Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Protecting Your Mobile Data: Advice from an Ethical Hacker

Face it: Your employees love their mobile applications. The average person uses 11 apps on their smartphones daily.

This lifestyle is the new normal, and most of your users download apps without a second thought. But they may want to give pause the next time they're installing one, as they could be leaving sensitive information open to malicious hackers.

In 2016, a staggering 90 billion apps were downloaded globally, allowing us to share files, network with peers, host meetings, manage our finances, pay bills, shop for clothes, get the latest news, track our fitness, order dinner, hail a car service - you get the idea, the list goes on. Apps are transforming how we interact and manage our lives both at home and in the office.

But they're also providing fresh opportunities for cybercriminals.

I'm continually surprised by the number of people who believe the apps they download are secure from a data protection and privacy perspective.

A good starting point is awareness. Here are a few mobile app security tips to help educate your employees about the risks to which they may exposing themselves and the company.



A warning bell should go off if a newly installed application, when launched, asks for access to your contacts list, location or permission to send SMS messages.

For instance, if you were installing a simple calculator app, why would it need access to your list of contacts?


I once performed a test of an app that would be used at an art installation. It allowed you to take photos of the QR codes next to the exhibits to learn more information. But the app required a curious array of permissions, such as reading SMS messages. Unsurprisingly, the app received poor reviews from users questioning the need for those permissions.

Like those users, you need to think about the type of permissions the app is requesting and you are granting. Sure, it's easy to zone out and just click "Yes" to everything, but don't let complacency and impatience put you at risk.


Data Storage

Almost all mobile apps will store data or files on your smartphone. This information can range from benign cached advertisements to highly sensitive data, such as your bank balance and credit card details. The more data that's stored locally on your smartphone, the more vulnerable it is.

Apps don't require permissions to store data, and there are several ways they can do it. If the app's code is flawed, it may store the sensitive data in such a way that it can also be read by another app on your device.

If you're an advanced user, it's possible to manually inspect your smartphone to see what data is being stored. But for most users, it's a matter of trusting that the app developer is using secure, encrypted data storage.

While not a magic bullet, one step you can take to lessen your risk is by only downloading apps from trusted sources, like a reputable app store.


Data Transmission

Almost all apps - even offline games - communicate with a remote service or system. This may be to send and retrieve data, to log activity, or to allow it to communicate with other apps, such as messenger programs.

If sensitive data is not encrypted when it's transmitted, a man-in-the-middle attacker could intercept it, and record or modify it. Cybercriminals are increasingly setting up fake Wi-Fi hot spots to steal all sorts of information, including login credentials, confidential data and confidential documents. And even if the data transmission is encrypted, a skilled attacker can break weak cryptography.

Apps also could also be leaking your personal information to third parties. This is usually demographic data, such as age and gender, but it could also include your current location and other, more sensitive information. Leakage is generally by design, not accident.

The best defense against having your sensitive data intercepted is to only connect via trusted networks, such as your mobile carrier's 3G or 4G network, or your home Wi-Fi. Free public hotspots can easily be set up by attackers to gain access to your data.


Outdated Apps

If you're running an older version of an app, you're running a security risk. Hackers may have discovered and could be now exploiting vulnerabilities in the app that have been fixed in the latest version.

Keeping apps updated is simple, as reputable app stores offer automatic updates for users.

For iPhone users, go to your 'Settings,' then scroll down and select iTunes and App Store. You can then activate automatic downloads for Apps, Music, Books and Updates.

For Android users, open the Google Play Store app, tap the 'Menu' icon, choose 'Settings', and tap 'Auto-update apps.'


Application Provenance and Integrity

Just because an app is available via a trusted app store doesn't guarantee it is secure or malware-free. The approval processes are not infallible, and still both Apple and Google must deal with a deluge of fake or unsafe apps that poorly skilled developers or malicious hackers manage to slip by them. For example, Google recently removed apps that were downloaded millions of times by users, but contained malware that was able to sneak past built-in protection.

To help protect yourself, you should read reviews of apps. If the reviews grade the app poorly - or there are few to no reviews - ask yourself whether you should be using that app.

Meanwhile, third-party app stores are especially dicey. You could be getting a legitimate app or a malware-ridden app.

Again, download apps only from trusted sources. While you can trust your bank to supply a secure online banking app, perhaps not the game app developed by an unknown company asking for permission to track your position using your device's GPS.



Users have embraced mobile apps and usage is entrenched in our day-to-day lives. But there is a lot more work to do in improving the security of mobile apps as well as the mobile devices that run them. Hopefully, highlighting some of the issues will help increase your awareness and lessen your risk.

David Jorm is the Trustwave SpiderLabs APAC practice lead.

Latest Trustwave Blogs

Trustwave Webinar: Getting Started with Microsoft Copilot for Security

As a Microsoft security partner, Trustwave has committed itself to helping clients get the most out of their Microsoft E5 license, including properly setting up one of E5's primary features -...

Read More

Think Pink

There are some people who say, "I already conduct red team exercises, why would I need something different that is nothing more than a watered-down red team?"

Read More

Unlock Zero Trust: Why Database Security is the Missing Piece

As organizations consider their journey to establishing a strong Zero Trust culture, they must adopt a data-centric approach, and this begins with ensuring database security.

Read More