Monday, September 28, 2015

What Are Mobile Security Threats? Tips for testing your mobile app security


Mobile Security Threats – Overview - Part 1

The movement of critical applications to mobile is faster than expected. eMarketer expects mobile to overtake desktop in the US, rising from $8.72 billion to $12.85 billion, just above desktop's $12.82 billion. At the same time, there will be 156.4 million mobile phone search users in the US, 49.0% of the population. As of February 2015, 78% of Facebook users are mobile-only; 84% of 13-17 year olds own a mobile phone, and 83% of 6-9 year olds use a tablet. Mobile device makers are providing customized platforms to increase their share of the customer's wallet. 78% of smartphone users and 44% of tablet users have accessed a retail site via a mobile app: these users want on-the-go, targeted information with the minimal data use that a mobile app provides.

Mobile Applications

Three types of application run on a mobile device. Native applications are written for a specific platform and run only on the devices that platform supports, for example an iOS app on an iPhone. Most common are web applications, built on standards such as HTML5 and served online, which any mobile device with a browser can access. The third is the hybrid application: a web-based user interface wrapped in a thin native layer, combining the best of the native and HTML5 worlds.

Mobile Security

Mobile Security – Five vulnerable areas

As the horizon widens, the scope for security threats to mobile applications also increases substantially. The security risk for mobile applications comes in the following five ways.
  1. Access control: how does access to the system work, where are users challenged, and can user IDs and passwords be captured on the device?
  2. Input validation: how is the data that reaches the mobile application validated?
  3. Audit trail: how is the flow of data to and from the mobile application tracked?
  4. Data at rest: how safe is the data stored on the device, and is every piece of critical data encrypted?
  5. Data leakage: is data leaking into log files or out through notifications?
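Areas 4 and 5 are the easiest to test directly: pull the app's log output and its on-device storage and look for secrets in the clear. The script below is an added example for this post, not tooling from the original article. It assumes an Android app (logcat output and a SharedPreferences XML file pulled from /data/data/<package>/shared_prefs/); the log lines and the preferences file are constructed samples, not real captures, and the regular expressions are deliberately simple heuristics a tester would extend for the app under test. The Luhn check is what keeps a 16-digit order id from being reported as a card number.

```python
"""Scan logcat output and an Android SharedPreferences file for leaked secrets.

Added example (not code from the original post). Inputs below are constructed,
not captured from a real device.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of `adb logcat` output from a hypothetical app.
SAMPLE_LOGCAT = """\
I/LoginActivity( 1234): user=alice password=Sup3rSecret!
D/PaymentFlow( 1234): charging card 4111111111111111 exp 12/27
D/PaymentFlow( 1234): order id 1234567890123456 created
I/AuthClient( 1234): Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
V/NetworkClient( 1234): GET /api/v1/catalog 200 OK
"""

# Constructed sample of a shared_prefs XML pulled from /data/data/<package>/shared_prefs/.
SAMPLE_PREFS = """\
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Sup3rSecret!</string>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>
    <int name="launch_count" value="3" />
</map>
"""

PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|pin)\s*[=:]\s*(\S+)")
BEARER_RE = re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]+)")
DIGIT_RUN_RE = re.compile(r"\b\d{13,19}\b")
# Preference keys whose plaintext presence on disk is a finding (area 4: data at rest).
SENSITIVE_KEY_RE = re.compile(r"(?i)pass|pwd|pin|secret|token|auth|card|key")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Redact a secret so the scanner's own report does not leak it again."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_logcat(text: str) -> List[Dict[str, str]]:
    """Area 5: passwords, card numbers and bearer tokens written to the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        src = f"logcat:{lineno}"
        for m in PASSWORD_RE.finditer(line):
            findings.append({"source": src, "kind": "password", "evidence": mask(m.group(1))})
        for m in DIGIT_RUN_RE.finditer(line):
            if luhn_valid(m.group(0)):  # drop digit runs that are not card numbers
                findings.append({"source": src, "kind": "pan", "evidence": mask(m.group(0))})
        for m in BEARER_RE.finditer(line):
            findings.append({"source": src, "kind": "bearer_token", "evidence": mask(m.group(1))})
    return findings


def scan_shared_prefs(xml_text: str) -> List[Dict[str, str]]:
    """Area 4: sensitive-looking keys stored as plaintext in SharedPreferences."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        value = elem.text if elem.text is not None else elem.get("value", "")
        if value and SENSITIVE_KEY_RE.search(name):
            findings.append({"source": f"shared_prefs:{name}", "kind": "plaintext_secret",
                             "evidence": mask(value.strip())})
    return findings


def scan_all(logcat: str = SAMPLE_LOGCAT, prefs: str = SAMPLE_PREFS) -> List[Dict[str, str]]:
    """Run both scans over the (constructed) samples and return the combined findings."""
    return scan_logcat(logcat) + scan_shared_prefs(prefs)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']:<26} {f['kind']:<17} {f['evidence']}")
```

On the samples this reports five findings: a password and a bearer token in the log, one card number (the order id on the next line fails Luhn and is skipped), and two plaintext values in the preferences file. The key-name heuristic cannot tell an encrypted blob from a secret stored in the clear, so a value flagged under a sensitive key still needs a manual look; the point of the test is that such values should not be readable at all without the platform keystore.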

Five Major Mobile Security Threats:

The following are the five major threat areas which impact mobile security.
  • First, data on the device such as phone numbers, call logs, contacts, account details and the IMEI can be read without the owner's knowledge, often through vulnerabilities in the applications installed on the device.
  • Second, threats that cause direct financial loss: sending premium SMS messages, stealing the PINs used to authorize transactions, placing expensive calls, fake anti-virus and ransomware.
  • Third, impersonation, by redirecting SMS, sending email messages and posting to social media such as Facebook and Twitter from the victim's accounts.
  • Fourth, surveillance: access to the microphone, camera, call logs, location and SMS messages on the device.
  • Lastly, botnet activity: launching DDoS attacks, click fraud and sending premium SMS messages from the device.

Mobile Security Threat Modelling:

Before proceeding to the vulnerabilities in mobile apps and to threat modelling, we should categorize the applications present on the device, including those pre-installed by the manufacturer. The developers of these applications should have considered the OWASP Top 10 and addressed each item. For example, against SQL injection the code should use the interpreter in a way that clearly separates untrusted data from the command or query, i.e. bound parameters rather than string concatenation.
Before identifying threats, the factors that expose mobile applications should be considered and given appropriate weight: location independence, the always-online and traceable nature of the device, more focus on design and functionality than on security, and multiple types of applications on one device.
Threat modelling should cover both device security and app security: jailbreak or root status, different platforms, versions and interfaces, Mobile Device Management and so on. It should also consider exposure to different attackers: internal and external, with network or physical device access, and with black-box versus white-box knowledge of the app.
Having identified the threats, a risk rating should be attached to each and the risks prioritized. Test cases should then be written for all relevant combinations of these identified risks.
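The SQL injection point above is easy to turn into a concrete test case, because native and hybrid apps commonly keep a local SQLite store. The example below is added here and is not code from the original post: the accounts table and its rows are constructed, and the two lookup functions stand in for the query code an app would have (on Android the equivalent is rawQuery with string concatenation versus a `?` selection argument; on iOS, sqlite3_bind_text versus a formatted query string). The last function is the kind of test a mobile security tester would write once this risk is on the prioritized list.

```python
"""SQL injection against an app's local SQLite store: vulnerable vs parameterized.

Added example (not code from the original post). The table and rows are
constructed to mimic an on-device cache of account data.
"""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str, float]


def make_db() -> sqlite3.Connection:
    """Constructed on-device table: one account row per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "1001", 250.0), ("bob", "1002", 75.5), ("carol", "1003", 9800.0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Untrusted input spliced into the query text: the interpreter cannot tell data from command."""
    sql = "SELECT username, account_no, balance FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Bound parameter: the value travels separately and can never change the query structure."""
    sql = "SELECT username, account_no, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Probes a tester would send through the login / account-lookup input field.
PAYLOADS = [
    "x' OR '1'='1",
    "x' UNION SELECT username, account_no, balance FROM accounts --",
]


def injection_test_passes(lookup: Callable[[sqlite3.Connection, str], List[Row]]) -> bool:
    """Test case: no probe may return rows belonging to another user."""
    conn = make_db()
    return all(lookup(conn, payload) == [] for payload in PAYLOADS)


def demo() -> dict:
    """Row counts for the first probe against both implementations, plus a legitimate lookup."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOADS[0])),
        "safe_rows": len(lookup_safe(conn, PAYLOADS[0])),
        "legit_rows": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
    print("vulnerable passes test:", injection_test_passes(lookup_vulnerable))
    print("safe passes test:      ", injection_test_passes(lookup_safe))
```

With the first probe the concatenated query becomes `WHERE username = 'x' OR '1'='1'` and returns every account; the bound-parameter version looks for a user literally named `x' OR '1'='1` and returns nothing, while still finding alice when asked for alice. The second probe shows why a blacklist of quote characters is not a fix: the `--` comments out the trailing quote and the UNION pulls the whole table.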

Mobile Security Tools/Testing Tools:

There are many commercial tools that protect a phone: anti-theft, antivirus, backup, blocking unwanted calls, parental controls, web-root analyses, SIM card locking. These tools are available to end users to protect their devices.
The mobile security testing tools area is still emerging; few tools comprehensively address all of the threats above, although the tools that identify vulnerabilities in applications are quite good. The mobile security tester should find the appropriate tools to identify vulnerabilities and write comprehensive test cases to address them on the devices and in the applications.

It's Your Turn:

What do you think? How do you protect your mobile device with 360-degree security? Share your insights in the comments box below. The next part is coming soon. ~~ Keep Following ~~