Protecting Your Mobile Data: Advice from an Ethical Hacker

Face it: Your employees love their mobile applications. The average person uses 11 apps on their smartphones daily.

This lifestyle is the new normal, and most of your users download apps without a second thought. But they may want to give pause the next time they're installing one, as they could be leaving sensitive information open to malicious hackers.

In 2016, a staggering 90 billion apps were downloaded globally, allowing us to share files, network with peers, host meetings, manage our finances, pay bills, shop for clothes, get the latest news, track our fitness, order dinner, hail a car service - you get the idea, the list goes on. Apps are transforming how we interact and manage our lives both at home and in the office.

But they're also providing fresh opportunities for cybercriminals.

I'm continually surprised by the number of people who believe the apps they download are secure from a data protection and privacy perspective.

A good starting point is awareness. Here are a few mobile app security tips to help educate your employees about the risks to which they may be exposing themselves and the company.

Permissions

A warning bell should go off if a newly installed application, when launched, asks for access to your contacts list, location or permission to send SMS messages.

For instance, if you were installing a simple calculator app, why would it need access to your list of contacts?


I once performed a test of an app that would be used at an art installation. It allowed you to take photos of the QR codes next to the exhibits to learn more information. But the app required a curious array of permissions, such as reading SMS messages. Unsurprisingly, the app received poor reviews from users questioning the need for those permissions.

Like those users, you need to think about the type of permissions the app is requesting and you are granting. Sure, it's easy to zone out and just click "Yes" to everything, but don't let complacency and impatience put you at risk.
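The calculator example above is easy to check for before an app ever reaches users' phones: an Android app must declare every permission it wants in its manifest. The following script is an added example, not code from the original post or from Trustwave; it parses a constructed AndroidManifest.xml for a hypothetical calculator app and flags the contacts, location and SMS permissions that a calculator has no business requesting. The permission names are real Android identifiers; the "sensitive" grouping and the `expected_categories` parameter are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the kind of data they unlock.
# The grouping is an assumption of this example, chosen to mirror the
# article's examples: contacts, location and SMS.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
}

# Constructed sample manifest for a hypothetical calculator app that asks
# for far more than a calculator needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Calculator" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.findall("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def audit_permissions(manifest_xml, expected_categories=frozenset()):
    """Flag sensitive permissions outside the categories the app's purpose justifies.

    Returns a sorted list of (permission, category) tuples. For a calculator
    no category is expected; a messaging app would pass {"contacts", "sms"}.
    """
    flagged = []
    for perm in declared_permissions(manifest_xml):
        category = SENSITIVE_PERMISSIONS.get(perm)
        if category and category not in expected_categories:
            flagged.append((perm, category))
    return sorted(flagged)


if __name__ == "__main__":
    for perm, category in audit_permissions(SAMPLE_MANIFEST):
        print(f"unexpected {category} permission: {perm}")
```

Run against a real project, the manifest is read from disk instead of the embedded sample; the list of flagged permissions is a good starting point for the "why does it need this?" question before submitting the app to a store, where reviewers will ask the same thing.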


Data Storage

Almost all mobile apps will store data or files on your smartphone. This information can range from benign cached advertisements to highly sensitive data, such as your bank balance and credit card details. The more data that's stored locally on your smartphone, the more vulnerable it is.

Apps don't require permissions to store data, and there are several ways they can do it. If the app's code is flawed, it may store the sensitive data in such a way that it can also be read by another app on your device.

If you're an advanced user, it's possible to manually inspect your smartphone to see what data is being stored. But for most users, it's a matter of trusting that the app developer is using secure, encrypted data storage.

While not a magic bullet, one step you can take to lessen your risk is by only downloading apps from trusted sources, like a reputable app store.
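The "advanced user" inspection mentioned above comes down to looking at the file modes in an app's private data directory: a file that another app on the same device can read is one whose "other" permission bits are set. The script below is an added example, not part of the original post or Trustwave's tooling. It parses a constructed `ls -l` listing of a hypothetical app's `shared_prefs` directory (on a debuggable test build such a listing is obtained with `adb shell run-as <package> ls -l <dir>`; the package and file names here are made up) and reports the entries whose mode grants read or write access to everyone.

```python
import re

# Constructed `ls -l` output for a hypothetical app's private preferences
# directory. The file names, owner and timestamps are invented for this example.
SAMPLE_LISTING = """\
-rw-rw---- 1 u0_a123 u0_a123  412 2017-05-01 10:00 settings.xml
-rw-rw-rw- 1 u0_a123 u0_a123 1024 2017-05-01 10:00 session_token.xml
-rw-r--r-- 1 u0_a123 u0_a123  128 2017-05-01 10:00 cache_ads.xml
drwxrwxrwx 2 u0_a123 u0_a123 4096 2017-05-01 10:00 exports
"""

# type, 9 mode chars, link count, owner, group, size, date, time, name
LS_LINE = re.compile(
    r"^([-dl])([rwx-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(.+)$"
)


def parse_listing(text):
    """Turn `ls -l` lines into dicts with name, is_dir and the 9-char mode."""
    entries = []
    for line in text.splitlines():
        match = LS_LINE.match(line)
        if not match:
            continue  # skip 'total N' lines and anything unparseable
        kind, mode, name = match.groups()
        entries.append({"name": name, "is_dir": kind == "d", "mode": mode})
    return entries


def world_accessible(entries):
    """Return (name, other_bits) for entries readable or writable by any app.

    The last three mode characters are the 'other' bits; any 'r' or 'w'
    there means a different UID (i.e. a different app) can get at the file.
    """
    findings = []
    for entry in entries:
        other = entry["mode"][6:9]
        if "r" in other or "w" in other:
            findings.append((entry["name"], other))
    return findings


if __name__ == "__main__":
    for name, other in world_accessible(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: world bits are '{other}'")
```

In the sample, `settings.xml` is private to the app's own user, while the session token, the cached advertisements and the `exports` directory are all exposed. A caveat for current devices: since Android 7.0 the platform refuses the world-readable and world-writable file modes outright, so this check mainly matters for older devices and for files an app writes to shared external storage, which is readable by any app regardless of mode bits.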


Data Transmission

Almost all apps - even offline games - communicate with a remote service or system. This may be to send and retrieve data, to log activity, or to allow it to communicate with other apps, such as messenger programs.

If sensitive data is not encrypted when it's transmitted, a man-in-the-middle attacker could intercept it, and record or modify it. Cybercriminals are increasingly setting up fake Wi-Fi hot spots to steal all sorts of information, including login credentials, confidential data and confidential documents. And even if the data transmission is encrypted, a skilled attacker can break weak cryptography.

Apps could also be leaking your personal information to third parties. This is usually demographic data, such as age and gender, but it could also include your current location and other, more sensitive information. Leakage is generally by design, not accident.

The best defense against having your sensitive data intercepted is to only connect via trusted networks, such as your mobile carrier's 3G or 4G network, or your home Wi-Fi. Free public hotspots can easily be set up by attackers to gain access to your data.


Outdated Apps

If you're running an older version of an app, you're running a security risk. Hackers may have discovered, and could now be exploiting, vulnerabilities in the app that have been fixed in the latest version.

Keeping apps updated is simple, as reputable app stores offer automatic updates for users.

For iPhone users, go to your 'Settings,' then scroll down and select iTunes and App Store. You can then activate automatic downloads for Apps, Music, Books and Updates.

For Android users, open the Google Play Store app, tap the 'Menu' icon, choose 'Settings', and tap 'Auto-update apps.'


Application Provenance and Integrity

Just because an app is available via a trusted app store doesn't guarantee it is secure or malware-free. The approval processes are not infallible, and both Apple and Google must still deal with a deluge of fake or unsafe apps that poorly skilled developers or malicious hackers manage to slip past them. For example, Google recently removed apps that had been downloaded millions of times by users but contained malware that was able to sneak past built-in protection.

To help protect yourself, you should read reviews of apps. If the reviews grade the app poorly - or there are few to no reviews - ask yourself whether you should be using that app.

Meanwhile, third-party app stores are especially dicey. You could be getting a legitimate app or a malware-ridden app.

Again, download apps only from trusted sources. While you can trust your bank to supply a secure online banking app, the same may not be true of a game app developed by an unknown company that asks for permission to track your position using your device's GPS.



Users have embraced mobile apps and usage is entrenched in our day-to-day lives. But there is a lot more work to do in improving the security of mobile apps as well as the mobile devices that run them. Hopefully, highlighting some of the issues will help increase your awareness and lessen your risk.

David Jorm is the Trustwave SpiderLabs APAC practice lead.
