Mobile devices have become a major part of peoples’ lives. This 24/7 level of connectedness have many different impacts on our society. However, one that people don’t seem to pay much attention to are the impacts on personal privacy. After all, mobile phones are portable sensor suites, with more data collection mechanisms than you can name. At a minimum, they can know where you are (GPS), everything you say (microphone), and everything that you take pictures of. By using a mobile device, you’re trusting the manufacturer to not collect or abuse this data.
And even if you trust mobile phones, mobile applications are notorious for poor security. A common example is flashlight apps that secretly steal your data and send it to hackers, but this is only the tip of the iceberg. Even legitimate applications like reputable VPNs have been known to have application security issues that allow them to be hacked or eavesdropped upon.
Mobile phones and apps have become an integral part of the fabric of most peoples’ lives. So, what do we have to worry about?
Vulnerable Applications
Recent research has demonstrated that one major concern when using mobile apps is the security of the apps themselves. Even if you trust the app creator (they’re from a reputable company, many downloads, good reviews, etc.), it doesn’t mean that they’re secure.
An in-depth study of a few Android mobile apps painted a depressing picture of Android app security. Of the apps studied, 47% of them contained high-risk security vulnerabilities. The most common vulnerability (at 76% of the apps in question) was insecure data storage, where sensitive information (like PIN numbers, credit card data, etc.) was insecurely saved on the phone, increasing the probability of leakage.
However, the apps themselves are only half of the relationship. Web apps act as a client to a server hosted on the company’s network or in the cloud. This server is responsible for any heavy lifting in computation, secure data storage, etc. As a result, even if an app is “secure”, it can still be vulnerable to attack if the server or the client-server communications are insecure.
As part of the same study, the researchers examined the servers associated with each of the apps being studied. Of these servers, all of them were found to have some vulnerability that could affect the security of the app and its user. The details of the vulnerabilities varied from server to server, but many had a form of information leakage or the ability to take over a user’s session with the server (granting access to their account).
Bypassing Permissions
The study regarding application vulnerabilities made the assumption that the applications are benign but accidentally vulnerable to attack. However, not all applications play by the rules. Some Android apps have been found to deliberately ignore user preferences in order to illegally collect data. Android (and Apple) manages the powers granted to applications using a permissions-based model. All functionality that can be dangerous to the user has permissions associated with it that apps must explicitly request. The user is presented with these permission requests as they’re needed and can allow or deny access.
However, a recent study has discovered that thousands of Android apps deliberately circumvent these restrictions. This is accomplished by finding alternative means of the same information. One example is tracking the user’s location. Access to location is one of the permissions that users can deny to apps. However, there are multiple different sources for the same information.
One example of this is taking advantage of access to the user’s photo library. Photos commonly have a type of data called EXIF data that often includes information about where and when the picture was taken. If an app has access to the photos, they can read this data and find out where the phone was at certain times. If a user takes photos regularly (which many people do), this can be used as a means of tracking the user’s movements.
Another way that apps gain access to location information is by monitoring available Wi-Fi networks. Wi-Fi networks are often location-specific, so if an application can determine that you’re within range of a Wi-Fi network, they have a coarse idea of your location. Using multiple networks, it’s possible to triangulate and get a finer location.
For the data that doesn’t have an easy alternative means of collection, some apps will look for unsecured data from other applications. For example, if you give one app access to data and deny it to another, the other app may scan the phone’s SD card to see if the first app stored anything sensitive in an insecure fashion. The study found 168 apps with that capability, 13 of which were actively doing so.
Securing Your Mobile
Mobile devices are extremely convenient, but they can also be a significant threat to personal security. Whether they’re benign but insecure or actively working to circumvent permissions, the apps installed on a mobile device can be used to collect information about or attack their users. Before installing a mobile application, it’s important to consider whether it is actually necessary, and, if so, to lock it down to the minimum set of permissions that it needs to do its job and grant them on a case-by-case basis. Just because an app has a legitimate use for a permission one time doesn’t mean that it won’t abuse it later.