Modern mobile devices are complex, and that complexity gives attackers room to work. Everything from Wi-Fi and Bluetooth to the speaker and microphone can be used to compromise your smartphone.
Positive Technologies analysts have published a study of common scenarios for attacks on mobile devices and applications. This article covers the main points of that document.
How mobile devices and apps are attacked
There are five main attack scenarios. Among them:
- Physical access. If the phone was stolen or lost, the owner took it in for repair or connected it to a fake USB charger, all of this opens up the possibility of an attack.
- Malicious application on the device. Sometimes such applications reach the device even from official sources, Google Play and the App Store.
- Attacker in the communication channel . By connecting to an untrusted Wi-Fi, proxy server or VPN, we become vulnerable to attacks in the communication channel.
- Remote attacks . An attacker can act remotely, using mobile application servers or other services to deliver an exploit.
- Server-side attacks. Finally, we can consider attacks on the server side of mobile applications, since in this case the attacker does not need access to the device at all.
Let's talk in more detail about each of the options and discuss possible ways to protect against such attacks.
There are several main scenarios for physical access attacks. As a rule, they imply that a person gets direct access to the smartphone: this happens if the device is stolen, the owner loses it or takes it in for repair. However, there is also a rather unusual attack method that uses a malicious charging station. Let's consider it.
The charging station you plug your smartphone into via USB may not be entirely safe. On modern versions of Android and iOS, connecting a smartphone to a PC via USB requires permission to access the device. On Android 4.0 and below, however, this was not required. As a result, when such a device is connected to a charging station that has been compromised or set up by attackers, an opportunity for an attack opens up. The scenario might look like this:
- The victim plugs a device running Android 4.0 or earlier into the charging station via USB.
- The station opens a USB connection to the device, and on these versions no permission prompt is shown.
- A malicious application is installed on the device: adb install malware.apk.
- The application is launched: adb shell am start com.malware.app/.MainActivity.
- The application then tries to obtain root privileges on the device.
How to protect yourself
First of all, be careful not to leave your phone or tablet unattended in public places. Be sure to set a password to unlock your device, or turn on biometric protection if possible. Do not elevate your own privileges to administrative ones (jailbreak or root), and disable the display of notifications on the lock screen.
Attacks with malicious applications
There are several sources of such applications:
- Official app stores, Google Play and the App Store. Rarely, but even in official stores, you can find a malicious application that can harm you and your data. Often these apps try to get more installs with clickbait names like "Super Battery", "Turbo Browser" or "Virus Cleaner 2019".
- Third-party app stores: on Android, apps are distributed as apk files; on iOS, installation can be offered through Safari.
- Installation over a USB connection.
- For Android, instant apps delivered through Google Play Instant.
When installed on a smartphone, a malicious application, depending on the permissions it receives, gains access to some stored data, the microphone, camera, geolocation, contacts, etc. It can also interact with other installed applications through inter-process communication mechanisms (IPC/XPC). If the installed applications contain vulnerabilities exploitable through this interaction, the malicious application can take advantage of them. This is especially relevant for Android devices.
In addition, a malicious application can try to gain elevated privileges in the system by exploiting vulnerabilities that allow it to gain root privileges or jailbreak.
How to protect yourself
To protect against such attacks, first of all avoid installing applications from untrusted sources. Applications with suspicious names should be installed with caution even from official app stores, since no vetting works perfectly. Keep your OS and applications up to date so that known vulnerabilities cannot be exploited.
Attacks in the communication channel
For an attacker to operate in the communication channel, they need to perform a man-in-the-middle attack, that is, make all traffic between the client mobile application and the server side pass through the attacker's device. Applications sometimes contain vulnerabilities that make such attacks possible.
For example, when establishing a secure connection the client application normally verifies that the server certificate is authentic and that its parameters match the server it expects. However, developers sometimes disable these checks for convenience while working on the application and forget to enable them again in the release version. As a result, the application accepts any server certificate to establish a secure connection, including the attacker's.
Even if certificates are verified correctly, the attacker still has a loophole: under some pretext, convince the victim to install the attacker's certificate as a trusted one on their device. In addition, if the application itself works with its server securely but contains links to third-party resources loaded over plain HTTP, this still opens an opportunity for phishing attacks.
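The two client configurations described above side by side, as an added Python example that is not from the Positive Technologies study: a debug TLS context that accepts any certificate, the release context that validates the chain and host name, and a certificate pin that still holds when the user has been talked into installing an attacker's CA. The certificate bytes and pin value are constructed for the example.

```python
import hashlib
import socket
import ssl

# Constructed stand-in for the server certificate in DER form (not a real cert).
PINNED_CERT_DER = b"constructed-example-server-certificate-der-bytes"
# The pin shipped inside the app: SHA-256 of the DER certificate it expects.
PINNED_SHA256 = hashlib.sha256(PINNED_CERT_DER).hexdigest()


def debug_context() -> ssl.SSLContext:
    """The 'checks disabled for convenience' configuration: any server
    certificate, including an attacker's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be turned off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def release_context() -> ssl.SSLContext:
    """Release configuration: the chain is validated against the trust store
    and the certificate must match the host name we asked for."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only when both chain validation and host-name matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def cert_matches_pin(peer_cert_der: bytes, pinned_sha256: str = PINNED_SHA256) -> bool:
    """Pinning defeats a CA the victim was talked into installing: the certificate
    actually presented must hash to the value built into the app. (Pinning the
    whole certificate means rotation needs an app update; SPKI pins are more flexible.)"""
    return hashlib.sha256(peer_cert_der).hexdigest() == pinned_sha256


def connect_pinned(host: str, port: int = 443) -> bool:
    """Release settings plus the pin check on the certificate the peer presents."""
    ctx = release_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            if not cert_matches_pin(tls.getpeercert(binary_form=True)):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return True
```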
If an attacker manages to gain control over the traffic between the client application and the server, this will give him a number of possibilities:
- spoof server responses, for example to substitute bank details or inject phishing content;
- modify client application requests, for example changing the transfer amount and the recipient's account;
- intercept data such as logins, passwords, one-time passwords, bank card data and transaction history.
As a result, the attacker learns the victim's logins and passwords for various accounts and can use them to steal data and money.
How to protect yourself
Do not connect to questionable access points, and do not use proxy or VPN servers that you would not trust with your personal and banking information. Do not install third-party certificates on the device.
As a rule, most popular instant messengers and social media applications are well protected from such attacks. If one of these applications suddenly refuses to work over the current Wi-Fi connection, this may mean the access point is unsafe; it is better to disconnect from it so as not to endanger other applications, including your mobile banking app.
Remote attacks
Some vulnerabilities in mobile applications can be exploited remotely without even requiring control over data transfer between the application and the server. Many applications provide functionality for handling special links, such as myapp://. These links are called deep links and they work on both Android and iOS. Clicking such a link in a browser, mail client or messenger can open the application registered to process it. The entire link, including its parameters, is passed to the handling application. If the link handler contains vulnerabilities, then exploiting them only requires getting the victim to follow a malicious link.
Similarly, the more familiar http:// and https:// links can be processed on mobile devices: they can be handed to an application instead of the browser, and in some cases this happens without confirmation from the user.
For Android devices, clicking on the link may trigger the download of the Instant App, which could allow remote exploitation of vulnerabilities associated with the installation of a malicious application.
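The deep link handling described above, as an added Python example that is not from the original article: a naive handler that acts on whatever a myapp:// link carries, beside a hardened one that validates scheme, action, parameter set and values and still leaves the final decision to the user. The myapp scheme, the transfer action and the sample links are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample links for a hypothetical banking app (not from the study).
LEGIT_LINK = "myapp://transfer?amount=100&to=ACC-001"
# Parameter pollution: duplicated keys override the visible values in a naive handler.
TAMPERED_LINK = "myapp://transfer?amount=100&to=ACC-001&amount=999999&to=ATTACKER"
FOREIGN_LINK = "myapp://webview?url=http://evil.example/phish"

# Every action the app is willing to accept from outside, with its exact parameter set.
ALLOWED_ACTIONS = {"transfer": {"amount", "to"}}
ACCOUNT_RE = re.compile(r"^ACC-\d{3}$")
MAX_AMOUNT = 10_000


def naive_handler(link: str) -> dict:
    """Vulnerable pattern: whatever the link carries is passed straight to the action."""
    parts = urlsplit(link)
    params = parse_qs(parts.query)
    return {"action": parts.netloc, **{k: v[-1] for k, v in params.items()}}


def hardened_handler(link: str):
    """Treat the link as untrusted input: check scheme, action, parameter names,
    multiplicity and values, and never run a sensitive action without the user."""
    parts = urlsplit(link)
    if parts.scheme != "myapp" or parts.netloc not in ALLOWED_ACTIONS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if set(params) != ALLOWED_ACTIONS[parts.netloc]:
        return None                      # missing or unexpected parameters
    if any(len(values) != 1 for values in params.values()):
        return None                      # duplicated parameters (pollution)
    amount, to = params["amount"][0], params["to"][0]
    if not amount.isdigit() or not 0 < int(amount) <= MAX_AMOUNT:
        return None
    if not ACCOUNT_RE.match(to):
        return None
    # Validated, but still only a proposal: the app shows it and asks the user to confirm.
    return {"action": "transfer", "amount": int(amount), "to": to,
            "needs_user_confirmation": True}
```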
How to protect yourself
Timely installation of application and OS updates in this case is the only way to protect yourself. If you are unable to install the update or it has not yet been released, you can temporarily stop using the affected application: uninstall it from your device or simply log out.
Server side attacks
To attack a mobile application server, an attacker, as a rule, only needs to study how the client application interacts with the server and, based on the collected information about entry points, try to modify requests in order to detect and exploit vulnerabilities.
Often the back end of a mobile application is no different in design from a web application. As a rule, mobile application servers are even simpler: they usually expose a JSON or XML API and rarely work with HTML markup and JavaScript the way websites do.
If we compare the vulnerabilities of web applications and the back-end of mobile applications, we see that the following vulnerabilities prevail in mobile applications:
- insufficient protection against brute-force credentials: 24% of web applications and 58% of mobile application servers contain such vulnerabilities,
- business logic errors: 2% of web applications and 33% of mobile application servers.
Our research shows that application users can often access other users' data: card numbers, first and last names, phone numbers, etc. Moreover, such access can be erroneously granted either on behalf of another user or without authentication at all, which comes down to weaknesses in authentication and authorization.
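A minimal back end illustrating the two vulnerability classes behind the numbers above, added as a Python example that is not part of the Positive Technologies research: a login endpoint with a per-account failure window against credential brute force, and a card lookup shown first without and then with an authentication and ownership check. The users, cards and session tokens are constructed demo data.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed demo data (not from the study); real systems store password hashes, not passwords.
USERS = {"alice": "correct horse", "bob": "battery staple"}
CARDS = {"card-1": {"owner": "alice", "pan_last4": "1234"},
         "card-2": {"owner": "bob", "pan_last4": "5678"}}
SESSIONS = {"tok-alice": "alice"}          # session token -> authenticated user

MAX_FAILURES, WINDOW_SEC = 5, 600
_failures = defaultdict(deque)             # account -> timestamps of recent failed logins


def login(username, password, now=None):
    """Credential check with a per-account failure window (the brute-force protection
    58% of the surveyed servers lacked). Combine with per-IP limits in practice,
    since a per-account counter alone lets an attacker lock a victim out."""
    now = time.time() if now is None else now
    recent = _failures[username]
    while recent and now - recent[0] > WINDOW_SEC:
        recent.popleft()                   # forget attempts outside the window
    if len(recent) >= MAX_FAILURES:
        return {"error": "locked", "retry_after": int(WINDOW_SEC - (now - recent[0]))}
    if hmac.compare_digest(USERS.get(username, ""), password):
        recent.clear()
        return {"ok": True}
    recent.append(now)
    return {"error": "invalid_credentials"}


def get_card_insecure(card_id):
    """Vulnerable: any caller can read any card by guessing its id (no authn, no ownership check)."""
    return CARDS.get(card_id)


def get_card(session_token, card_id):
    """Fixed: the caller must be authenticated and must own the card; an unknown id and
    someone else's id give the same answer so ids cannot be enumerated."""
    user = SESSIONS.get(session_token)
    if user is None:
        return {"error": "unauthenticated"}
    card = CARDS.get(card_id)
    if card is None or card["owner"] != user:
        return {"error": "not_found"}
    return {"pan_last4": card["pan_last4"]}
```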
How to protect yourself
In this case there is little the average user can do. However, you can reduce the risk of server attacks by using a strong password and enabling two-factor authentication with one-time passwords in all critical applications that support it.
To minimize the likelihood of a successful attack on a mobile application, its developers should check the feasibility of each of the scenarios described. Different attacker models must be taken into account during development, and some protective measures must be taken at the design stage.
A good recommendation for developers is to implement a security development lifecycle (SDL) and regularly review the application's security. Such measures will not only help identify potential threats in time, but will also raise developers' security knowledge, which will increase the security level of the applications they develop in the long term.
Posted by Nikolay Anisenya, Head of Mobile Application Security Research Group at Positive Technologies