Android Security
For example, consider trying to open a music application, but the Call logs open
instead. Bugs of this type generally only inconvenience the users. But once they
become severe, they can also leave a deep impact on the software's reputation.
2. Another type is the one that actually affects the security of the software.
Along with the software, it also affects the devices on which the software is
installed.
For example, consider an application that asks you to enter a username and
password, but logs you in as soon as you enter the username. This might sound
interesting, but it may lead to leaked information and severe situations later.
So these were the two types. To be more exact, a bug of the first category
might turn into the second if it is manipulated in the right way, and that is the
reason security patches are actually important for us and our devices.
Security patches are distributed to all Android devices in a timely manner, and
there are various different security patch levels. You must always keep your
device's security patch level up to date to ensure it is safe.
SECURITY STANDARDS
Security policies:
All mobile apps should present their privacy policies, data sharing policies and
legal policies through end-user license agreements.
All major events, such as failed login attempts, app crashes and system events,
should be logged.
For secured applications and secure functionality, the system should use multi-factor
authentication or mobile device management (MDM) capability.
Two-factor authentication: the authentication is performed twice, once
with the user credentials and a second time using an OTP (one-time password).
On-Device Data Security - Encrypt data that resides on the device for
native and hybrid apps.
All mobile apps should use filters, validations and other secure mechanisms to
address the following vulnerabilities:
Unvalidated input
Buffer overflows
Loss of the mobile device. This is a common issue that can put at risk not
only you but even your contacts through possible phishing.
Bad use of your mobile resources − which means that your network or
mobile device can be overloaded so that you are unable to access your
genuine services. In worse scenarios, they can be used by the hacker to attack
another machine or network.
Infecting the device with mobile spyware is performed differently for Android
and iOS devices.
Android − Users are tricked into downloading an app from the market or from a
third-party source, generally by using a social engineering attack. Remote
infection can also be performed through a Man-in-the-Middle (MitM) attack,
where an active adversary intercepts the user's mobile communications to
inject the malware.
iOS − iOS infection requires physical access to the mobile. Infecting the device
can also be done by exploiting a zero-day such as the JailbreakMe exploit.
Installing a backdoor
Spyware sends mobile content such as encrypted emails and messages to the
attacker's servers in plain text. The spyware does not directly attack the secure
container. It grabs the data at the point where the user pulls it up from the
secure container in order to read it. At that stage, when the content is decrypted
for the user's use, the spyware takes control of the content and sends it on.
In most cases, we wonder what we could possibly lose if our mobile is
hacked. The answer is simple - we will lose our privacy. Our device will
become a surveillance system for the hacker to observe us. Other profitable
activities for the hacker are to take our sensitive data, make payments, and carry
out illegal activities like DDoS attacks. Following is a schematic representation.
OWASP Mobile Top 10 Risks
When talking about mobile security, we base the vulnerability types on
OWASP, a not-for-profit charitable organization in the United States,
established on April 21. OWASP is an international organization and the
OWASP Foundation supports OWASP efforts around the world.
M1-Improper Platform Usage
This category covers the misuse of a platform feature or the failure to use
platform security controls. It might include Android intents, platform
permissions, misuse of TouchID, the Keychain, or some other security control
that is part of the mobile operating system. There are several ways that mobile
apps can experience this risk.
M2-Insecure Data
This new category is a combination of M2 and M4 from Mobile Top Ten 2014.
This covers insecure data storage and unintended data leakage.
M3-Insecure Communication
This covers poor handshaking, incorrect SSL versions, weak negotiation, clear
text communication of sensitive assets, etc.
M4-Insecure Authentication
This category captures the notions of authenticating the end user or bad session
management. This includes −
M5-Insufficient Cryptography
M6-Insecure Authorization
If the app does not authenticate the users at all in a situation where it should
(e.g., granting anonymous access to some resource or service when
authenticated and authorized access is required), then that is an authentication
failure, not an authorization failure.
M7-Client Code Quality
This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used
categories. This is the catch-all for code-level implementation problems
in the mobile client. That is distinct from server-side coding mistakes. It
captures things like buffer overflows, format string vulnerabilities, and
various other code-level mistakes where the solution is to rewrite some code
that runs on the mobile device.
M8-Code Tampering
Once the application is delivered to the mobile device, the code and data
resources are resident there. An attacker can either directly modify the code,
change the contents of memory dynamically, change or replace the system
APIs that the application uses, or modify the application's data and resources.
This can provide the attacker a direct method of subverting the intended use of
the software for personal or monetary gain.
M9-Reverse Engineering
This category includes analysis of the final core binary to determine its source
code, libraries, algorithms, and other assets. Software such as IDA Pro,
Hopper, otool, and other binary inspection tools give the attacker insight into
the inner workings of the application. This may be used to exploit other nascent
vulnerabilities in the application, as well as revealing information about back-
end servers, cryptographic constants and ciphers, and intellectual property.
M10-Extraneous Functionality
Using the information gathered, the attacker can exploit the device and launch
any other attack. Attackers can also socially engineer users into downloading and
running apps outside the official app stores. Malicious apps can damage other
applications and data, sending your sensitive data to attackers.
The sandbox helps mobile users by limiting the resources that an application
can use on the mobile device. However, many malicious applications can bypass
it, allowing the malware to use all the device's processing capabilities and user
data.
Figure: Secure Sandbox vs. Vulnerable Sandbox
SMS phishing is successful because it plays on the fear and anxiety of the
users. An irrational SMS instills fear in the mind of the user. Most of the
scenarios have to do with the fear of losing money, like someone having purchased
something using your credit card.
Other instances include the fear when an SMS accuses you of doing something
illegal that you haven't done, or an SMS regarding the possibility of harm to
your family members, etc.
SMS Phishing Attack Examples
Now let us see a few examples to understand the cases where SMS Phishing
mostly happens.
Example 1
Generally, scammers use email-to-SMS services to spoof their real identity. If you
google it, you may find many legitimate resources. Just search for:
email to SMS providers.
Example 2
The other classical scam is financial fraud which will ask you for PIN, username,
password, credit card details, etc.
Example 3
Spelling and bad grammar. Cybercriminals generally make grammar and spelling
mistakes because they often use a dictionary to translate into a specific language. If
you notice mistakes in an SMS, it might be a scam.
Example 4
SMS phishing attempts create a false sense of urgency.
Example 5
Cybercriminals often use threats that your security has been compromised. The
above example proves it well. In the following case, the subject says you have won
a gift.
Example 6
In this case, an SMS asks you to reply so that they can verify that your number is
valid. This can increase the amount of SMS spam sent to your number.
Example 7
Spoofing popular websites or companies. Scam artists use the names of big
organizations and links that appear to be connected to legitimate websites but actually
take you to phony scam sites or legitimate-looking pop-up windows.
Prevention and Solutions
In order to protect ourselves from SMS phishing, some rules have to be kept in
mind.
Financial companies never ask for personal or financial information, like
username, password, PIN, or credit or debit card numbers via text message.
Smishing scams attempt to create a false sense of urgency by requesting an
immediate response. Keep calm and analyze the SMS.
Don’t open links in unsolicited text messages.
Don’t call a telephone number listed in an unsolicited text message. You
should contact any bank, government agency, or company identified in the
text message using the information listed in your records or on official
webpages.
Don’t respond to smishing messages, even to ask the sender to stop
contacting you.
Use caution when providing your mobile number or other information in
response to pop-up advertisements and “free trial” offers.
Verify the identity of the sender and take the time to ask yourself why the
sender is asking for your information.
Be cautious of text messages from unknown senders, as well as unusual text
messages from senders you do know, and keep your security software and
applications up to date.
Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections
Bluetooth is a similar radio-wave technology, but it is mainly designed to
communicate over short distances, less than about 10m or 30ft. Typically, you might
use it to download photos from a digital camera to a PC, to hook up a wireless
mouse to a laptop, to link a hands-free headset to your cellphone so you can talk
and drive safely at the same time, and so on.
To establish this connection, the devices exchange each other's PIN, but in general
the technology is not secure. It is good practice to re-pair the devices after a period
of time.
Make calls
Press keys
Read contacts
Read SMS
Delete applications
Keep paired devices close together and monitor what's happening on the devices.
Improved performance
Wi-Fi and Bluetooth tethering
Rooting also comes with many security and other risks to your device such as −
Poor performance
Before performing a vulnerability analysis, make sure that the whole team is
ready and prepared with a list of the most important security threats, the
solution to handle each threat and, in the case of a published working app, the list
of past experience (bugs or issues found in previous releases).
On a broad level, perform an analysis of the network, phone or OS resources
that would be used by the app, along with the importance of those resources. Also
analyze what the most important or high-level threats are and how to protect
against them.
If authentication is performed to access the app, is the authentication code
written to the logs, and is it reusable? Is sensitive information written to phone
log files?
There is no specific way to deal with hacks, because hacking an app varies from
app to app and, most importantly, with the nature of the app. Hence, to avoid
being hacked, try getting into the shoes of a hacker to see what you can't see as a
developer or a QA.
Hence people run software which is available in the market to attain full admin
access to the phone.
Following are the permissions most prone to abuse by attackers:
Network-based Location: Apps like location or check-in apps need
permission to access the network location. Hackers use this permission
to access the location of the user and launch location-based attacks or
malware.
View the Wi-Fi state: Almost all apps are given permission to access
the Wi-Fi state, and malware or hackers use phone bugs to access the Wi-Fi
credentials.
Retrieving Running Apps: Apps like battery savers, security apps, etc.
use this permission to access the currently running apps, and hackers
use it to kill the security apps or access the
information of the other running apps.
Full Internet Access: All apps need this permission to access the internet,
and hackers use it to communicate and send their commands to
download malware or malicious apps onto the phone.
Automatically start on boot: Some apps, like security apps, battery saving
apps, email apps, etc., need this permission from the OS to be started as soon
as the phone is started or restarted. Malware uses it to
run automatically during every start or restart.
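The permission review described above can be automated against an app's manifest. The following is an added example, not code from the original page: it maps the five permission groups named in the text to their Android permission names (a mapping assumed here; GET_TASKS is the legacy permission for listing running apps) and reports which ones a manifest requests, so a reviewer can ask whether each is justified.

```python
"""Flag the high-risk Android permissions named in the text in an AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups from the text, mapped to concrete Android permission names
# (the mapping is this example's assumption, not part of the original page).
HIGH_RISK = {
    "android.permission.ACCESS_COARSE_LOCATION": "Network-based location",
    "android.permission.ACCESS_WIFI_STATE": "View the Wi-Fi state",
    "android.permission.GET_TASKS": "Retrieving running apps (legacy permission)",
    "android.permission.INTERNET": "Full internet access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "Automatically start on boot",
}

# Constructed sample manifest for a flashlight-style app; such an app has no
# obvious need for location, task listing or boot-time start.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <application android:label="Torch"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name declared with a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> dict:
    """Return {permission: reason} for each requested permission in the high-risk set."""
    return {p: HIGH_RISK[p] for p in requested_permissions(manifest_xml) if p in HIGH_RISK}


if __name__ == "__main__":
    for perm, why in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"REVIEW  {perm}  ({why})")
```

Each flagged line is a question for the developer, not proof of malice; CAMERA is requested but not flagged because the text does not list it among the abused permissions.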
#7) Is the Security Threat Different for Android and iOS?
While analyzing the security threat for an app, QAs also have to think about the
differences between Android and iOS in terms of security features. The answer to
the question is yes, the security threat is different for Android and iOS.
iOS is less susceptible to security threats when compared to Android. The only
reason behind this is Apple's closed system; it has very strict rules for app
distribution on the iTunes store. Thus the risk of malware or malicious apps
reaching the iStore is reduced.