Aug 20

Most employees connect their personal cell phone to company networks. Here's what businesses need to know about mobile application security.

Author: Esraa Alshammari

When talking about smartphones, the first idea that comes to mind is their features (the long-lasting battery, processing speed, great camera, plenty of storage space, fingerprint sensor, and so on). Unfortunately, many people don't realize that these devices can be hacked and that their phone can disclose their sensitive information.

Most mobile phone users don't recognize the real risk of storing all their information inside these pocket devices. Both built-in applications and third-party apps downloaded from the iTunes or Google stores contain weaknesses that make them attractive targets for attackers. Cyber criminals see smartphones as a gorgeous plate of gold, full of valuable information that they can use to steal money, bank account information, credit card numbers, etc.

The vulnerability of mobile phones

The rapid growth of mobile application usage is a nightmare for everyone concerned with the security of mobile operating systems (iOS and/or Android), as well as with the robustness of their applications, especially those that hold sensitive and valuable information, such as financial apps.

In the context of mobile operating systems and platforms, four common types are used around the world, and an attacker must possess detailed knowledge of the targeted system to deal with it. These systems are:

iOS: an operating system from Apple Inc., designed primarily for the iPhone and later extended to the iPod, iPad, Apple Watch, and Apple TV. Lately, Apple has developed a separate OS for each of these three devices: iPad, Apple Watch, and Apple TV.

Android OS: an operating system for smartphones and tablets, built on the Linux kernel. It is free and open source, released as the Android Open Source Project (AOSP) under the Apache License.

Blackberry OS: an operating system developed by Research in Motion (RIM), a Canadian company, specifically for its line of BlackBerry smartphones, which are optimized for email and collaboration.

Windows Phone: an operating system for smartphones and tablets, developed by Microsoft in late 2010.

Deconstructing mobile application attacks

In order to steal information or exploit a particular system, criminals typically follow a simple method:

  1. Learn about application and mobile vulnerabilities
  2. Understand the targeted system and its features
  3. Prepare the environment (for testing and attacking)
  4. Perform the attack, inject malicious code, or deliver the payload
  5. Move laterally
  6. Finally, attempt to clear all the evidence

On the other hand, users need to protect their device carefully by applying these common security measures:

  1. Use a strong password, fingerprint, and/or strong pattern
  2. Employ multi-factor authentication
  3. Back up phone data at regular intervals (monthly, yearly, etc.)
  4. Update the operating system continuously
  5. Avoid jailbreaking or rooting
  6. Be wary of social engineering attacks
  7. Avoid third-party applications
  8. Set up a remote wipe after a number of failed unlock attempts
  9. Don't pair the smartphone with untrusted PCs, other smartphones, or untrusted networks

If an attacker targets a specific victim who holds an iPhone, for example, then the attacker needs to understand the basic architecture of iOS, its built-in applications (Tips, Notes, and so on), and any application that can be installed from the App Store on the iPhone, in order to find a vulnerability that serves their objectives.

Recent mobile application attacks

On the topic of Apple attacks, the latest breach occurred in 2019, when the company confirmed that its built-in iPhone FaceTime application could be exploited to let attackers eavesdrop on conversations on iOS 12.1 or later. The exploit worked when X called Y using FaceTime: X could listen to Y's audio before Y picked up the call. Moreover, the caller could turn the call into a group conversation and call more than one person, which means that the caller could eavesdrop on many recipients. The caller could also place a video call, which might open the front camera on the recipient's device. Apple admitted the bug and decided to kill the feature, saying there was no workable solution its engineers could devise.

Samsung had a similar vulnerability in a built-in application, this time reachable through MMS. The vulnerability was discovered by Mateusz Jurczyk, a member of Google's Project Zero bug-hunting team, who reported that it affected Samsung devices sold since 2014. The flaw lay in Skia, the Android graphics library that on Samsung devices handles the Qmage image format (.qmg files). The attack worked by guessing where Skia was loaded in the phone's memory, thereby bypassing Android's Address Space Layout Randomization (ASLR) protection. In May 2020, Samsung fixed the vulnerability by releasing patches for all its smartphones.
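Guessing a library's load address under ASLR is noisy: every wrong guess crashes the process that parses the malicious image, so a burst of crashes from one messaging package is the defender's signal. The script below is an added illustration, not code from the original post: it parses Android logcat "Fatal signal" lines and flags any package that crashes at least `threshold` times inside a sliding time window. The log lines, package names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Android crash-handler lines in logcat "threadtime" format look like:
#   MM-DD HH:MM:SS.mmm  PID  TID F DEBUG : Fatal signal 11 (SIGSEGV), ... pid N (package)
CRASH_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+F\s+DEBUG\s*:\s*"
    r"Fatal signal (?P<sig>\d+) \(SIG\w+\).*?pid \d+ \((?P<proc>[\w.]+)\)"
)

# Constructed sample log (not real device output): five crashes of one messaging
# app within eight minutes, one unrelated crash, and one non-crash line.
SAMPLE_LOG = [
    "05-12 10:00:01.100  4120  4120 F DEBUG   : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7f3a1c0000 in tid 4120 (messaging), pid 4120 (com.example.messaging)",
    "05-12 10:00:02.000  1001  1001 I ActivityManager: Start proc 4188:com.example.messaging/u0a123 for broadcast",
    "05-12 10:01:30.250  4188  4188 F DEBUG   : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7f3a2e0000 in tid 4188 (messaging), pid 4188 (com.example.messaging)",
    "05-12 10:03:05.700  4251  4251 F DEBUG   : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7f3a400000 in tid 4251 (messaging), pid 4251 (com.example.messaging)",
    "05-12 10:05:40.020  4310  4310 F DEBUG   : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7f3a520000 in tid 4310 (messaging), pid 4310 (com.example.messaging)",
    "05-12 10:07:55.410  4377  4377 F DEBUG   : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7f3a640000 in tid 4377 (messaging), pid 4377 (com.example.messaging)",
    "05-12 11:30:00.000  5902  5902 F DEBUG   : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 5902 (gallery), pid 5902 (com.example.gallery)",
]

def parse_crashes(lines, year=2020):
    """Yield (timestamp, package, signal) for each fatal-signal line; other lines are skipped."""
    for line in lines:
        m = CRASH_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year}-{m['ts']}", "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["proc"], int(m["sig"])

def crash_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {package: max crashes inside any `window`} for packages reaching `threshold`."""
    times_by_proc = defaultdict(list)
    for ts, proc, _sig in parse_crashes(lines):
        times_by_proc[proc].append(ts)
    flagged = {}
    for proc, times in times_by_proc.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted crash times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[proc] = best
    return flagged

if __name__ == "__main__":
    print(crash_bursts(SAMPLE_LOG))  # {'com.example.messaging': 5}
```

On a real device the same lines come from `adb logcat -v threadtime` or a bug report; the threshold and window should be tuned to the normal crash rate of the app being watched.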

These are simple examples of vulnerabilities within built-in iOS applications. Hundreds of thousands of mobile applications are available on smartphones, and any of them could contain vulnerabilities that inventive attackers can reach. Thus, security is a must to protect our privacy, sensitive information, and the virtual social life that lives on our smartphones and iOS systems.

About Esraa Alshammari

Esraa Alshammari currently works as a cybersecurity researcher and holds an MSc in Cybersecurity and Digital Criminology. Esraa used to work as a penetration tester, and her research interests are in the fields of Digital Forensics, Threat Hunting, and Offensive Security.
