ITKarma picture

Image: Unsplash

Modern mobile devices are very complex, and this gives attackers the ability to conduct attacks. Literally everything can be used to hack your smartphone - from Wi-Fi and Bluetooth to speaker and microphone .

Positive Technologies analysts have published a study of common attack scenarios on mobile devices and applications. In
our article is the main points of this document.

How are mobile devices and applications attacked



There are five main attack scenarios. Among them:

  • Physical Access . If the phone was stolen or lost, the owner gave it to the service or connected to a fake charger via USB - all this opens up the possibility of an attack.
  • Malicious app on device . Sometimes such applications can even be accessed from official sources, the Google Play and App Store (for Android , for iOS ).
  • Attacker in the communication channel . By connecting to an untrusted Wi-Fi, proxy server or VPN, we become vulnerable to attacks in the communication channel.
  • Remote Attacks . An attacker can act remotely, using mobile application servers or other services to deliver the exploit.
  • Attacks on the server side . Separately, you can consider attacks on the server side of mobile applications, since in this case an attacker does not need access to the device.

Let's talk more about each of the options and discuss possible ways to protect against such attacks.

Physical access attacks


There are several main attack scenarios with physical access. As a rule, they mean a person’s access directly to the smartphone: this happens if the device was stolen, the owner lost it or took it to the service. However, there is a rather unusual attack method for which a malicious charging station is used. Let's consider it.

The charging station to which you connect your smartphone via USB may not be completely safe. For modern versions of Android and iOS, when connecting from a smartphone to a PC via USB, permission to access the device is required. However, on Android 4.0 and below, this was not required. As a result, when such devices are connected to charging stations compromised or installed by hackers, an opportunity for attack opens up. Her script might look like this:

  • USB debugging is available on your Android 4.0 or lower smartphone.
  • You are connecting to the charging station via a USB cable.
  • A malicious charging station executes the adb install malware.apk command to install malware on your device.
  • A malicious charging station executes the adb am start com.malware.app/.MainActivity command to launch this malicious application.
  • The launched trojan tries various privilege escalation techniques, obtains root privileges and fixes itself in the system. Now he has access to all stored data, including authentication (logins, passwords, tokens) from all installed applications, as well as unlimited access to any application at runtime.

How to defend yourself


First of all, be careful not to leave your phone and tablet unattended in public places. Be sure to set a password to unlock the device or enable biometric protection, if possible. Do not increase privileges to administrative (jailbreak or root), turn off the display of notifications on the locked screen.

Malicious application attacks


There are several sources for such applications:

  • Official App Stores - Google Play and App Store. Rarely, but even in official markets you can find a malicious application that can harm you and your data.Often such applications try to get more installations using clickbait names like “Super Battery”, “Turbo Browser”, or “Virus Cleaner 2019.”
  • Unofficial sites and application stores (third-party appstore). For Android devices, it’s enough to allow installation from untrusted sources, and then download the apk file of the application from the site. For iOS devices, just follow the link in the Safari browser, confirm the installation of the certificate on the device, after which any application in this unofficial store will be available for installation directly from the browser.
  • A user can install an application downloaded from the Internet using a USB connection.
  • For Android devices, it’s possible to download part of the application when clicking on the link - the Google Play Instant mechanism.

When installed on a smartphone, depending on the permissions obtained, malicious applications will have access to some stored data, a microphone, a camera, geolocation, contacts, etc. They will also be able to interact with other installed applications through interprocess communication mechanisms (IPC/XPC). If installed applications contain vulnerabilities that can be exploited through such interaction, a malicious application could take advantage of this. This is especially true for Android devices.

In addition, a malicious application may try to gain elevated privileges on the system by exploiting vulnerabilities that allow it to gain root privileges or jailbreak.

How to defend yourself


To protect against such attacks, it is recommended that you first avoid installing applications from untrusted sources. With caution, you must install applications with suspicious names even from official application stores, since no checks work perfectly. Update your OS and applications in a timely manner to prevent attacks through known vulnerabilities.

Attacks in the communication channel


In order for an attacker to be able to act from a communication channel, he needs to perform a man-in-the-middle attack, that is, all traffic transferred between the client mobile application and the server part must pass through the device of the attacker. Vulnerabilities are sometimes found in applications that allow such attacks.

For example, usually when a secure connection is established, the client application verifies the authenticity of the server certificate and the compliance of its parameters with the server parameters. However, sometimes developers for convenience when working on the application disable such checks, forgetting to include them back in the release version. As a result, the application accepts any server certificate to establish a secure connection, including an attacker certificate.

Even if the certificate verification is correct, the attacker still has a loophole: under some pretext, force the victim to install the attacker certificate on his device as trusted. In addition, if the application itself safely works with the server, but contains links to third-party resources downloaded via HTTP, this still makes it possible to conduct phishing attacks.

If an attacker manages to gain control over the traffic between the client application and the server, this will give him a number of possibilities:

  • substitute server responses, for example, to substitute banking details or phishing;
  • substitute client application requests, for example, changing the transfer amount and the recipient's account;
  • intercept data, such as logins, passwords, one-time passwords, bank card data, transaction history.

As a result, he will learn the usernames and passwords of the victim from various accounts and will be able to use them to steal data, steal money.

How to defend yourself


Do not connect to questionable access points, do not use proxy and VPN servers that you do not trust your personal and banking information. Do not install third-party certificates on the device.

As a rule, most popular instant messengers and social network applications are well protected from such attacks; if, for example, suddenly one of these applications refuses to work through the current Wi-Fi connection, this may mean that this access point is unsafe and it is better to disconnect from it so as not to endanger other applications, including your mobile bank.

Remote Attacks


Some vulnerabilities in mobile applications can be exploited remotely, and you do not even need to control the transfer of data between the application and the server. Many applications implement functionality for handling special links, for example myapp://. These links are called deeplinks, and they work on both Android and iOS. Clicking on such a link in a browser, mail application or messenger can trigger the opening of an application that can handle such links. The entire link, including parameters, will be passed to the handler application. If the link handler contains vulnerabilities, then for their exploitation it will be enough to force the victim to follow a malicious link.

Similarly, the more familiar http://and https://links can be processed on mobile devices - they can be passed to the application instead of the browser, in some cases this can happen without user confirmation.

For Android devices, clicking on the link may provoke the Instant App loading, which makes it possible to remotely exploit vulnerabilities associated with installing a malicious application.

How to defend yourself


Timely installation of application and OS updates in this case is the only way to protect yourself. If you are unable to install the update or it has not yet been released, you can temporarily stop using the vulnerable application: remove it from the device or simply log out.

Attacks on the server side


To attack a mobile application server, an attacker usually needs to study how the client application interacts with the server and, based on the collected information about the entry points, try to modify requests in order to detect and exploit vulnerabilities.

Often, the server device of a mobile application is no different from a web application. As a rule, mobile application servers are arranged even easier and often are json- or xml-api, rarely work with HTML markup and JavaScript, as websites often do.

If we compare the vulnerabilities of web applications and the server parts of mobile applications, we see that the following vulnerabilities prevail in mobile applications:

  • insufficient protection against credentials: 24% of web applications and 58% of mobile application servers contain such vulnerabilities
  • business logic errors: 2% of web applications and 33% of mobile application servers.

Our research shows that often application users can access other users' data: card numbers, first and last names, phone numbers, etc. Moreover, access can be erroneously granted both on behalf of another user and without authentication at all, due to the presence of weaknesses in authentication and authorization.

How to defend yourself


In this case, the average user can do little. However, you can reduce the risk of attacks from server attacks by using a complex password, as well as setting up two-factor authentication with one-time passwords in all mission-critical applications that allow this.

To minimize the likelihood of a successful attack on a mobile application, its developers should check the possibility of implementing each of the described scenarios. When developing, it is necessary to take into account various models of intruders, and some protective measures must be taken at the design stage.

A good recommendation for developers would be to implement a secure development lifecycle (SDL) practice and regularly review application security. Such measures will not only help to identify potential threats in a timely manner, but also increase the level of security knowledge of developers, which will increase the level of security of developed applications in the long term.

Author : Nikolai Anisenya, Head of Positive Technologies Mobile Application Security Research Group.

Source