Protecting Your Mobile Data: Advice from an Ethical Hacker
Face it: Your employees love their mobile applications. The average person uses 11 apps on their smartphones daily.
This lifestyle is the new normal, and most of your users download apps without a second thought. But they may want to pause the next time they're installing one, as they could be leaving sensitive information open to malicious hackers.
In 2016, a staggering 90 billion apps were downloaded globally, allowing us to share files, network with peers, host meetings, manage our finances, pay bills, shop for clothes, get the latest news, track our fitness, order dinner, hail a car service - you get the idea, the list goes on. Apps are transforming how we interact and manage our lives both at home and in the office.
But they're also providing fresh opportunities for cybercriminals.
I'm continually surprised by the number of people who believe the apps they download are secure from a data protection and privacy perspective.
A good starting point is awareness. Here are a few mobile app security tips to help educate your employees about the risks to which they may be exposing themselves and the company.
A warning bell should go off if a newly installed application, when launched, asks for access to your contacts list, location or permission to send SMS messages.
For instance, if you were installing a simple calculator app, why would it need access to your list of contacts?
I once performed a test of an app that would be used at an art installation. It allowed you to take photos of the QR codes next to the exhibits to learn more information. But the app required a curious array of permissions, such as reading SMS messages. Unsurprisingly, the app received poor reviews from users questioning the need for those permissions.
Like those users, you need to think about the type of permissions the app is requesting and you are granting. Sure, it's easy to zone out and just click "Yes" to everything, but don't let complacency and impatience put you at risk.
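The permission check described above can be done systematically from the app's manifest. The script below is an added example, not code from the original post: it parses a constructed AndroidManifest.xml modelled on the exhibit-guide app, compares the permissions requested against a constructed allow-list of what that kind of app plausibly needs, and reports the sensitive ones that are not justified. The permission names are real Android identifiers; the purpose categories and their allow-lists are assumptions for illustration.

```python
"""Flag sensitive Android permissions an app requests beyond what its
stated purpose needs. Added example; the manifest and the purpose
allow-lists below are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names that expose personal data or costly
# actions (a subset of the platform's "dangerous" permissions).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
}

# Constructed allow-lists: what each kind of app plausibly needs.
# A calculator needs nothing sensitive; a QR exhibit guide needs the camera.
EXPECTED_BY_PURPOSE = {
    "calculator": set(),
    "qr_exhibit_guide": {"android.permission.CAMERA"},
}

# Constructed manifest modelled on the exhibit-guide app in the text.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.exhibitguide">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def excess_sensitive_permissions(manifest_xml, purpose):
    """Sensitive permissions requested that the app's purpose does not justify.

    Unknown purposes get an empty allow-list, so every sensitive
    permission is reported for them.
    """
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED_BY_PURPOSE.get(purpose, set())
    return sorted((requested & SENSITIVE_PERMISSIONS) - expected)


if __name__ == "__main__":
    for perm in excess_sensitive_permissions(SAMPLE_MANIFEST, "qr_exhibit_guide"):
        print("unjustified sensitive permission:", perm)
```

For the constructed manifest the exhibit guide is cleared for the camera but flagged for contacts, SMS and fine location, which matches the complaint the reviewers raised; the same manifest audited as a calculator would additionally flag the camera.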
Almost all mobile apps will store data or files on your smartphone. This information can range from benign cached advertisements to highly sensitive data, such as your bank balance and credit card details. The more data that's stored locally on your smartphone, the more vulnerable it is.
Apps don't require permissions to store data, and there are several ways they can do it. If the app's code is flawed, it may store the sensitive data in such a way that it can also be read by another app on your device.
If you're an advanced user, it's possible to manually inspect your smartphone to see what data is being stored. But for most users, it's a matter of trusting that the app developer is using secure, encrypted data storage.
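The inspection mentioned above can be scripted for the specific flaw the previous paragraph describes: data written so that another app can read it. On Android each app runs as its own Unix user with private files under /data/data/<package>/, so a file left world-readable there is readable by every other app (the platform's MODE_WORLD_READABLE file mode, now deprecated, produced exactly such files). The script below is an added example, not code from the original post; it builds a constructed stand-in for an app's data directory under a temporary path, with one properly private file and one world-readable file, and reports which files are exposed. The package name and file contents are constructed.

```python
"""Report files under an app's local data directory that other local
users (on Android: other apps) can read. Added example; the sample
directory is constructed under a temp path so the check runs anywhere."""
import os
import stat
import tempfile


def world_readable_files(data_dir):
    """Return paths (relative to data_dir) whose mode grants read to 'other'."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(data_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, data_dir))
    return sorted(exposed)


def build_sample_app_dir():
    """Constructed stand-in for /data/data/com.example.bankapp/."""
    root = tempfile.mkdtemp(prefix="com.example.bankapp-")

    # Correct storage: session token readable by the owning app only.
    shared_prefs = os.path.join(root, "shared_prefs")
    os.makedirs(shared_prefs)
    private = os.path.join(shared_prefs, "session.xml")
    with open(private, "w") as fh:
        fh.write('<map><string name="token">constructed-token</string></map>')
    os.chmod(private, stat.S_IRUSR | stat.S_IWUSR)

    # Flawed storage: the app wrote cached account data world-readable.
    cache_dir = os.path.join(root, "cache")
    os.makedirs(cache_dir)
    leaky = os.path.join(cache_dir, "last_balance.json")
    with open(leaky, "w") as fh:
        fh.write('{"balance": "constructed-value"}')
    os.chmod(leaky, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)

    return root


if __name__ == "__main__":
    app_dir = build_sample_app_dir()
    for rel in world_readable_files(app_dir):
        print("world-readable:", rel)
```

Only the cache file is reported; the private preferences file passes. Pointing world_readable_files at a real app's data directory on a device you are authorised to inspect gives the same answer for that app's files.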
While not a magic bullet, one step you can take to lessen your risk is by only downloading apps from trusted sources, like a reputable app store.
Almost all apps - even offline games - communicate with a remote service or system. This may be to send and retrieve data, to log activity, or to allow it to communicate with other apps, such as messenger programs.
If sensitive data is not encrypted when it's transmitted, a man-in-the-middle attacker could intercept it, and record or modify it. Cybercriminals are increasingly setting up fake Wi-Fi hot spots to steal all sorts of information, including login credentials, confidential data and confidential documents. And even if the data transmission is encrypted, a skilled attacker can break weak cryptography.
Apps could also be leaking your personal information to third parties. This is usually demographic data, such as age and gender, but it could also include your current location and other, more sensitive information. Such leakage is generally by design, not by accident.
The best defense against having your sensitive data intercepted is to only connect via trusted networks, such as your mobile carrier's 3G or 4G network, or your home Wi-Fi. Free public hotspots can easily be set up by attackers to gain access to your data.
If you're running an older version of an app, you're running a security risk. Hackers may have discovered, and could now be exploiting, vulnerabilities in the app that have been fixed in the latest version.
Keeping apps updated is simple, as reputable app stores offer automatic updates for users.
For iPhone users, go to 'Settings', then scroll down and select 'iTunes and App Store'. You can then activate automatic downloads for Apps, Music, Books and Updates.
For Android users, open the Google Play Store app, tap the 'Menu' icon, choose 'Settings', and tap 'Auto-update apps.'
Application Provenance and Integrity
Just because an app is available via a trusted app store doesn't guarantee it is secure or malware-free. The approval processes are not infallible, and both Apple and Google must still deal with a deluge of fake or unsafe apps that poorly skilled developers or malicious hackers manage to slip past them. For example, Google recently removed apps that had been downloaded millions of times but contained malware able to sneak past its built-in protection.
To help protect yourself, you should read reviews of apps. If the reviews grade the app poorly - or there are few to no reviews - ask yourself whether you should be using that app.
Meanwhile, third-party app stores are especially dicey. You could be getting a legitimate app or a malware-ridden app.
Again, download apps only from trusted sources. While you can trust your bank to supply a secure online banking app, you should be far more wary of a game app developed by an unknown company that asks for permission to track your position using your device's GPS.
Users have embraced mobile apps and usage is entrenched in our day-to-day lives. But there is a lot more work to do in improving the security of mobile apps as well as the mobile devices that run them. Hopefully, highlighting some of the issues will help increase your awareness and lessen your risk.
David Jorm is the Trustwave SpiderLabs APAC practice lead.