Thursday, March 28, 2024

Be aware Smarties – 40% of iOS and Android apps are Vulnerable to Hack

We all love to download new applications, especially when a game or any other app, like FaceApp, gets the limelight, or when we find our friends using one.

There is nothing wrong with that; load as many apps as your PDA allows. But are all those apps safe and sound, especially when it comes to your mobile security?

Our cellphones are more precious than any diamond in the world, not because they are expensive, but because they hold all our most sensitive data; my cellphone is more of me than my own self.

Be it iPhone or Android, downloading apps has become almost like inviting vulnerabilities in.

Yes, you heard it right! 

The apps we use are at a higher risk of having vulnerabilities than anyone previously thought. Over a third of Android and iOS apps have high-risk vulnerabilities, so there are likely a few apps exposing our data to the outside world.

If it is just my user profile, then it is OK, but if these apps harvest my personal data, then I am sorry, I won't take it easy.

I don't think anybody would be fine with any of their apps sharing their personal data with anyone.

Let’s quickly go through the study conducted.

Latest Vulnerabilities in mobile applications

Before jumping into horror stories, let me share with you some basics about mobile applications.

Last year, more than 205 billion mobile apps were downloaded, and the number will reach 250+ billion by 2022, while 57% of total digital media time is spent on smartphones and tablets.

Can you recall what you’ve scrolled through yesterday in your PDA?

It was probably an instant messaging app, online banking, mobile account management, business functions, and/or a social media account.

According to Juniper Research, the number of mobile banking app users has reached two billion, or 40 percent of the world's adult population.

We know how painstakingly developers pay attention to software design to give us a smooth experience; we gladly install apps and hand over our personal information too, but we rarely stop to think about the security implications.

Experts regularly perform security analysis of mobile applications (often the most-used ones). Here are some of the latest findings from their security assessment of iOS and Android apps.

  • High-risk vulnerabilities were found in 38 percent of iOS and 43 percent of Android applications.
  • Most cases are due to weaknesses in security mechanisms (74% of iOS apps, 57% of Android apps, and 42% of server-side components); such vulnerabilities creep in at the design, bug-fixing, or coding stage.
  • The most common issue is insecure data storage, found in 76 percent of mobile applications. Financial information, passwords, personal data, and correspondence are at high risk.
  • Hackers seldom need physical access to steal data: 89 percent of vulnerabilities can be exploited with malware.
  • Many cyber attacks rely on our inattention. Escalated privileges or sideloaded software help attackers find the way to a damaging attack.

Be it developers or users, cyber threats reach both equally; this means both client-side and server-side protection is needed to secure applications on iOS and Android.

So, what can be done to prevent attacks? How to protect both ends?

Well, all comes down to awareness, education, and some preventive measures.

Prevent your iOS and Android from Application-based cyber attacks

For your convenience, I am breaking this section into parts: for Android developers, for iOS developers, and for users.

For Android developers

  • Use LocalBroadcastManager to send and receive messages not intended for third-party applications.
  • If the application accepts sensitive data such as financial information, or implements a custom keyboard, make sure the app is secured well enough to prevent attacks that manipulate the system keyboard.
  • Disable app backups by setting “android:allowBackup” to “false” in the manifest.

For iOS developers

  • If you need to use links for interaction among components, go for universal links.
  • To disable third-party keyboards within an application, implement the “shouldAllowExtensionPointIdentifier” method in the application’s UIApplicationDelegate.

Some measures for both the platforms

  • Modern devices use biometrics (Touch ID or Face ID) in applications. In this case, the PIN code is stored on the device. Local storage of sensitive data should only be acceptable in special directories with encryption: iOS has the Keychain and Android has a key vault, the Keystore.
  • Use a special background image to mask sensitive data on the screen.
  • Stop sending one-time passwords twice, in both SMS and push notifications; instead, let the user select the password delivery method.
  • The TRACE method can be used to bypass the protection that the httpOnly cookie flag provides, so disable the handling of TRACE requests on the server.
  • Limits on authentication attempts must be enforced on both the server and the client side.
  • Filter user-entered data on the server. Use HTML encoding to deal with special characters.
  • Session lifetime should be limited. The session ID must be wiped from both the client and the server side. The server must create a new session every time authentication is required.
  • To secure client-server communication, experts recommend certificate pinning: the certificate is embedded directly in the code of the application, so the application no longer depends on the OS certificate store. This stops MITM attacks.
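The server-side items in the list above (refusing TRACE, limiting authentication attempts, HTML-encoding user input, and issuing a fresh, time-limited session ID after every authentication while wiping the old one) can be seen together in a small example. The code below is an added illustration written for this article, not code from the study or from any real product; the class and function names (AuthServer, render_user_input, run_scenario, FakeClock) are hypothetical, the credential store is in memory, and the user “alice” and her password are constructed sample data.

```python
"""Added example: server-side hardening measures from the list above, stdlib only."""
import hashlib
import html
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5            # failed logins before the account is locked
LOCKOUT_SECONDS = 300       # how long the lock lasts
SESSION_TTL_SECONDS = 900   # hard session lifetime, after which the ID is discarded
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # no TRACE


def hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear; PBKDF2 is used here because it is in the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    user: Optional[str]
    created: float
    authenticated: bool


class AuthServer:
    """Hypothetical in-memory server that applies the list's server-side measures."""

    def __init__(self, credentials, clock=time.time):
        self._credentials = credentials   # user -> (salt, pbkdf2 hash)
        self._clock = clock
        self._sessions = {}               # session id -> Session
        self._failures = {}               # user -> (failed attempts, locked-until timestamp)

    def handle_method(self, method):
        """Refuse TRACE (and any other non-whitelisted method) with 405."""
        return 200 if method.upper() in ALLOWED_METHODS else 405

    def new_session(self):
        """Anonymous pre-authentication session with an unguessable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(None, self._clock(), False)
        return sid

    def login(self, old_sid, user, password):
        now = self._clock()
        attempts, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return None, "locked"            # server-side attempt limit in force
        stored = self._credentials.get(user)
        ok = stored is not None and secrets.compare_digest(
            hash_password(password, stored[0]), stored[1])
        if not ok:
            attempts += 1
            if attempts >= MAX_ATTEMPTS:
                self._failures[user] = (attempts, now + LOCKOUT_SECONDS)
                return None, "locked"
            self._failures[user] = (attempts, locked_until)
            return None, "bad-credentials"
        self._failures.pop(user, None)
        self._sessions.pop(old_sid, None)    # the pre-auth ID is wiped on the server
        sid = secrets.token_urlsafe(32)      # a brand-new ID for the authenticated session
        self._sessions[sid] = Session(user, now, True)
        return sid, "ok"

    def validate(self, sid):
        """Return the session, or None if unknown or past its lifetime (and then drop it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.created > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            return None
        return s


def render_user_input(text):
    """HTML-encode user-supplied text before echoing it into a page."""
    return html.escape(text, quote=True)


class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def make_credentials(users):
    return {u: (salt, hash_password(p, salt))
            for u, p in users.items() for salt in [secrets.token_bytes(16)]}


def run_scenario():
    """Walk through the measures with the constructed user 'alice'."""
    clock = FakeClock()
    server = AuthServer(make_credentials({"alice": "correct horse"}), clock)
    out = {"trace": server.handle_method("TRACE")}
    pre = server.new_session()
    for _ in range(MAX_ATTEMPTS - 1):
        _, out["before_lock"] = server.login(pre, "alice", "wrong")
    _, out["at_lock"] = server.login(pre, "alice", "wrong")
    _, out["while_locked"] = server.login(pre, "alice", "correct horse")
    clock.advance(LOCKOUT_SECONDS + 1)
    sid, out["after_lock"] = server.login(pre, "alice", "correct horse")
    out["old_id_rotated"] = sid != pre and server.validate(pre) is None
    out["valid_now"] = server.validate(sid) is not None
    clock.advance(SESSION_TTL_SECONDS + 1)
    out["valid_after_ttl"] = server.validate(sid) is not None
    out["escaped"] = render_user_input('<script>alert("x")</script>')
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Running the module walks one account through four wrong passwords, the lockout on the fifth, a rejected correct password while locked, a successful login after the lockout expires (which discards the pre-authentication ID and issues a new one), expiry of that session after its lifetime, and the HTML encoding of a script tag. The clock is injected so the lockout and lifetime checks are testable without waiting.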

Some recommendations for users

  • Do not trust third-party app stores or suspicious software (like “cracked” or free versions of commercial applications); they are often carriers of malicious code.
  • Do not connect your device to untrusted charging stations or PCs. Modern mobile OS versions ask the user to confirm trust. Never confirm trust if you are not sure about the security of the system you are connecting to.
  • Do not open links from unknown senders in messages and chats. Even if you know the person suggesting an application to you, be vigilant.
  • Never accept requests for installation of third-party software on your beloved smartphone.
  • Update your OS and applications as soon as updates are available. If your device is rooted or jailbroken, it may not update automatically.
  • Avoid privilege escalation; don't forget that rooting or jailbreaking a device disables protection mechanisms and opens up access to the device file system.
  • Your PIN code must be random (try a phrase, not a word). Do not use your date of birth, phone number, or ID number; better go with biometrics (fingerprint, voice, or face) if your device supports them.
  • Be vigilant when apps request overly-broad access or data. If the requested permissions seem unreasonable, do not grant them.

Some Takeaways

Hackers love targeting newer platforms, and mobile devices are the current hotbed, loaded with personal and payment card information.

The results of the study clearly reflect that the developers of mobile applications often neglect security, with insecure data storage being the main issue.

On the other hand, users themselves are also unwittingly helping to compromise their devices by expanding their smartphone's capabilities, opening suspicious links, disabling protection, and downloading software from unofficial platforms.

Securing user data requires a responsible attitude from both application developers and device owners.
