Mobile Device Security, Risks, Vulnerabilities, and Guidelines
What is Mobile Security?
There are over 3.5 billion mobile users around the world, which gives hackers an extensive area to target. All mobile apps are developed using the same languages that are used for their counterparts. If hackers can find vulnerabilities in a language, they can find vulnerabilities in the apps that use that language.
Typically, hackers use injection and malware techniques, such as Trojan horse programs, viruses, and worms. Some attacks, such as phishing and social engineering, exploit users' lack of knowledge, whereas other attacks target mobile apps and their servers.
Mobile Device Security Vulnerabilities
The security of mobile devices can be compromised because of the following vulnerabilities:
1. Lack of Binary Protection
If a mobile app lacks binary protection, hackers can run malicious code and modify its functionality.
2. Insufficient Transport Layer Protection
TLS encrypts the app's network traffic and helps protect confidential communication. Encryption is also essential for backend connections, to avoid security risks that may reveal session and authentication tokens.
3. Leakage of information
It is one of the biggest vulnerabilities in an app and can expose confidential information, such as details of the server, the environment, and user data. It needs to be addressed to prevent mishaps.
4. Insufficient authentication
When the developers or app owners don’t perform the necessary authorization testing, several important assets and data of the app remain at risk. Authorization policies should be in place to define the permissions for users, services, and applications.
5. Improper certificate validation
When the SSL or TLS certificates used by the app are not validated properly, the data flowing over the connection between the user and the server can be monitored and stolen.
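To illustrate items 2 and 5, the following added example (not code from the original article) puts a client TLS configuration with validation switched off next to a corrected one, and audits both. It uses Python's standard `ssl` module as a stand-in for an app's TLS client; the function names are illustrative.

```python
import ssl


def weak_context() -> ssl.SSLContext:
    """The mistake: a client context that accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def strict_context() -> ssl.SSLContext:
    """The fix: system trust store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the validation weaknesses found in a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2,
                                   ssl.TLSVersion.TLSv1_3):
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("strict", strict_context())):
        problems = audit_context(ctx)
        print(name, "->", problems if problems else "no findings")
```

With the weak context, traffic is still encrypted, but the client cannot tell the real server from an intermediary presenting its own certificate, which is the monitoring risk described in item 5.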
Mobile Device Security Guidelines and Tips
Here is a list of mobile security guidelines and tips that you can follow to secure your mobile device:
- Users should always have a screen lock for the device so that if it is stolen, the data doesn’t become easily available. The use of a strong password is recommended.
- Like desktop devices, mobile devices should also use antivirus and antimalware tools to minimise viruses, spam, trojans, and other scams.
- Use encryption techniques on mobile devices because these devices can be configured to steal conversations over emails, messages, etc.
- If a device is stolen, report it at the earliest. There are services that allow users to deactivate their lost devices, which helps in preventing data theft. Use such services to minimize exposure.
- If there are unused apps on the device, either uninstall or disable them. That way, there is no need to keep those apps updated and secure.
- Keep a backup of your data so that if the device is lost or damaged, the data is still there.
- When OS updates are available, don’t ignore them. Updates are meant to mitigate security bugs and keep the device secure.
- Avoid downloading apps from third-party sites because such apps can cause harm to the device by installing malware.
Top Mobile Security Threats and Attacks
Following are some of the most common mobile platform attack vectors that you must know for mobile security:
1. Malware
Modification of the operating system (OS), viruses, rootkits, and changes made to the application.
2. Data Exfiltration
Stealing the data, printing the screens, deleting data backups, and copying data to USB.
3. Data Tampering
Compromising the data, modifying data using apps, tampering without being detected, and hacking jail-broken devices.
4. Data Loss
Accessing the device in an unauthorised way, exploiting app vulnerabilities, and device loss.
How Do Hackers Hack Your Mobile Phone?
There are numerous types of mobile device attacks. We have highlighted some techniques used by hackers to attack your device.
1. Call, SMS, Email Bombing
The bombing of phone calls, SMS, and emails is a form of abuse that involves sending massive numbers of SMS and emails, and placing large numbers of calls, to users. The effect is similar to a denial-of-service attack.
For example, there are tools like BOTP that allow people to do call and SMS bombing against targeted phone numbers. It doesn’t require the phone number of the sender, only the recipient’s.
2. Using Keylogger App
Keylogger or spy software is an app or program that can track and record every key pressed by the user on the device's keyboard. For example, if someone is visiting a website and enters his credentials there, the keylogger will track the site URL, as well as the username and password typed there.
It only takes a few minutes to install a keylogger app on a device, and it can then reveal all the keystrokes. Hackers use spy software to get important account credentials of users and then steal data and financial assets.
There are several keylogger apps available in the market. For example, a hacker might use the Realtime-Spy app. Once the hacker has obtained the app, they set it up and install it on the target device.
Once installed, the app or program will operate in the background without any trace of it. All the keystrokes will be captured and sent to the app’s server, where the hacker can see the data.
3. Gathering Information from Google Account
Almost everybody uses a Google Account today on their devices. This account stores a lot of personal information about the user, including the name, YouTube channel, active Google services, location history, saved passwords, contact lists, and much more.
If a Google Account is compromised, the hackers can use this information for malicious purposes, reveal photos publicly, etc.
Here is exactly what information can be gathered from a Google Account:
Google Dashboard
Open the Google Dashboard. It shows the summary of services used by the Google Account owner and the data saved on the account.
The confidential data that can be accessed from here includes YouTube (channel and subscriptions), Gmail (Inbox, sent items, and more), Google Maps (timeline, location history, etc.), Google Drive (Photos, documents, and everything), Books, and Chrome (bookmarks, extensions, history).
The hackers can also check the contact list synced with the Google Account and all the passwords saved in Chrome.
Google Password Manager
From Password Manager, the hacker can view all the passwords saved in the Google Account and change or remove them. These passwords can allow them to access social media accounts, websites, and several other important accounts.
Find My Device
Google’s Find My Device is a service meant to find the device if it is stolen or lost. From here, the location of the device can be checked, the data can be erased, and a sound can be played (to find out if the phone is nearby).