Modern mobile devices are very complex, and this gives attackers the ability to conduct attacks. Literally anything can be used to hack your smartphone – from Wi-Fi and Bluetooth to speaker and microphone.
How attack mobile devices and applications
There are five main attack scenarios. Among them:
- Physical access. If the phone was stolen or lost, the owner gave it to the service or connected to a fake charger via USB – all this opens up the possibility of an attack.
- Malicious app on device. Sometimes such applications can get to the device even from official sources, Google Play and the App Store (for Androidfor iOS)
- Attacker in the communication channel. By connecting to an untrusted Wi-Fi, proxy server or VPN, we become vulnerable to attacks in the communication channel.
- Remote attacks. An attacker can act remotely, using mobile application servers or other services to deliver the exploit.
- Attacks on the server side. Separately, you can consider attacks on the server side of mobile applications, since in this case an attacker does not need access to the device.
Let’s talk more about each of the options and discuss possible ways to protect against such attacks.
Physical Access Attacks
There are several main attack scenarios with physical access. As a rule, they mean a person’s access directly to the smartphone: this happens if the device was stolen, the owner lost it or took it to the service. However, there is a rather unusual attack method for which a malicious charging station is used. Let’s consider it.
The charging station to which you connect your smartphone via USB may not be completely safe. For modern versions of Android and iOS, when connecting from a smartphone to a PC via USB, permission to access the device is required. However, on Android 4.0 and below, this was not required. As a result, when such devices are connected to charging stations compromised or installed by hackers, an opportunity for attack opens up. Her script might look like this:
- USB debugging is available on your smartphone with Android 4.0 or lower.
- You connect to the charging station via a USB cable.
- A malicious charging station executes the adb install malware.apk command to install malware on your device.
- The malicious charging station executes the adb am start com.malware.app/.MainActivity command to launch this malicious application.
- The launched trojan tries various privilege escalation techniques, obtains root privileges and is fixed in the system. Now he has access to all stored data, including authentication (logins, passwords, tokens) from all installed applications, as well as unlimited access to any application at runtime.
How to protect yourself
First of all, be careful not to leave your phone and tablet unattended in public places. Be sure to set a password to unlock the device or enable biometric protection, if possible. Do not increase privileges to administrative (jailbreak or root), disable the display of notifications on a locked screen.
There are several sources of such applications:
- The official app stores are Google Play and the App Store. Rarely, but even in official markets you can find a malicious application that can harm you and your data. Often such applications try to get more installations using clickbait names like Super Battery, Turbo Browser, or Virus Cleaner 2019.
- Unofficial sites and application stores (third-party appstore). For Android devices, it’s enough to allow installation from untrusted sources, and then download the apk file of the application from the site. For iOS devices, just follow the link in the Safari browser, confirm the installation of the certificate on the device, after which any application in this unofficial store will be available for installation directly from the browser.
- The user can install the application downloaded from the Internet using a USB connection.
- For Android devices, it is possible to download part of the application when clicking on the link – the Google Play Instant mechanism.
When installed on a smartphone, depending on the permissions received, malicious applications will have access to some stored data, a microphone, a camera, geolocation, contacts, etc. They will also be able to interact with other installed applications through interprocess communication mechanisms (IPC / XPC). If installed applications contain vulnerabilities that can be exploited through such interaction, a malicious application could take advantage of this. This is especially true for Android devices.
In addition, a malicious application may try to gain elevated privileges on the system by exploiting vulnerabilities that allow it to gain root rights or jailbreak.
How to protect yourself
To protect against such attacks, it is recommended that you first avoid installing applications from untrusted sources. With caution, you must install applications with suspicious names even from official application stores, since no checks work perfectly. Update your OS and applications in a timely manner to eliminate the possibility of attacks through known vulnerabilities.
In order for an attacker to be able to act from a communication channel, he needs to perform a man-in-the-middle attack, that is, all traffic transmitted between the client mobile application and the server part must pass through the device of the attacker. Sometimes in applications there are vulnerabilities that allow such attacks.
For example, usually when a secure connection is established, the client application verifies the authenticity of the server certificate and the compliance of its parameters with the server parameters. However, sometimes developers for convenience when working on the application disable such checks, forgetting to include them back in the release version. As a result, the application accepts any server certificate to establish a secure connection, including an attacker certificate.
Even if the certificate verification is correct, the attacker still has a loophole: under some pretext, force the victim to install the attacker certificate on his device as trusted. In addition, if the application itself safely works with the server, but contains links to third-party resources downloaded via HTTP, this still makes it possible to conduct phishing attacks.
If an attacker manages to gain control over the traffic between the client application and the server, this will give him a number of possibilities:
- substitute server responses, for example, to substitute banking details or phishing;
- Substitute client application requests, for example, changing the transfer amount and the recipient’s account;
- intercept data, such as logins, passwords, one-time passwords, bank card data, transaction history.
As a result, he will learn the usernames and passwords of the victim from various accounts and will be able to use them to steal data, steal money.
How to protect yourself
Do not connect to questionable access points, do not use proxy and VPN servers that you do not trust your personal and banking information. Do not install third-party certificates on the device.
As a rule, most popular instant messengers and social network applications are well protected from such attacks; if, for example, suddenly one of these applications refuses to work through the current Wi-Fi connection, this may mean that this access point is unsafe and it is better to disconnect from it so as not to endanger other applications, including your mobile bank.
Some vulnerabilities in mobile applications can be exploited remotely, and you do not even need to control the transfer of data between the application and the server. Many applications implement functionality for processing special links, for example myapp: //. These links are called deeplinks, and they work on both Android and iOS. Clicking on such a link in a browser, mail application or messenger can trigger the opening of an application that can handle such links. The entire link, including parameters, will be passed to the handler application. If the link handler contains vulnerabilities, then for their exploitation it will be enough to force the victim to follow a malicious link.
Similarly, the more familiar http: // and https: // links can be processed on mobile devices – they can be transferred to the application instead of the browser, in some cases this can happen without user confirmation.
For Android devices, clicking on the link can provoke the Instant App loading, which makes it possible to remotely exploit vulnerabilities associated with the installation of a malicious application.
How to protect yourself
Timely installation of application and OS updates in this case is the only way to protect yourself. If you do not have the opportunity to install the update or it has not yet been released, you can temporarily stop using the vulnerable application: remove it from the device or simply log out.
Attacks on the server side
To attack a mobile application server, an attacker, as a rule, needs to study how the client application interacts with the server and, based on the collected information about the entry points, try to modify the requests in order to detect and exploit vulnerabilities.
If we compare the vulnerabilities of web applications and the server parts of mobile applications, we see that the following vulnerabilities prevail in mobile applications:
- insufficient protection against credentials: 24% of web applications and 58% of mobile application servers contain such vulnerabilities,
- business logic errors: 2% of web applications and 33% of mobile application servers.
Our research shows that often application users can access other users’ data: card numbers, first and last names, phone numbers, etc. Moreover, access can be erroneously granted both on behalf of another user and without authentication at all, due to the presence of weaknesses in authentication and authorization.
How to protect yourself
In this case, the average user can do little. However, you can reduce the risks of suffering from attacks on the server by using a complex password, as well as setting up two-factor authentication with one-time passwords in all critical applications that can do this.
To minimize the likelihood of a successful attack on a mobile application, its developers should check the possibility of implementing each of the described scenarios. When developing, it is necessary to take into account various models of intruders, and some protective measures must be taken at the design stage.
A good recommendation for developers would be to implement a secure development lifecycle (SDL) practice and regularly review application security. Such measures will not only help to identify potential threats in a timely manner, but also increase the level of developers’ knowledge on security issues, which will increase the level of security of developed applications in the long term.
Author: Nikolay Anisenya, Head of Mobile Technologies Security Research Team Positive Technologies