Written by: Stephen Nelson
We can almost guarantee that anyone reading this article owns a phone or tablet with applications installed on it. What many users do not realize is that whenever a device is not in airplane mode, disconnected from every wireless network, or powered off, the apps on it may be exchanging data with a server or cloud provider in the background. The permissions granted to those apps can allow them to transmit data at all hours of the day, track our location continuously, send data unencrypted, or store data on the device in places an ordinary user has no way to inspect.
Because mobile devices are such an integral part of our lives, we must pay close attention to the data stored on them and to the data they transmit to servers and cloud providers. Mobile applications exist to make our lives easier or to help us communicate with other people, and most of us use one almost every day, but these applications are not without flaws. So we ask ourselves: how are mobile applications audited?
Security professionals audit mobile applications using an emulator or a dedicated, personally owned test device. We prepare the device so that we can view its internal workings by jailbreaking it (iOS) or rooting it (Android).
Jailbreaking or rooting removes the manufacturer's restrictions and grants superuser access to the inner workings of the device: system and application logs, the files inside each app's private storage sandbox, and commands that a normal user is not allowed to run. Think of it as installing aftermarket parts on a vehicle. With that access we can also observe how an application interacts with the phone itself, with the developer's external servers, or with the cloud provider the developer uses to transmit and store data. Because jailbreaking or rooting also weakens the platform's own protections, this should be done on a device set aside for testing, never on the phone you rely on day to day.
Consider an app that many companies use on a day-to-day basis: Microsoft Teams. Teams is a messaging and collaboration app for companies and organizations. According to an article on PortSwigger.net, Microsoft Teams had "multiple vulnerabilities" that "could spoof URLs, leak IP addresses."
We see that even popular, widely installed applications can have vulnerabilities that leak personally identifiable information (PII) or share data that should not be shared. Sending a single message, or completing a transaction in a banking application, may have repercussions the user never sees. Mobile application penetration tests must therefore be performed to verify that security controls are both in place and maintained over time.
We, as users, can perform certain tasks to ensure that our mobile phones and applications are secure:
- Periodically audit permissions associated with every application.
- Ask yourself: does a financial application need access to your location? Does it need to read your contacts or use the microphone? Apply the same scrutiny when installing an application from an app store, and review the permissions it asks for before accepting them.
- Ensure that your mobile device uses a strong alphanumeric passcode rather than a short PIN or an unlock pattern.
- Avoid public wireless networks and use cellular data where possible. If you must use public Wi-Fi, avoid sensitive transactions on it.
- Always update to the latest version of the operating system and of each mobile application; updates carry security fixes for exactly the kinds of vulnerabilities discussed above.
- Verify that an application on Google Play or the Apple App Store is not malicious before installing it. Check the developer's identity and track record as well as the reviews; reviews can be a telltale sign of malicious intent, but they can also be faked, so do not rely on them alone.
- Do not store sensitive information, such as passwords, in a notes app on the device. It can be read if the device is stolen or compromised; use a password manager instead.
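As an added example (not part of the original post or of any DenSecure tooling), here is one way a tester or a technically minded user can perform the permission audit above on Android instead of tapping through every app's settings screen: capture `adb shell dumpsys package` output and flag every package that holds a sensitive permission. The sample dump, the package names and the list of permissions treated as sensitive are all constructed for this example and only approximate the real `dumpsys` format; run it against a real capture with `adb shell dumpsys package > dump.txt`.

```python
"""Flag installed Android packages holding sensitive granted permissions.

Parses text in the shape of `adb shell dumpsys package`. SAMPLE_DUMP below
is constructed for illustration (hypothetical package names) and only
approximates the real format; capture a real dump with
`adb shell dumpsys package > dump.txt` and pass its contents to
audit_dumpsys().
"""
import re
from typing import Dict, List

# Permissions an end user would question on a banking or messaging app.
# This selection is an assumption for the example, not an official list.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
}

# "  Package [com.example.app] (3f2a1b):" opens a package record.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# "    android.permission.X: granted=true, flags=[ ... ]" reports a grant.
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> Dict[str, List[str]]:
    """Map package name -> permissions reported as granted=true.

    Walks the dump line by line: a 'Package [name]' header starts a new
    record, and every 'perm: granted=true' line beneath it (install-time
    or runtime section) is attributed to that package.
    """
    granted: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, [])
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].append(m.group(1))
    return granted


def audit_dumpsys(dump: str, watch=SENSITIVE) -> Dict[str, List[str]]:
    """Return only the packages holding at least one watched permission."""
    findings: Dict[str, List[str]] = {}
    for pkg, perms in parse_granted(dump).items():
        hits = sorted(p for p in perms if p in watch)
        if hits:
            findings[pkg] = hits
    return findings


# Constructed sample: a banking app with location granted, a flashlight
# app with microphone and camera granted, and a notes app with nothing
# beyond INTERNET.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.bank] (3f2a1b):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (9c0d4e):
    userId=10140
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1235 installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (5a6b7c):
    userId=10141
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for pkg, hits in audit_dumpsys(SAMPLE_DUMP).items():
        print(f"{pkg}: {', '.join(hits)}")
```

Only grants that are actually in effect (`granted=true`) are reported, so a permission the app merely requests and the user has denied, such as READ_CONTACTS for the bank app in the sample, does not appear. A flashlight app holding RECORD_AUDIO and CAMERA is exactly the kind of mismatch the question "does this app need that?" is meant to surface.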
Mobile application security is not just the developer's job; it is a team effort to ensure that the applications we install on our phones do not lead to compromised sensitive data. The steps above raise your awareness and reduce your exposure as an end user. The picture is not complete, however, without rigorous, in-depth penetration testing at the application level to confirm that users and their data are protected the way you would expect. DenSecure can provide this testing and give you that assurance.