone is personalised and therefore tied to a specific person, so an attacker who intercepts information linked to the owner can steal that identity to commit fraud); and the availability (limiting or denying the user access to his or her own device).
Identifying the Threats
Mobile security threats come in several forms. The purpose of this article is to show readers which threats are most common, how to identify them, and how to stay alert and avoid them. Surfing the web, I had the opportunity to read a lot about mobile security threats, classifications and top-ten lists, and my conclusions are presented below.
Application Based Threats
This category refers to downloaded applications: mobile software that presents potential security issues. Such apps may look fine on a download site yet be specifically designed to commit fraud, or they may be designed for legitimate use but contain unintended security vulnerabilities.
a) Malware: Software (in this case an app) that performs malicious actions once installed on your smartphone, such as adding charges to your phone bill, sending malicious messages to your contact list, or giving the attacker control over your device without your knowledge.
b) Spyware: Software designed to collect or use private data without the user's knowledge or approval. The data commonly targeted by spyware includes call history, text messages, contact lists, browser history, user location and private photos: anything that could help the attacker commit financial fraud or identity theft.
c) Privacy threats: Caused by apps that are not strictly malicious but collect or use sensitive information (location, contact list, personal details) beyond what is necessary to perform their function.
d) Vulnerable applications: Apps that are not malicious in themselves but contain flaws that can be exploited for malicious purposes (downloading other apps without our permission, accessing sensitive information, performing undesirable actions, etc.).
A popular trick for this kind of threat is to create a mobile app that imitates a more popular program and bundle that fake app with malicious software. Android devices in particular offer many ways to download and install apps, including third-party sources that may host malicious ones. We therefore have to be very careful about the apps we download and make sure they are genuine. Useful signals are the number of users who have downloaded the app, the positive reviews it has received, a well-written description, and a link to the developer's website.
Web Based Threats
Mobile devices are constantly connected to the internet and used to access web-based services, so the web-based threats that affect PCs also affect mobile devices.
a) Phishing scams: Use email, text messages, Facebook and Twitter to send you links to websites designed to trick you into providing personal information such as passwords or account numbers.
b) Drive-by downloads: Applications downloaded to a device without the user's authorization, or even knowledge. The hidden download can be triggered simply by visiting a website or opening an HTML email message.
c) Browser exploits: Designed to take advantage of vulnerabilities in a web browser, either in the browser itself or in a third-party component such as Flash Player, a PDF reader or an image viewer. Simply visiting an unsafe website can trigger a browser exploit that installs malware or performs other malicious actions on your device.
To prevent this kind of fraud, we have to recognise when a message is fake and not open suspicious links received by email, Twitter or Facebook messages. When we have the choice, we should not install unknown software and should not take all the advertising seen on the Internet at face value. In general, we have to be careful about the websites we visit and the information we access.
Network Based Threats
The number of smartphone users has increased, and with it the use of data transmission networks such as Wi-Fi, Bluetooth and GSM. This has increased the attack surface for users who connect to these networks. Data in transit between the mobile device and a server, or between two devices, may be intercepted, giving an attacker unauthorized access to sensitive data.
a) Network exploits: Exploits that take advantage of flaws in the mobile operating system or in the software that operates over local or cellular networks; once connected, they can install malware on your phone without your knowledge.
b) Wi-Fi sniffing: Attacks that intercept data while it travels through the air between the device and the Wi-Fi access point. Many websites and apps still send data across the network without encryption, which makes it easy to read for anyone capturing it as it travels.
For this reason we have to be careful when connecting our device to a public network and configure the connection as securely as possible to protect the data we transfer. Do not neglect this: on public networks where many people are connected (a hotel network, for example), attackers are present.
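As an added example (not part of the original article), the following Python script shows concretely what the Wi-Fi sniffing threat above means: given a TCP payload captured on an open network, it reports what an eavesdropper can read directly. A cleartext HTTP login, a Basic-auth request and a session cookie are fully readable; a TLS payload yields nothing. All "captures", the `SENSITIVE_FIELDS` list and the function names are constructed for this example and are not from the article or any real network.

```python
"""Inspect a captured TCP payload and report what an eavesdropper can read.

Every sample capture in this file is constructed for the example; nothing was
recorded from a real network.
"""
import base64
from urllib.parse import parse_qs

# Form-field names that usually carry secrets (assumption: a small illustrative
# list; extend it for real traffic analysis).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pin", "token", "card", "cvv", "ssn"}


def classify_payload(payload: bytes) -> str:
    """Cheap protocol guess from the first bytes of a TCP segment payload."""
    # A TLS record starts with a content type (0x14..0x17) and version 0x03 0x0?
    if len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03:
        return "tls"
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"PATCH", b"OPTIONS"):
        return "http"
    return "unknown"


def extract_cleartext_secrets(payload: bytes) -> dict:
    """Return {name: value} for every secret readable without any key.

    TLS and unrecognised payloads give an empty dict: the eavesdropper sees
    bytes but not their meaning.
    """
    if classify_payload(payload) != "http":
        return {}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = {}
    # 1. HTTP Basic auth: base64 is an encoding, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found["basic_auth_user"] = user
            found["basic_auth_password"] = pwd
        except (ValueError, UnicodeDecodeError):
            pass
    # 2. A session cookie is as good as a password for hijacking the session.
    if "cookie" in headers:
        found["cookie"] = headers["cookie"]
    # 3. Credentials in the query string or a urlencoded body.
    _, _, target = request_line.partition(" ")
    target = target.split(" ")[0]          # drop the trailing "HTTP/1.1"
    query = target.partition("?")[2]
    candidates = parse_qs(query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        candidates.update(parse_qs(body.decode("latin-1"), keep_blank_values=True))
    for field, values in candidates.items():
        if field.lower() in SENSITIVE_FIELDS:
            found[field] = values[0]
    return found


# --- constructed sample captures (not real traffic) ------------------------
CLEARTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=Winter2024"
)
BASIC_AUTH_REQUEST = (
    b"GET /api/balance?account=1234 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Authorization: Basic YWxpY2U6cGFzczEyMw==\r\n"   # "alice:pass123"
    b"\r\n"
)
# A TLS handshake record header with a stub body; the content is opaque.
TLS_HANDSHAKE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for label, capture in [("cleartext login", CLEARTEXT_LOGIN),
                           ("basic auth", BASIC_AUTH_REQUEST),
                           ("tls", TLS_HANDSHAKE)]:
        print(label, classify_payload(capture), extract_cleartext_secrets(capture))
```

The same logic, fed with payloads from a real capture, is a simple check a security team can run over its own apps' traffic on a test network: any non-empty result is data that a stranger on the hotel Wi-Fi would also have.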
Rooting / Jailbreaking
Rooting on Android, jailbreaking on iOS. For many people these terms mean taking total control over the smartphone to expand its configuration options (unlocking the phone to modify the operating system and user permissions). However, rooting or jailbreaking has a price, and that price is security.
On Android, the loss of security is inevitable: if you cannot control which apps run with elevated privileges, disaster can follow as malware operates freely. And if something goes wrong during the rooting process, the device may stop working properly.
On iOS the consequences are less severe, but you can no longer update your phone and you must rely on unknown apps that may be dangerous for it.
Physical Threats
Mobile devices are small and valuable, and we carry them everywhere. We use them for personal and professional purposes alike, and they may contain sensitive data, so their physical security matters as well.
a) Device and data ownership: For data stored on mobile devices, whether corporate or employee owned, questions of data ownership and liability are still unsettled. Significant data privacy issues may arise between employees and enterprises when employees use corporate devices for personal activities and personal devices for business purposes.
b) Lost or stolen devices: One of the most common mobile threats. We must consider the value of our phone, not only its monetary value but the sensitive personal or organizational information it may contain. Its theft or loss has immediate consequences, because a complete stranger now holds all the information stored on the device (bank accounts, social network passwords, contact lists, etc.) and can use it with bad intentions.
Mobile security threats are on the rise, and this is inevitable as more people adopt smartphones and tablets. I'm sure there are other vulnerabilities that fall into the categories described in this post, so we must follow good mobile security practices: be aware of what we download and the links we click, and make sure the apps we install are genuine. The best defense is common sense: stay on guard for incoming scams via email, social networks or text messages. Finally, always check that your mobile is in your pocket!
About the Author
Karla Martin is a Computer Systems Engineer with almost 3 years of experience in software development and is currently pursuing a Master's in Internet Technologies: Network and Security. She works at iTexico as a Web and Mobile Developer.