Friday, April 19, 2024

Be aware, Smarties – 40% of iOS and Android apps are vulnerable to hacking

We all love to download new applications, especially when one – a game or any other app, like FaceApp – is in the limelight, or when we see our friends using it.

There is nothing wrong with that; load as many apps as your phone allows. But are all those apps safe and sound, especially when it comes to your mobile security?

Our phones are more precious than any diamond in the world, not because they are expensive, but because they hold our most sensitive data; my phone knows more about me than I do.

Be it iPhone or Android, downloading apps has become a way of inviting vulnerabilities in.

Yes, you heard that right!

The apps we use are at a higher risk of carrying vulnerabilities than anyone previously thought. Over a third of Android and iOS apps have high-risk vulnerabilities, so there are likely a few apps on your phone exposing your data to the outside world.

If it is just my user profile, then fine, but if these apps harvest my personal data, then I am sorry, I will not take it lightly.

I think nobody would be fine with any of their apps sharing their personal data with anyone.

Let’s quickly go through the study conducted.

Latest Vulnerabilities in mobile applications

Before jumping into the horror stories, let me share some basics about mobile applications.

Last year, more than 205 billion mobile apps were downloaded, and the number is expected to reach 250+ billion by 2022, while 57% of all digital media time is spent on smartphones and tablets.

Can you recall what you scrolled through yesterday on your phone?

Most likely an instant messaging app, online banking, mobile account management, business tools, and/or a social media account.

According to Juniper Research, the number of mobile banking app users has reached two billion – 40 percent of the world's adult population.

We know how painstakingly developers attend to software design to give us a smooth experience; we gladly install apps and hand over our personal information too, but rarely stop to think about the security implications.

Experts regularly perform security analysis of different (often the most widely used) mobile applications; here are some of the latest findings from a security assessment of iOS and Android apps.

  • High-risk vulnerabilities were found in 38 percent of iOS and 43 percent of Android applications.
  • Most cases are due to weaknesses in security mechanisms (74% of iOS apps, 57% of Android apps, and 42% of server-side components); such vulnerabilities creep in at the design stage, so fixing them later means changing code, not just configuration.
  • The most common issue is insecure data storage, found in 76 percent of mobile applications. Financial information, passwords, personal data, and correspondence are at high risk.
  • Hackers seldom need physical access to steal data: 89 percent of vulnerabilities can be exploited with malware.
  • Many cyber attacks rely on our inattention. Escalated privileges or sideloaded software help attackers find their way to a damaging attack.

Whether you are a developer or a user, cyber threats reach both equally, which means both client-side and server-side protection are needed to secure applications on iOS and Android.

So, what can be done to prevent attacks? How do we protect both ends?

Well, it all comes down to awareness, education, and some preventive measures.

Protect your iOS and Android devices from application-based cyber attacks

For convenience, I am breaking this section into parts: for Android developers, for iOS developers, and for users.

For Android developers

  • Use LocalBroadcastManager (or another in-process mechanism) for messages that are not intended for third-party applications; an ordinary broadcast can be received by any app on the device. Note that LocalBroadcastManager has since been deprecated in AndroidX, so in new code prefer an in-app observer such as LiveData or a Flow, and keep any component that must receive broadcasts marked android:exported="false".
  • If the application accepts sensitive data such as financial information, consider implementing an in-app keyboard for those fields, so that input cannot be captured by a malicious third-party keyboard installed as the system keyboard.
  • Stop the app's data from being backed up by setting android:allowBackup="false" in the manifest; otherwise a backup can carry private app data off the device. On Android 12 and later, also declare android:dataExtractionRules, because allowBackup alone no longer controls device-to-device transfer.

For iOS developers

  • If you need links to pass data between apps or components, use universal links rather than custom URL schemes: any app can register the same scheme and hijack the link, whereas a universal link is bound to a domain you control.
  • To disable third-party keyboards within an application, implement application(_:shouldAllowExtensionPointIdentifier:) in the app's UIApplicationDelegate and return false for the keyboard extension point.

Some measures for both the platforms

  • Apps that unlock with biometrics (Touch ID or Face ID) keep a secret, such as the user's PIN or a token, on the device. Store such secrets, and any other sensitive local data, only in the platform's protected storage: the Keychain on iOS and the Keystore on Android (which holds keys, so encrypt the data with a Keystore-backed key). Never write them to plain files or shared preferences.
  • Mask sensitive data when the app goes to the background, for example by overlaying a placeholder image, so it does not appear in the task-switcher snapshot (on Android, FLAG_SECURE also blocks screenshots).
  • Do not send one-time passwords over both SMS and push notifications; deliver them through a single channel that the user has chosen.
  • The HTTP TRACE method can be abused (cross-site tracing) to read cookies that the HttpOnly flag is supposed to keep away from scripts; disable handling of TRACE requests on the server. Modern browsers refuse to issue TRACE from page scripts, but a server should still not echo requests back.
  • Limit authentication attempts on both the server and the client side; the server-side limit is the one that counts, since an attacker can bypass the client.
  • Validate user-supplied data on the server, and HTML-encode special characters before placing that data in a page, so it cannot inject script (cross-site scripting).
  • Session lifetime should be limited. On logout the session ID must be wiped on both the client and the server, and the server must issue a new session ID every time the user authenticates, so a session ID fixed before login cannot be reused.
  • To secure client-server communication, experts recommend certificate pinning: the expected certificate (or better, its public key) is embedded in the application, so the app no longer depends on the OS certificate store and a rogue or compromised CA cannot be used to intercept traffic. Pin the public key rather than the leaf certificate and ship a backup pin so that rotation does not break the app. Pinning defeats network-level MITM, but not an attacker who controls a rooted or jailbroken device and can hook the app.
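The server-side items above (attempt limiting, session rotation and expiry, refusing TRACE, and HTML-encoding user input) are easiest to see together in one small backend. The following is an added example written for this article; it is not code from the study or from any real app. The Backend and handle names, the demo user store, and the lockout and lifetime values are all assumptions chosen for the demonstration, and in-memory dictionaries stand in for a database.

```python
"""Server-side hardening for a mobile app backend: login-attempt limiting,
session issuance, rotation and expiry, rejection of the TRACE method, and
HTML output encoding. Added example, not from the article or the study;
in-memory dictionaries stand in for a real database."""
import hmac
import html
import secrets
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5            # failed logins tolerated before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock (and the failure counter) lasts
SESSION_IDLE = 15 * 60      # expire a session after this much inactivity...
SESSION_MAX = 8 * 3600      # ...and unconditionally after this absolute lifetime
ALLOWED_METHODS = {"GET", "POST"}   # TRACE, and anything else, gets a 405

# Constructed demo user store. A real backend stores password hashes, not passwords.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


@dataclass
class Backend:
    failures: dict = field(default_factory=dict)  # user -> (count, first_failure_ts)
    sessions: dict = field(default_factory=dict)  # session id -> Session

    def _locked(self, user, now):
        count, first = self.failures.get(user, (0, now))
        if now - first > LOCKOUT_SECONDS:
            self.failures.pop(user, None)   # window elapsed: forget old failures
            return False
        return count >= MAX_ATTEMPTS

    def login(self, user, password, old_sid=None, now=None):
        """Return a fresh session id on success, None on failure or lockout."""
        now = time.time() if now is None else now
        if self._locked(user, now):
            return None
        expected = USERS.get(user, "")
        ok = user in USERS and hmac.compare_digest(password.encode(), expected.encode())
        if not ok:
            count, first = self.failures.get(user, (0, now))
            self.failures[user] = (count + 1, first)
            return None
        self.failures.pop(user, None)
        # Session fixation defence: a pre-authentication session id is never kept;
        # every successful authentication gets a brand-new, unguessable id.
        if old_sid:
            self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now)
        return sid

    def current_user(self, sid, now=None):
        """Resolve a session id to a user, enforcing idle and absolute lifetimes."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > SESSION_IDLE or now - s.created > SESSION_MAX:
            del self.sessions[sid]   # expired: wipe it server-side too
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        """Invalidate server-side; return a Set-Cookie header that clears the client copy."""
        self.sessions.pop(sid, None)
        return "sid=; Max-Age=0; HttpOnly; Secure; SameSite=Strict"


def handle(backend, method, path, cookies, form, now=None):
    """Minimal dispatcher returning (status, headers, body)."""
    if method not in ALLOWED_METHODS:   # cross-site tracing needs TRACE: refuse it
        return 405, {"Allow": ", ".join(sorted(ALLOWED_METHODS))}, "method not allowed"
    if method == "POST" and path == "/login":
        sid = backend.login(form.get("user", ""), form.get("password", ""),
                            old_sid=cookies.get("sid"), now=now)
        if sid is None:
            return 401, {}, "login failed"   # same answer for bad password and lockout
        cookie = f"sid={sid}; HttpOnly; Secure; SameSite=Strict"
        return 200, {"Set-Cookie": cookie}, "ok"
    user = backend.current_user(cookies.get("sid", ""), now=now)
    if user is None:
        return 401, {}, "login required"
    if method == "POST" and path == "/logout":
        return 200, {"Set-Cookie": backend.logout(cookies["sid"])}, "bye"
    if path == "/profile":
        # Output encoding: the display name is user-supplied, so escape it
        # before it is placed inside HTML.
        name = html.escape(form.get("name", user))
        return 200, {}, f"<h1>Hello, {name}</h1>"
    return 404, {}, "not found"
```

The `now` parameter exists so the lifetimes can be exercised deterministically; a deployed service would use the clock. Note that the failure counter is keyed by user name, which stops online guessing against one account but not a spray of one password across many accounts, so a real service also limits by client address.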

Some recommendations for users

  • Do not trust third-party app stores or suspicious software ("cracked" or free versions of commercial applications); these often carry malicious code.
  • Do not connect your device to untrusted charging stations or PCs. Modern mobile OS versions ask you to confirm that you trust the connected computer; never confirm if you are not sure about the security of the system you are connecting to.
  • Do not open links from unknown senders in messages and chats. Even if you know the person suggesting an application to you, be vigilant.
  • Never accept requests to install third-party software on your beloved smartphone.
  • Update your OS and applications as soon as updates arrive. If your device is rooted or jailbroken, it may not update automatically.
  • Avoid privilege escalation: remember that rooting or jailbreaking a device disables protection mechanisms and opens up access to the device file system.
  • Your PIN or passcode must be hard to guess (a phrase works better than a word). Do not use your date of birth, phone number, or ID number; better still, use biometrics (fingerprint, voice, or face) if your device supports them.
  • Be vigilant when apps request overly broad access or data. If the requested permissions seem unreasonable, do not grant them.

Some Takeaways

Hackers love targeting newer platforms, and mobile devices are the current hotbed, loaded with personal and payment card information.

The results of the study clearly show that the developers of mobile applications often neglect security, with insecure data storage being the main issue.

On the other hand, users themselves unwittingly help to compromise their devices by expanding their smartphone's capabilities (rooting or jailbreaking), opening suspicious links, disabling protections, and downloading software from unofficial platforms.

Securing user data requires a responsible attitude from both application developers and device owners.
