In a world where mobile app development is exploding so quickly, even apps you think you can trust may be leaking your sensitive information. Modern mobile applications have the same functionality as a desktop or laptop, but with all this accessibility come risks. Mobile applications let users do many things conveniently, from ordering a pizza to online banking.
The flip side is the danger users face when the security of mobile applications is taken for granted. Criminals target smartphone users on social media through mobile apps, in attacks that grant access to the phone and, indirectly, to personal information such as logins, passwords and ATM/debit card numbers.
"Mr Rajesh learned a lesson the hard way when information provided to a Facebook gaming app by his 17-year-old son came back to bite him. The game offered extra gaming points in exchange for filling out an application form that asked for personal information, including an ATM number. Without thinking, and with the vision of more points to “level up” in his head, the teen completed the application, never realising that the ATM card was going to be used by cybercriminals to siphon the money from the account."
According to a study of more than 400,000 apps available from the Google Play Store by the cybersecurity company NowSecure, 10.8 per cent of all apps leak sensitive data over the network, 24.7 per cent of mobile applications have at least one high-risk security flaw, and 50 per cent of popular apps send data to an ad network, including your personal information.
Risks associated with mobile applications
There are many risks associated with the use of mobile applications that have spyware embedded in them. Some of the more prominent ones are:
Activity monitoring and data access (data stealer)
This is the core functionality of any spyware. Data can be intercepted in real time as it is being generated on the device. Examples would be sending each email sent from the device to a hidden third-party address, letting an attacker listen in on phone calls, or simply switching on open-microphone recording. Stored data such as a contact list or saved email messages can also be retrieved. The following are examples of mobile data that your apps can monitor and intercept: messaging (SMS and email), audio (calls and open-microphone recording), video, location, contact list, call history, browsing history, keyboard input, and even data files.
Unauthorised dialling, SMS, and payments (premium service abuser)
By building premium dialling and SMS functionality into a Trojan app, the attacker can run up the victim’s phone bill and have the mobile carrier collect the money and pass it on to them. Mobile devices can also be used to purchase items, real and virtual, with the cost billed to the customer's mobile account.
Phishing attacks/user impersonation (UI)
In this attack, the user thinks they are downloading a legitimate app, such as a banking app, but instead they get an imposter that relays information to the bank’s genuine website while sitting in the middle. When the user authenticates, they end up sending their credentials to the attacker.
A smartphone is much like a mini-computer, so the risk of malware is present on it as well. Malware can take many forms, including Trojans, viruses, worms and others. This software may install things such as key-logging software, spyware, botnet clients and other nasty things. These programmes are often used to obtain personal information, which can then be used for the financial gain of the criminals who installed them.
There seems to be an application for just about any task these days. However, some of these apps are developed by criminals who hope users will download and install them, which then gives the criminals access to the smartphone and to any user information stored on it, such as a credit card number, social security number, account numbers or passwords.
Sensitive data leakage
Mobile apps often store sensitive data such as banking and payment system PINs, credit card numbers, or online service passwords. Sensitive data should always be stored encrypted so that attackers cannot simply retrieve it from the file system. It should be noted that storing sensitive data without encryption on removable media such as a micro SD card is especially risky, because the card can be read on any other device.
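To make the storage point concrete for Android developers, here is an added example (not code from the article or from any app it mentions) that contrasts the risky pattern, writing a PIN in the clear to removable external storage, with the safer pattern: encrypting the value with AES-GCM under a key that lives in the Android Keystore, so the key material never sits in the app's files and the ciphertext alone is useless if the file system is read. The key alias, file names and the `Context` parameter are assumptions made for the illustration; the best choice of all is usually not to store the PIN on the device in the first place.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.io.File
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias for the app's key in the Android Keystore (an assumption for this example).
private const val KEY_ALIAS = "example_pin_storage_key"
private const val GCM_IV_BYTES = 12
private const val GCM_TAG_BITS = 128

// RISKY: the PIN is written in plain text to external storage (micro SD card or shared storage),
// where any other app with storage access, or anyone holding the card, can read it.
fun storePinInsecurely(context: Context, pin: String) {
    File(context.getExternalFilesDir(null), "pin.txt").writeText(pin)
}

// Returns the app's AES-256 key from the Android Keystore, generating it on first use.
// The key is non-exportable: the app can use it to encrypt and decrypt but never read it out.
private fun getOrCreateKey(): SecretKey {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (keyStore.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    generator.init(
        KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .build()
    )
    return generator.generateKey()
}

// SAFER: encrypt with AES-GCM (confidentiality plus integrity) and keep the result in the app's
// private internal storage. The Keystore picks a fresh random IV for each encryption; we store
// it in front of the ciphertext because it is needed, but not secret, for decryption.
fun storePinEncrypted(context: Context, pin: String) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
    val iv = cipher.iv
    val ciphertext = cipher.doFinal(pin.toByteArray(Charsets.UTF_8))
    File(context.filesDir, "pin.enc").writeBytes(iv + ciphertext)
}

// Reads the blob back and decrypts it. A tampered file fails the GCM tag check and throws
// AEADBadTagException instead of silently returning a modified PIN.
fun loadPinEncrypted(context: Context): String? {
    val file = File(context.filesDir, "pin.enc")
    if (!file.exists()) return null
    val blob = file.readBytes()
    if (blob.size <= GCM_IV_BYTES) return null   // malformed or truncated file
    val iv = blob.copyOfRange(0, GCM_IV_BYTES)
    val ciphertext = blob.copyOfRange(GCM_IV_BYTES, blob.size)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
    return String(cipher.doFinal(ciphertext), Charsets.UTF_8)
}
```

Two design choices matter here: the file goes under `filesDir` (app-private internal storage) rather than external storage, and the key is held by the Keystore rather than embedded in the app, since a hard-coded key can be pulled out of the APK just as easily as a plain-text PIN.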
How to protect oneself from the risks
While it may seem like a scary world out there for those who want the convenience of mobile apps, there are ways to protect yourself, and knowing that you have taken preventive measures should ease a bit of the tension. Some things you can do to protect yourself from the risks of mobile apps are:
• Research apps to determine if they are safe before downloading them. Look at who developed the app: for most large companies, the company itself should be listed as the developer. If the app is new or not well known, do a quick Google search to see if there are any reviews of it. A search for “app name – problems” may be rewarding.
• Review what information you are allowing the application access to when you accept the terms and permissions. Make sure that the amount of information you are allowing the app to have access to is only the information it will need to perform its intended function. If it requires access to lots of personal information, you will have to weigh the need for the app versus the exposure of that information to others.
• Install anti-virus software that protects against spyware and malware as well. Make sure this software is reputable and is kept updated.
• Enrol in a backup programme, which also provides the capability for your phone to be wiped. This will help protect the information on your phone should it become infected by malware.
• Turn geolocation and GPS off when they are not immediately needed. This can easily be done through the privacy settings on your smartphone; Android phones usually have a quick-settings icon to turn the GPS function on or off. This will keep your location from being broadcast unintentionally through picture uploads, tweets, etc.
• Enable two-factor authentication. People use the single sign-on feature when accessing their favourite apps. Although it makes it convenient to link every app to the same account and log in with a single tap, it also puts their personal information at risk. It is always better to enable two-factor authentication, which will generate an OTP every time you use the application.
(The author, an IPS officer of the 2005 batch, Kerala cadre, is a socially conscious cop, a well-known cyber expert, and the author of the must-read book 'Is Your Child Safe?' He has had an outstanding and illustrious career as senior superintendent of police in Kerala. Direct your queries to firstname.lastname@example.org)