If smartphones have become such an indispensable tool for individuals and professionals, it is particularly due to the mobile applications that support our daily activities.
However, an innocent action such as downloading and using an application on a smartphone doesn’t come without risks. While the vast majority of applications pose no threat to an organization or its employees, others can go a long way in compromising strategic and sensitive information.
Downloading mobile apps: What are the risks?
According to a NowSecure study of more than 400,000 applications available in Google Play Store, 11% leak sensitive information and 25% pose at least a significant security risk. Not to mention that half of Android and iOS applications, including the most popular ones, send data to one or more ad networks, including phone numbers, IMEI numbers, call history and location.
In some cases, an apparently legitimate application contains hidden and malicious features that can even take control of your phone, and access sensitive information such as passwords, photos and banking details.
For professionals, the risks are real. An application can access data that you think is protected and secure, without you even noticing it. Business contacts, instant messages, emails and confidential documents… nothing is safe if you do not apply strict security rules.
Top threats from mobile apps
The consequences of downloading a malicious application can be serious. A closer look at the main threats:
- Data theft: As soon as it is launched, the application can access data stored on the phone and send it to a third party server. This information can then be sold, shared online or used to extort money from the victim.
- Premium subscriptions without consent: The application registers users to a premium service without their consent. Users are charged without always benefitting from said services. By the time they realize the problem, it is already too late.
- Advertising click fraud: The application uses a program to abuse banner ads, a technique that consumes hardware and software resources, and costs money to publishers and advertisers alike.
- Launch of an infected app: Under the guise of a legitimate application, malware steals information, slows the phone down or even takes control of it. It can also use phone resources to mine cryptocurrencies or relay traffic through the phone's Internet connection.
- Spying: The application monitors activities on the phone, intercepts communications and geolocates the user in real time.
- Rooting: Hackers manage to take full control of the phone remotely. They can send emails and messages impersonating the user, activate both camera and microphone, access files stored locally and in the cloud, etc.
Examples of hacking and mobile data theft
Thousands of such cases are reported every year, but the most worrying are those that are yet to be discovered. In the meantime, the following are real cases:
Fake WhatsApp app
Hackers have created an application called “Update WhatsApp Messenger” using WhatsApp Inc. as the developer’s name. Available on Google Play Store and downloaded more than a million times by Android users, this application was able to install other advertising programs.
Vulnerable military applications
In the United States, Android applications used by army combat troops contained significant vulnerabilities. Hackers had access to information exchanged between soldiers. These mobile applications included instant messaging features to coordinate with other services, posted mission objectives and goals, showed satellite images of the surrounding areas, and highlighted locations of enemy and friendly forces. Luckily, these apps were only used during training. But this security issue is reminiscent of another: the geolocation of US military bases abroad when soldiers used an application during their daily jogging exercises. It was then possible to know who was running, where, and when.
A virus stealing money on PayPal accounts
Antivirus or smartphone optimization? This is the kind of application hiding real digital dangers. This virus runs on Android and can steal €1,000 from a PayPal account, even when it is secured using two-factor authentication. The Trojan is hidden in applications hosted on a third-party marketplace.
Anubis, a very difficult to spot malware
Hidden behind payment, finance, cashback and shopping apps, Anubis opens a communication channel with a remote server to steal passwords and clear bank accounts.
Fortnite clones: a dangerous popularity
Professional smartphones are sometimes used outside business hours by the children of employees. They download games that can be malicious. This is the case with the famous Fortnite game. While the game is not downloadable online, fraudulent clones are available on Google Play Store to attract the least cautious users. In the end, the application contains a virus, malware or spyware, and can have serious consequences, even after it has been removed from the phone.
How to limit risks?
Step one: Train and educate your staff
It may not be enough, but it is a first essential step. The first thing to do is to set up mandatory awareness training for all smartphone users. The rules are simple:
- No application should be downloaded outside official marketplaces
- Favor professional applications developed by recognized publishers
- Limit downloads of non-professional applications (games, weather, etc.)
Step two: Implement security rules
The purpose of security rules is to control software on professional smartphones and tablets. Two levels of security rules can be applied:
- OS updates and security patches.
- Enforcement of certain security parameters, e.g. prohibiting applications from unofficial marketplaces.
This first security approach is implemented using MDM (Mobile Device Management) solutions and other mobile security solutions.
Step Three: Protect device data
This step focuses on data security (files, location information, audio/video capture…) accessible to applications installed on a smartphone.
- Encrypt local data on the device using a solution capable of resisting hacking attempts (brute force or exploiting OS vulnerabilities).
- Establish white lists of applications or an enterprise App Store, and granular management of application permissions.
- Compartmentalize data (containerization) to ensure that operations carried out in the personal space do not affect enterprise data stored in the professional space, and vice-versa.
Certain MAM (Mobile Application Management) solutions offer these features, purely as a software approach. Only a secure smartphone solution provides deep protection by combining secure application layers and operating system defenses, as well as using a secure hardware component.
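To make steps two and three concrete on Android, here is an added example (not code from the original article, nor from any MDM or MAM product it mentions) of how an enterprise device-administration app would enforce those rules with the public DevicePolicyManager API. It assumes the app has already been provisioned as device owner (the update policy requires that) and that AdminReceiver is its DeviceAdminReceiver subclass; both that class name and the allowlisted package names passed in are hypothetical.

```java
// Added example: applying the article's step-two and step-three rules with
// Android's DevicePolicyManager. Assumes this app is provisioned as device
// owner and that AdminReceiver (hypothetical name) is its DeviceAdminReceiver.
import android.Manifest;
import android.app.admin.DevicePolicyManager;
import android.app.admin.SystemUpdatePolicy;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.UserManager;
import java.util.List;
import java.util.Set;

public class MobilePolicy {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;
    private final PackageManager pm;

    public MobilePolicy(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(ctx, AdminReceiver.class); // hypothetical receiver
        pm = ctx.getPackageManager();
    }

    // Step two: OS updates/patches and enforced security parameters.
    public void applySecurityRules() {
        // Install OS updates automatically as soon as they are available (API 23+).
        dpm.setSystemUpdatePolicy(admin, SystemUpdatePolicy.createAutomaticInstallPolicy());
        // Block installation from unofficial sources ("Install unknown apps").
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        // Block ADB/developer debugging, a common sideloading path on work devices.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
    }

    // Step three: application allowlist, granular permissions, containerization.
    public void applyDataProtection(Set<String> allowedPackages) {
        // Hide every user-installed package that is not on the allowlist.
        // (Hidden apps cannot be launched; system apps are left alone.)
        List<ApplicationInfo> installed = pm.getInstalledApplications(0);
        for (ApplicationInfo app : installed) {
            boolean systemApp = (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (!systemApp && !allowedPackages.contains(app.packageName)) {
                dpm.setApplicationHidden(admin, app.packageName, true);
            }
        }
        // Even allowlisted apps get sensitive runtime permissions denied by
        // default; the user cannot override a DENIED grant state.
        String[] sensitive = {
            Manifest.permission.ACCESS_FINE_LOCATION,
            Manifest.permission.RECORD_AUDIO,
            Manifest.permission.CAMERA,
            Manifest.permission.READ_CONTACTS
        };
        for (String pkg : allowedPackages) {
            for (String perm : sensitive) {
                dpm.setPermissionGrantState(admin, pkg, perm,
                        DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED);
            }
        }
        // Containerization: when this admin also manages a work profile, stop
        // clipboard data from crossing between the personal and work spaces.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
    }

    // Check for the encryption requirement: true when device storage is
    // encrypted (whole-disk or per-user file-based encryption).
    public boolean isStorageEncrypted() {
        int status = dpm.getStorageEncryptionStatus();
        return status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE
            || status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER;
    }
}
```

In practice the allowlist itself would come from an enterprise app store (managed Google Play) rather than a hard-coded set, and hiding a package is a software control only: it does not remove the APK, which is why the article distinguishes a purely software MAM approach from a device whose protection also rests on the operating system and a hardware security component.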
Defense, research, finance, banking, consulting… There are numerous industries where information security is paramount. New technologies and new uses combining immediacy and mobility are finding their way everywhere. Without securing mobile apps and smartphones, it can be difficult to develop a real defense plan. As you secure your home, office, and website, shouldn’t you do the same for your smartphone?