
CHAPTER 4

4.0 MOBILE VULNERABILITIES


4.1 Understand vulnerabilities, threats and attacks.
4.1.1 Identify mobile phone vulnerabilities, threats and attacks.
4.1.2 Identify mobile network infrastructure threat vector and attack
4.1.3 Explain mobile device security challenges.
4.2 Understand vulnerabilities in mobile computing
4.2.1 Identify vulnerabilities in:
a. Wireless communications infrastructure
b. Mobile device
c. Access mobile platform
d. Mobile application
4.2.2 Explain vulnerability analysis of the wireless communication
4.2.3 Describe mobile device vulnerabilities
a. Trojan horse
b. Botnet
c. Worm
d. Root kit
4.2.4 Describe the following weaknesses in relation to security vulnerabilities:
a. Technology
b. Configuration
c. security policy

4.3 Understand threats and threat vectors in mobile computing

4.3.1 Identify threats and threat vectors
4.3.2 Describe different types of threats:
a. unstructured threats
b. structured threats
c. external threats
d. internal threats
4.3.3 Identify mobile infrastructure threats
4.3.4 Identify threats of Mobile Operating System

4.3.5 Describe threat vector scenarios in:
a. Wireless communications infrastructure
b. Mobile device
c. Mobile platform
d. Mobile application
4.3.6 Explain threat analysis and countermeasures of the wireless communication
4.3.7 Describe mobile device threats
a. Physical
b. Web-based
c. Network-based
d. Application-based
4.3.8 Identify type of Malware in mobile device
a. Trojan-related malware

4.4 Understand attacks in mobile computing

4.4.1 Identify typical attacks in mobile environments
a. Class of Illicit Use Attacks
b. Wireless Spoofing
c. Man-in-the-Middle Attacks
d. Denial of Service Attacks.
4.4.2 Identify distributed DoS Attacks in Mobile Communications.
a. Targeted Environments
b. Defending against DDoS Attacks
4.4.3 Describe attack scenarios
a. Wireless communications infrastructure
b. Mobile device
c. Mobile Platform
d. Mobile application

4.1 Understand vulnerabilities, threats and attacks.

Introduction to Vulnerabilities, Threats, and Attacks

When discussing network security, the three common terms used are as follows:

• Vulnerability—A weakness that is inherent in every network and device. This includes routers,
switches, desktops, servers, and even security devices themselves.

• Threats—The people eager, willing, and qualified to take advantage of each security weakness;
they continually search for new exploits and weaknesses.

• Attacks—The threats use a variety of tools, scripts, and programs to launch attacks against
networks and network devices. Typically, the network devices under attack are the endpoints,
such as servers and desktops.

Vulnerabilities
The vulnerabilities are present in the network and individual devices that make up the network.
Networks are typically plagued by one or all of three primary vulnerabilities or weaknesses:
■ Technology weaknesses
■ Configuration weaknesses
■ Security policy weaknesses

Technological Weaknesses
Computer and network technologies have intrinsic security weaknesses. These include TCP/IP
protocol weaknesses, operating system weaknesses, and network equipment weaknesses.
Table 4-1 describes these three weaknesses.

Table 4-1 Technological Weaknesses

Weakness: TCP/IP protocol weaknesses
How the weakness is exploited: HTTP, FTP, and ICMP are inherently insecure. Simple Network
Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), and SYN floods are related
to the inherently insecure structure upon which TCP was designed.

Weakness: Operating system weaknesses
How the weakness is exploited: The UNIX, Linux, Macintosh, Windows NT, 9x, 2K, XP, and OS/2
operating systems all have security problems that must be addressed. These are documented in
the CERT archives at http://www.cert.org.

Weakness: Network equipment weaknesses
How the weakness is exploited: Various types of network equipment, such as routers, firewalls,
and switches, have security weaknesses that must be recognized and protected against. These
weaknesses include the following: password protection, lack of authentication, routing
protocols, and firewall holes.

Configuration Weaknesses
Network administrators or network engineers need to learn what the configuration weaknesses
are and correctly configure their computing and network devices to compensate. Table 4-2 lists
some common configuration weaknesses.

Table 4-2 Configuration Weaknesses

Weakness: Unsecured user accounts
How the weakness is exploited: User account information might be transmitted insecurely
across the network, exposing usernames and passwords to snoopers.

Weakness: System accounts with easily guessed passwords
How the weakness is exploited: This common problem is the result of poorly selected and
easily guessed user passwords.

Weakness: Misconfigured Internet services
How the weakness is exploited: A common problem is to turn on JavaScript in web browsers,
enabling attacks by way of hostile JavaScript when accessing untrusted sites. IIS, Apache, FTP,
and Terminal Services also pose problems.

Weakness: Unsecured default settings within products
How the weakness is exploited: Many products have default settings that enable security holes.

Weakness: Misconfigured network equipment
How the weakness is exploited: Misconfigurations of the equipment itself can cause significant
security problems. For example, misconfigured access lists, routing protocols, or SNMP community
strings can open up large security holes. Misconfigured or missing encryption and remote-access
controls can also cause significant security issues, as can the practice of leaving ports open
on a switch (which could allow the introduction of noncompany computing equipment).

Security Policy Weaknesses
Security policy weaknesses can create unforeseen security threats. The network can pose security
risks if users do not follow the security policy. Table 4-3 lists some common security policy
weaknesses and how those weaknesses are exploited.

Table 4-3 Security Policy Weaknesses

Weakness: Lack of written security policy
How the weakness is exploited: An unwritten policy cannot be consistently applied or enforced.

Weakness: Politics
How the weakness is exploited: Political battles and turf wars can make it difficult to implement
a consistent security policy.

Weakness: Lack of continuity
How the weakness is exploited: Poorly chosen, easily cracked, or default passwords can allow
unauthorized access to the network.

Weakness: Software and hardware installation and changes do not follow policy
How the weakness is exploited: Unauthorized changes to the network topology or installation of
unapproved applications create security holes.

Weakness: Disaster recovery plan nonexistent
How the weakness is exploited: The lack of a disaster recovery plan allows chaos, panic, and
confusion to occur when someone attacks the enterprise.

4.3.1 Identify threats and threat vectors

Threats
There are four primary classes of threats to network security:
i. Unstructured threats:
a. Unstructured threats consist of mostly inexperienced individuals using easily available hacking
tools such as shell scripts and password crackers.
b. Even unstructured threats that are only executed with the intent of testing and challenging a
hacker’s skills can still do serious damage to a company.
ii. Structured threats:
a. Structured threats come from hackers who are more highly motivated and technically competent.
b. These people know system vulnerabilities and can understand and develop exploit code and
scripts.
c. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting
businesses. These groups are often involved with the major fraud and theft cases reported to law
enforcement agencies.
iii. External threats:
a. External threats can arise from individuals or organizations working outside of a company. They
do not have authorized access to the computer systems or network.

b. They work their way into a network mainly from the Internet or dialup access servers.
iv. Internal threats:
a. Internal threats occur when someone has authorized access to the network with either an account
on a server or physical access to the network.
b. According to the FBI, internal access and misuse account for 60 percent to 80 percent of reported
incidents.

Threat Vectors
Threat vectors are the routes that malicious attacks may take to get past your defenses and infect your
network. We will be talking about six threat vectors in particular:
1. Network – The perimeter of your network, usually protected by something like a firewall.
2. User – Attackers often use social engineering and social networking to gather information and
trick users into opening a pathway for an attack into a network.
3. Email – Phishing attacks and malicious attachments target the email threat vector.
4. Web Application – SQL Injection and Cross-Site Scripting are just two of the many attacks that
take advantage of an inadequately protected Web Application threat vector.
5. Remote Access – A corporate device using an unsecured wireless hotspot can be compromised,
and the compromise passed on to the corporate network.
6. Mobile – Smart phones, tablets, and other mobile devices can be used as devices to pass malware
and other attacks on to the corporate network. Additionally, mobile malware may be used to steal
useful data from the mobile device.
4.4 Understand attacks in mobile computing

Attacks
Basic attacks can be classified into four major classes, namely:
1. Illicit use
2. Wireless spoofing
3. Man-in-the-middle attacks
4. Denial of service attacks
A description of the features of each typical attack is given as follows.
1. Illicit use attacks
WHAT?
• Passive attacks
• Do not cause damage to the physical network
• An attacker placed close to the base station (BS) obtains illicit information from the traffic
it can listen to

HOW?
i. Wireless network sniffing
Passive scanning – listening to each wireless communication channel and copying traffic using
tools such as a radio frequency monitor
Identity detection – retrieving the identity of the BS
MAC address collection – to construct spoofed frames, the attacker has to use legitimate MAC
addresses.

ii. Network discovery
– the attacker listens on all channels for all wireless packets

iii. Inspection
– the attacker identifies IP address ranges and gateways using tools
2. Wireless spoofing
WHAT?
Modify identification parameters in data packets for different purposes.

HOW?
• MAC address spoofing: replacing the attacker's MAC address with a legitimate MAC address
• IP spoofing: changing the source or destination IP address by talking directly with the
network device
• Frame spoofing: injecting frames with spoofed content. Usually applied in networks that lack
frame authentication

3. Man-in-the-middle attacks
WHAT?
Insert the attacker in the middle of a communication for the purpose of intercepting the client's
data and modifying it before passing it on to the real destination

HOW?
• Create a scenario in which the client has difficulty connecting
• Set up an alternate rogue AP with the same credentials as the original so that the client will
connect to it.
• The attacker eavesdrops on the wireless network's radio signal using a sensitive antenna.
• They receive the victim's data and then retransmit the data after changing it

Example (figure not reproduced: the attacker placed between client and server)

In the figure, the attacker has inserted him/herself into the flow of traffic between client and
server. Now that the attacker has intruded into the communication between the two endpoints,
he/she can inject false information and intercept the data transferred between them.
4. Denial of service attacks (DoS)

WHAT?
• Aim at denying or degrading the quality of a legitimate user's access to a service or
network resource.
• Can bring down the server and the service the server provides

HOW?
• Disabling-services attacks: the DoS attacker makes use of an implementation weakness to
disable the supply of the service.
• Resource undermining: undermining can be achieved by causing expensive computations,
storage of state information, resource reservations, or high traffic load.
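The "high traffic load" form of resource undermining is the one a defender can see in a request log. The following added example (not part of the original notes) flags a single source that exceeds a per-source rate and, separately, a distributed flood where no single source dominates; the log format "epoch_seconds source_ip path" and the thresholds are assumptions for the sample, not any real server's output.

```python
"""Flag high-traffic-load DoS in a request log, distinguishing a single
flooding source from a distributed flood.

Added example; not from the original notes. The log format used here,
"epoch_seconds source_ip path", is an assumption for the sample, not the
output of any real server, and the thresholds are illustrative policy values.
"""
from collections import Counter, deque

WINDOW = 10.0          # seconds of history considered
PER_SOURCE_LIMIT = 5   # more than this from one source in WINDOW -> 'dos'
AGGREGATE_LIMIT = 12   # more than this in total, with no dominant source -> 'ddos'


def parse_line(line):
    ts, src, path = line.split()
    return float(ts), src, path


def detect_floods(lines):
    """Return alerts as (timestamp, kind, subject) tuples in time order.

    kind 'dos'  -> subject is the offending source address
    kind 'ddos' -> subject is the number of distinct sources in the window
    A source is reported once; a 'ddos' alert re-arms only after the
    aggregate rate drops back under the limit.
    """
    events = sorted(parse_line(ln) for ln in lines)
    window = deque()          # (ts, src) pairs no older than WINDOW
    per_source = Counter()    # requests per source currently in window
    alerts, flagged, ddos_open = [], set(), False
    for ts, src, _path in events:
        window.append((ts, src))
        per_source[src] += 1
        while ts - window[0][0] > WINDOW:   # expire old entries
            _old_ts, old_src = window.popleft()
            per_source[old_src] -= 1
        if per_source[src] > PER_SOURCE_LIMIT and src not in flagged:
            flagged.add(src)
            alerts.append((ts, "dos", src))
        total = len(window)
        dominant = max(per_source.values())
        # Distributed flood: aggregate load is high but no single source
        # carries even half of it, so per-source limits never trigger.
        if total > AGGREGATE_LIMIT and dominant * 2 < total:
            if not ddos_open:
                ddos_open = True
                distinct = sum(1 for n in per_source.values() if n > 0)
                alerts.append((ts, "ddos", distinct))
        else:
            ddos_open = False
    return alerts


# Constructed log. Part 1: 10.0.0.5 hammers /login while two others browse.
SAMPLE_LOG = [
    "100 10.0.0.1 /index",
    "100 10.0.0.5 /login",
    "101 10.0.0.5 /login",
    "102 10.0.0.5 /login",
    "103 10.0.0.2 /index",
    "103 10.0.0.5 /login",
    "104 10.0.0.5 /login",
    "105 10.0.0.5 /login",
    "106 10.0.0.5 /login",
]
# Part 2: fourteen distinct sources, one request each, half a second apart.
SAMPLE_LOG += [f"{200 + 0.5 * i} 10.1.0.{i + 1} /index" for i in range(14)]

if __name__ == "__main__":
    for ts, kind, subject in detect_floods(SAMPLE_LOG):
        print(f"t={ts:.1f} {kind} {subject}")
```

The per-source rule catches the first scenario at the sixth request from 10.0.0.5; the aggregate rule is what catches the second, where every source stays under the per-source limit.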

WIRELESS COMMUNICATION INFRASTRUCTURE VULNERABILITIES

• Most of the existing vulnerabilities in wireless networks are caused by the medium.
• Because transmissions are broadcast, they are easily available to anyone who can listen to
them.

WLAN Vulnerabilities
The following represent the typical vulnerabilities witnessed at the main component of a WLAN,
namely the access point (AP).

• The easy installation and use of an AP.
This vulnerability allows any individual to introduce an unauthorized wireless network in
unauthorized areas. The easy installation and configuration of the AP make this feasible for
legitimate or illegitimate users.

• The AP configuration.
If the AP is poorly configured or unauthorized, then it can provide an open door to attackers.
This is caused by using a default configuration that defeats the security controls and
encryption mechanisms that the AP is able to provide in normal use.

• Physical security of an authorized AP.
Because of the way most APs are deployed, their placement and ease of access are critical. An AP
has to be correctly placed and physically protected in order to avoid accidental damage (made, for
example, by direct access to the physical cable attached to the AP). Many solutions have been
proposed to physically protect access to the AP, but all of them require a mandatory policy.

• Signal range of an authorized AP.
This vulnerability is characterized by the possibility that the AP signal extends beyond a
given perimeter (the perimeter of a building, for example). Consequently, the AP's placement and
signal strength have to be closely studied to make sure that the transmitting coverage of the
AP is just enough to cover the required area and does not extend beyond it.

• Rogue AP.
This vulnerability allows an attacker to place an unauthorized (or rogue) AP in the network area
and configure it to look legitimate to the network users in order to gain access to a wireless
user's sensitive data. The vulnerability lies in the AP selection criteria implemented in the
mobile stations: user devices connect to the AP with the strongest available signal.
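Because the weakness lies in strongest-signal selection, a defender's first check is an inventory comparison over scan results. The following added example (not part of the original notes) classifies observed APs against a constructed inventory of authorised (SSID, BSSID, security mode) entries and escalates an evil twin that out-powers the nearest legitimate AP, since that is the one nearby clients will choose.

```python
"""Detect rogue and evil-twin access points in a Wi-Fi scan.

Added example; it is not part of the original notes. The authorised-AP
inventory and the scan records below are constructed sample data; a real
deployment would feed them from a wireless IDS or a periodic scan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    ssid: str
    bssid: str      # AP MAC address, lower-case, colon separated
    security: str   # "open", "wpa2" or "wpa3" as advertised in beacons
    rssi: int       # received signal strength in dBm (higher is stronger)


# Constructed inventory: (SSID, BSSID) -> security mode the AP was deployed with.
AUTHORISED = {
    ("corp-wifi", "00:11:22:33:44:01"): "wpa2",
    ("corp-wifi", "00:11:22:33:44:02"): "wpa2",
    ("corp-guest", "00:11:22:33:44:03"): "wpa2",
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORISED}


def classify(rec: ApRecord) -> str:
    """Verdict for one observed AP, judged against the inventory only."""
    key = (rec.ssid, rec.bssid)
    if key in AUTHORISED:
        if AUTHORISED[key] != rec.security:
            # A known BSSID advertising weaker security than it was deployed
            # with: a misconfiguration, or a spoofed beacon using our BSSID.
            return "security-downgrade"
        return "authorised"
    if rec.ssid in CORP_SSIDS:
        # Our SSID from a BSSID we never deployed: the classic rogue AP.
        return "evil-twin"
    return "unknown"  # a neighbour's network; note it, but it is not ours


def assess_scan(scan):
    """Map each BSSID to a verdict.

    Clients associate with the strongest signal carrying an SSID they
    know, so an evil twin that out-powers the nearest legitimate AP is
    escalated to 'evil-twin-stronger': nearby clients will prefer it.
    """
    strongest_real = {}
    for rec in scan:
        if (rec.ssid, rec.bssid) in AUTHORISED:
            strongest_real[rec.ssid] = max(strongest_real.get(rec.ssid, -200), rec.rssi)
    findings = {}
    for rec in scan:
        verdict = classify(rec)
        if verdict == "evil-twin" and rec.rssi > strongest_real.get(rec.ssid, -200):
            verdict = "evil-twin-stronger"
        findings[rec.bssid] = verdict
    return findings


# Constructed scan: two clean APs, one downgraded AP, two evil twins, one neighbour.
SAMPLE_SCAN = [
    ApRecord("corp-wifi", "00:11:22:33:44:01", "wpa2", -55),
    ApRecord("corp-wifi", "00:11:22:33:44:02", "wpa2", -80),
    ApRecord("corp-guest", "00:11:22:33:44:03", "open", -60),
    ApRecord("corp-wifi", "aa:bb:cc:dd:ee:ff", "open", -40),
    ApRecord("corp-wifi", "66:77:88:99:aa:bb", "wpa2", -90),
    ApRecord("neighbour-net", "12:34:56:78:9a:bc", "wpa2", -70),
]

if __name__ == "__main__":
    for bssid, verdict in assess_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {verdict}")
```

An inventory check cannot distinguish a beacon that clones both a legitimate SSID and BSSID; that case only shows up as a security downgrade or needs per-frame fingerprinting from a wireless IDS.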

• Protocol weaknesses and capacity limits on authorized APs.
These vulnerabilities enable denial of service (DoS) attacks: malicious users operating
unauthorized APs can flood authorized APs with traffic, forcing them to reboot or deny access.
Cellular System Vulnerabilities
Vulnerabilities and threats commonly observed in cellular communication systems fall into the
following four major categories:

• Service interruption vulnerabilities:
The increased capacity offered by high-speed communication technologies has resulted in a
reduction of the cable routes necessary to meet traffic capacity requirements. Consequently,
this has decreased the number of switches while enhancing their capacities, and increased the
vulnerability of telecommunication infrastructures.

• Handset vulnerabilities:
Unlike computer systems, handsets offer limited security features. The implementation of
security mechanisms can present weaknesses that allow attackers to launch successful attacks.

• Radio link protection-only vulnerability:
Because wireless messages travel through the air between the handset and the access node, for
transmission to the receiver the messages may need to be converted to another protocol. Such a
conversion can be done at a gateway, for example, to allow a Wireless Transport Layer Security
(WTLS) message to be converted to a Secure Sockets Layer (SSL) message. This operation presents a
vulnerability, because anyone may attempt to access the network at this moment and obtain the
message during the transformation.

WIRELESS COMMUNICATION INFRASTRUCTURE THREAT VECTORS AND ATTACK SCENARIOS

Particular threats of wireless communication are:
i. device theft
ii. malicious hackers
iii. malicious code
iv. theft of service

Three groups of threats can be characterized:
1. application-based threats
2. content-based threats
3. mixed threats

Application-Based Threats
Application-based threats are roughly posed by executable malicious codes that are inserted into existing
or new wireless applications. They are potentially present anytime a software program is downloaded to
(or executed) on a wireless terminal. This is particularly true when the program is downloaded or received
from an unknown source. These threats are equivalent to the earliest type of computer viruses that
attacked executable programs.

The first malicious application-based program that specifically targeted the operating system used in
personal digital assistants (PDAs) was called the Liberty Crack. The free software, which could be
downloaded from a Web site or obtained via Internet relay chat rooms, pretended to convert a
shareware game program into a registered version. While the program is executing, the user cannot
see that it is simply deleting all executable applications on the handheld device. Fortunately,
Liberty Crack did not affect the underlying operating system or the embedded applications.

Content-Based Threats
In content-based threats, either the content itself is the threat (e.g., derogatory messages) or the
malicious use of the content is the threat (e.g., email spamming). Networks have been known to crash
under the weight of spam attacks. While email is one of the key features of the wireless world, it
is also among the most vulnerable to attack. Hence, the most common content-based threats to the
wireless infrastructure have occurred through infected email or spam mail. The first content-based
threat against wireless devices occurred in June 2000 with the so-called Visual Basic Script (VBS).
The related attack proliferates by sending infected email messages from affected computers. When an
infected email reaches a PC, it uses Microsoft Outlook to send a copy of itself via infected emails
to all addresses in the MS Outlook address book.

Although the program reached out into the wireless world, it was benign and caused little damage
because it propagated via PCs and emails, not directly from mobile phone to mobile phone.
Nevertheless, the attack demonstrated the ability of malicious code to hit the wireless
infrastructure and spread with considerable speed. The attack showed the potential to flood the
wireless network with messages, reducing its performance or even its ability to meet the expected
load. Worse, it demonstrated the ability to impact billing features: wireless users billed on a
per-message basis may end up bearing most of the cost of receiving spam.
Mixed Application Threats
The third type of threat offers a greater potential for damage than the previous two types of known
threats. While still considered to be theoretical, a mixed application threat would integrate techniques
from content-based and application-based threats. Considerable damages can be achieved by such threats.
For example, an attack could involve the unwitting download of a sophisticated malicious code
attached to a shareware program that deletes wireless device applications and propagates itself rapidly
across the wireless infrastructure via address books of email. This attack can cause damage to any mobile
station it visits, and spreads across very large areas over a limited period of time.

It will be shown in the sequel that some mixed attacks have been created (with Nimda.A, for example)
that replicate and spread rapidly. Consequently, it appears that some type of highly destructive and
rapidly spreading wireless mixed threats will inevitably surface and that an adequate comprehensive
wireless infrastructure protection against it is needed.
Nowadays, cellular phones are used almost exclusively for voice communication. However, cellular
communication technology is already merging with platform-independent programming models and
new technologies such as Bluetooth. In the near future, cell phones will be able to send and receive
data and applications directly to another wireless device or cell phone. Unfortunately, this
expected wireless environment is unlikely to come without the price of increasingly sophisticated
wireless mixed threats utilizing high capabilities of connectivity, functionality, and speed.

MOBILE MALWARE
Malware (or Malicious Software) can be any malicious, unauthorized, or unexpected program (or code)
that aims at realizing unauthorized actions on a computer, network components, or a mobile terminal.

Some examples of the actions a malware can perform include spying on wireless traffic, recording private
communications, stealing and distributing private and confidential information, disabling computers, and
erasing files.

Malware can be divided into eight different categories:

1. Worms:
A worm is a program that makes copies of itself (by various means including copying itself using
email or another transport mechanism). A worm may damage and/or compromise the security of the
visited (or infected) computer by executing special actions.

2. Zombies:
A zombie is a program that secretly takes over another Internet-attached computer and then uses that
computer to launch attacks that are difficult to trace to the zombie's creator. Zombies can be used to
launch denial of service attacks, typically against targeted Web sites. The zombies can be installed on
hundreds of computers belonging to unsuspecting third parties. They are then used synchronously to
overload the victim target by launching an overwhelming onslaught of Internet traffic.

3. Viruses:
A virus is a sequence of code that is inserted into another executable code, so that when the regular
program is run, the viral code is also executed. The viral code causes a copy of itself to be inserted in
one or more other programs. Viruses are not distinct programs; they cannot run on their own and
need to have some host program, of which they are a part, executed to activate them.

4. Trojan Horses:
A Trojan is malware that performs unauthorized, often malicious, actions. The main difference
between a Trojan and a virus is the inability to replicate itself. Like a virus, a Trojan can cause damage
or unexpected system behavior, and can compromise the security of the visited systems; but,
unlike viruses, it does not replicate. A Trojan looks like any normal program, but it has some hidden
malicious code within it. Often, a Trojan is composed of two parts, a client part and a server part.
When a victim executes the Trojan server on his machine, the attacker then uses the client part of that
Trojan to connect to the server and start using it, over TCP or UDP for example. When a Trojan
server runs on a victim's computer, it (often) tries to hide somewhere on the computer; it then starts
listening for incoming connections from the attacker on one or more ports, and then attempts to modify
the system registry or use some other auto-starting method. Most Trojans use an auto-starting method
that allows them to restart and grant an attacker access to the infected machine.

5. Logic Bombs:
A logic bomb is a programming code inserted secretly or intentionally. The bomb is designed to
execute (or explode) under special circumstances, such as the amount of time elapsed since an event
has occurred. It is in effect a delayed-action computer virus or Trojan. A logic bomb may be designed
to display a fake message, delete data, corrupt data, or have other undesirable effects, when executed.

6. Trap Doors:
A trap door, sometimes called back door, is a secret entry point into a program that allows someone
that is aware of the trapdoor to gain access without going through the usual security access
procedures. The difference between a trap door and a Remote Access Trojan (RAT) is that the trap
door only opens a port, often with a shell. The RAT is designed with a client-server architecture.

7. Phishing Scam (PS):
A PS is a fraudulent Web page, email, or text message that lures unsuspecting users into revealing
sensitive information such as passwords, financial details, or other private data.

8. Spyware:
Spyware is software that reveals private information about the mobile user or their computer system
to eavesdroppers.

A short list of the actions that a mobile virus can perform includes, but is not limited to, the following:
• Block memory cards;
• Combat antivirus programs;
• Infect personal files;
• Modify icons and system applications;
• Install “false” or non-operational fonts, applications, and malicious programs; and
• Steal data and send messages to other users.

Examples of Mobile Malware

• Cabir:
Cabir is a worm. It was the first identified malware for cellular phones.
It uses Bluetooth to infect phones and to transfer itself to a new host as a file.
Two newer versions of the Cabir worm, namely Cabir.H and Cabir.I, have been created.
They are able to search for (and find) new mobile targets. They spread faster between mobile
phones using a specially formatted Symbian Installation System (SIS) file.

• Cardtrap.A:
This Trojan has the capacity to infect computers when users transfer data from their infected
mobile phones to computers.
It may have a built-in mechanism that places several worms on a mobile device's memory card
with the final objective of infecting a computer.

• Commwarrior:
This is the first worm to spread via MMS. Like Cabir, it can also spread via Bluetooth.
MMS is the main method used, making Commwarrior (Comwar) potentially extremely dangerous:
Bluetooth operates within a distance of about 15 meters, so only devices within that range can be
infected, whereas MMS has no such boundary and can be sent instantly even to handsets at other
sites.

• MetalGear:
This Trojan horse combines several malicious mobile phone programs that work on the infected
phone to spread over Symbian-based phones.

• FlexiSpy:
This malware was discovered in March 2006.
It is spyware that is typically installed by someone other than the phone owner. It sends a log of
phone calls and copies of texts and MMS messages to a commercial Internet server for viewing
by a third party.

MOBILE DEVICE VULNERABILITIES

1. Trojan horse
By deploying malicious mobile applications the attacker could gain control over the device. Such
applications usually perform some useful functionality while running malicious activities in the
background. This way the Trojan can be used to gather private information or to install other
malicious applications like worms or botnets. In addition, Trojans can be used to commit phishing
activities. For example, a false banking application could collect sensitive data from the user. Such
applications can easily spread through unsupervised application stores or through social networks.

2. Botnet
A botnet is a set of compromised devices which can be controlled and coordinated remotely. This attack
strategy is used to harness the computing power of compromised devices in order to commit various
activities ranging from sending spam mail to committing DoS attacks. An example of a botnet
designed specifically for mobile devices is Waledac. Waledac uses SMS and MMS messages to
exchange data between nodes, enabling the botnet to remain active even if the nodes are
not connected to the Internet.

3. Worm
A worm is a self-replicating malicious application designed to spread autonomously to uninfected
systems. This type of malware has been ported to mobile platforms since the introduction of Cabir.
Cabir is a worm designed to attack Symbian S60 devices by spreading through Bluetooth links. A
more recent example of worm-type malware for mobile devices is Ikee.B, which is used to steal
financially sensitive data from jailbroken iPhones.

4. Rootkit
A rootkit is a malicious application that has gained the right to run in privileged mode. Such malicious
applications usually mask their presence from the user by modifying standard operating system
functionality. Although no current rootkit-type threats for mobile devices exist, recent research
efforts indicate the potential of this attack strategy and classify it as an emerging threat to mobile
security.

MOBILE DEVICE THREATS

1) Data Leakage
Mobile apps are often the cause of unintentional data leakage. As noted by eSecurity Planet, for example,
“riskware” apps pose a real problem for mobile users, who give them sweeping permissions, but don’t
always check security. These are typically free apps found in official app stores that perform as
advertised, but also send personal—and potentially corporate—data to a remote server, where it is mined
by advertisers or even cybercriminals.

Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses
distribution code native to popular mobile operating systems like iOS and Android to spread valuable data
across corporate networks without raising red flags. To avoid this problem, only give apps the permissions
they absolutely insist on, and forgo any program that asks for more than necessary.

2) Unsecured Wi-Fi
No one wants to burn through their cellular data when wireless hot spots are available—but free Wi-Fi
networks are usually unsecured. According to V3, in fact, three British politicians who agreed to be part
of a free wireless security experiment were easily hacked by technology experts and had their social
media, PayPal and even VoIP conversations compromised. To be safe, use free Wi-Fi only sparingly on
your mobile device, and never use it to access confidential or personal services, like banking or credit
card information.

3) Network Spoofing
Network spoofing is when hackers set up fake access points (connections that look like Wi-Fi networks
but are actually traps) in high-traffic public locations such as coffee shops, libraries and airports. Next,
cybercriminals give the access points common names, like “Free Airport Wi-Fi” or “Coffeehouse,” which
encourage users to connect. In some cases, attackers require users to create an “account” to access these
free services, complete with a password. Not surprisingly, many users employ the same email and
password combination for multiple services, allowing the hackers to compromise their email,
e-commerce, and other secure information. In addition to using caution when connecting to any free Wi-Fi,
never provide personal information, and if you are asked to create a login, always create a unique
password, just in case.

4) Phishing Attacks
Since mobile devices are always powered-on they represent the front lines of any phishing attack.
According to CSO, mobile users are more vulnerable, since they are often the first to receive legitimate-
seeming emails and take the bait. Desktop users who only check their email once a day or every other day
are often warned off by news sites or security bulletins before clicking through. Email monitoring is
crucial. Never click on unfamiliar email links. On a smaller mobile screen, they can be even harder to
verify. Always enter URLs manually to be as safe as possible.

5) Spyware
According to eWeek, while many mobile users worry about malware sending data streams back to foreign
powers or international cybercriminals, there's a key threat closer to home: spyware. In many cases, it's
not malware that users should be worried about, but rather spyware installed by spouses, coworkers or
employers to keep track of their whereabouts and use patterns. Download a solid (and legitimate)
antivirus and malware detection suite to help detect and eliminate these programs before they have a
chance to collect your data.

6) Broken Cryptography
According to Infosec Institute training materials, broken cryptography can happen when app developers
use weak encryption algorithms, or strong encryption without proper implementation. In the first case,
developers use encryption algorithms that already have known vulnerabilities to speed up the process of
app development, and the result is that any motivated attacker can crack passwords and gain access. In the
second example, developers use highly secure algorithms, but leave other “back doors” open that limit
their effectiveness. For example, it may not be possible for hackers to crack the passwords, but if
developers leave flaws in the code that allow attackers to modify high-level app functions (such as
sending or receiving text messages), they may not need passwords to cause problems. Here, the onus is on
developers and organizations to enforce encryption standards before apps are deployed.
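An added example (not from the course notes) of the first case above, a weak algorithm: password protection is shown with hashing, since that is where cracking applies. An unsalted MD5 digest falls to a single dictionary lookup, while a salted PBKDF2-HMAC-SHA256 record does not; the iteration count and the wordlist are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's dictionary (example data only).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

# Assumption: a work factor in the range currently recommended for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

def weak_hash(password: str) -> str:
    """Case 1 from the notes: a fast, unsalted digest (MD5) with known weaknesses."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_weak_hash(digest: str, wordlist=COMMON_PASSWORDS):
    """Why case 1 fails: without a salt, one precomputed table of common
    passwords matches any stored digest in a single lookup."""
    table = {weak_hash(w): w for w in wordlist}
    return table.get(digest)

def strong_hash(password: str, salt=None) -> str:
    """Hardened form: a random per-password salt plus a slow key derivation
    function, stored as a self-describing record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("weak digest recovered as:", crack_weak_hash(weak_hash("letmein")))
    record = strong_hash("letmein")
    print("strong record verifies:", verify_strong("letmein", record))
    print("dictionary against strong record:", crack_weak_hash(record))
```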

7) Improper Session Handling


To facilitate ease of access for mobile device transactions, many apps make use of “tokens,” which allow
users to perform multiple actions without being forced to re-authenticate their identity. Similar to
passwords, they’re generated by apps as a way to identify devices. Secure apps generate a new token for
each access attempt, or “session,” and tokens should remain confidential. According to The Open Web
Application Security Project, improper session handling occurs when apps unintentionally share session
tokens with malicious actors, allowing them to impersonate legitimate users.
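An added example (not from the course notes) of the session handling described above, on the server side of a mobile app: a fresh random token per session, stored only as a hash, with expiry, rotation and revocation, beside the token-from-device-ID pattern the notes warn against. The session lifetime is an assumption.

```python
import hashlib
import secrets
import time

SESSION_TTL = 15 * 60  # assumption: 15-minute idle session lifetime

def improper_token(device_id: str) -> str:
    """What the notes warn against: a token derived from a fixed device detail is the
    same every session and can be rebuilt by anyone who learns the device ID."""
    return hashlib.sha256(device_id.encode()).hexdigest()

class SessionStore:
    """Server-side session handling: a fresh random token per session, stored only as
    a hash (a leaked store yields no usable tokens), with expiry, rotation, revocation."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._sessions = {}  # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Start a new session with a fresh 256-bit random token."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "expires": self._now() + SESSION_TTL}
        return token

    def user_for(self, token: str):
        """Resolve a presented token; None if unknown, expired or revoked."""
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        if self._now() > entry["expires"]:
            self.revoke(token)
            return None
        return entry["user"]

    def revoke(self, token: str) -> None:
        """Invalidate a token on logout or suspected exposure."""
        self._sessions.pop(self._key(token), None)

    def rotate(self, token: str):
        """Swap in a new token after authentication state changes; the old one stops working."""
        user = self.user_for(token)
        if user is None:
            return None
        self.revoke(token)
        return self.issue(user)
```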

MOBILE DEVICE ATTACKS

Attacks can be classified in various ways. One classification, by Becher, groups attacks on mobile
devices into four main categories:
i. Hardware-based
ii. Device-independent
iii. Software-based
iv. User-based attacks

• Hardware-based attacks:
Broadly, hardware-based attacks are one element of mobile security. Even if the mobile device has a
vulnerability, an attacker cannot easily reach the user's information; however, the attacker does have
access to the device itself.

• Device-independent attacks:
These attacks are independent of the device and directly target the mobile device user.
They aim to violate the privacy of the user's personal data through the wireless connection or
wiretapping.

• Software-based attacks:
Software-based attacks account for an important part of the technical vulnerabilities on mobile
devices. In particular, the growth in the number of mobile web browsers has led to an increase in the
vulnerabilities exploited in this area.

• User-based attacks:
Such attacks are not technical. They are carried out by deception, without malicious software, and
are aimed directly at mobile device users.

MOBILE APPLICATION VULNERABILITIES


Mobile devices are the subject of many security discussions, but it's often mobile applications that serve
as attack vectors.

Bad data storage practices, malware, sideloading and lack of encryption all contribute to mobile
application vulnerabilities.

MOBILE APPLICATION THREATS SCENARIOS

1. Mobile pick-pocketing:
Malware and apps indulge in petty financial fraud such as the generation of premium SMSs and
premium phone-calls without user intervention or approval.

2. Stealing of personal information:


Theft of information like contacts, SMSs and media files is widespread, especially on open
platforms. A huge market exists for such databases.

3. Spyware:
Smartphones have features like cameras, microphones and GPS tracking. Several apps allow
these features to be activated remotely without the user’s knowledge.

4. Identity theft:
This involves spoofing a phone’s parameters and details. With phones being used as a factor for
authentication, this can have serious repercussions. India has already seen such cases.

5. Mobile botnets / relays:


Smartphones with powerful 2G/3G/4G connections can be used as nodes and relays in a botnet.
These can be used to generate spam or launch distributed denial of service (DDoS) attacks.

MOBILE APPLICATION ATTACK VECTOR


The following attack vectors are pertinent from a mobile application security perspective.

1. Jailbroken/rooted devices:
Bypassing OS control gives unrestricted access to all aspects and features on the device. This is a
double-edged sword. Users should be aware that the process of jailbreaking, along with websites
that offer this service, provides an easy conduit to plant malware on phones with sensitive data.

2. App repackaging:
This is a significant problem in the Android space. Rogue developers repackage legitimate apps
with malware. When unsuspecting consumers install and activate these apps, the embedded
malware can initiate activities to send out premium SMSes, uninstall antivirus solutions and
access sensitive content.

Users may still get the functionality of the original app and be unaware of the background
malicious activity. Use legitimate, platform-supported application stores, check publisher details
and review user feedback on the app’s current version before downloading.

3. Drive-by downloads:
This is a recent development in the mobile space, where accessing infected sites results in
malicious apps being installed without user knowledge. Often, these sites are safe for regular
browsers, but automatic download and installation of an application can be triggered while using
smartphone browsers. Android provides controls to prevent automated downloads.

4. Apps from untrusted sources:


It doesn’t get worse than downloading and installing an untrusted/unsigned repackaged app
from non-regulated app marketplaces. It is incumbent upon enterprises to discourage this
practice. Approved application stores are the best source of legitimate apps. Users take grave
risks in installing apps whose provenance is unknown, via SD cards, third-party application stores
or even as email attachments. The threats posed by these applications range from minor
inconvenience to major financial fraud.

5. Operating system/device vulnerabilities:


OS/device firmware vulnerabilities are often exploited by rogue developers while compromising
devices. To avoid such threats, use updated antivirus packages and ensure that devices are
updated with all relevant OS and firmware updates.

6. App vulnerabilities:
Secure application development for mobile platforms is still immature. Insecure coding can lead
to apps acting as a conduit through which malware and attackers gain control of your device. The
best protection is to install a good security solution. Reputable developers ensure that their apps
undergo multiple levels of testing before release to minimize chances of compromise. Review
publicly-available ratings and feedback on apps before installation.
