How Data Leaking through Poorly Written Applications?

Data Leaking through poorly written applications is day to day biggest concern but threat level is medium.

So How many apps do you have on your mobile device? If you can answer that question, then congratulations; that is impressive, but can you confirm what data these apps collect, and more importantly what they do with your data? It is unlikely that many can even answer the first question, let alone the proceeding questions. 

How Data Leaking through Poorly Written Applications?
How Data Leaking through Poorly Written Applications

This of course is hardly surprising when it is estimated the average number of apps downloaded by smartphone users equals 25 12 (and a whopping 40 in South Korea).

If we take this number and then consider research by security firm BitDefender, which found that based on analysis of the 836,021 applications in the Play Store (at the time of conducting the research), 1 in 20 was able to locate and open photographs on installed devices.

Equally, 1 in 30 divulged e-mail addresses over the Internet, with 1749 doing so over an encrypted connection and 1661 over an unencrypted connection. 

In addition, the research also found that almost 10% of apps had permission to read the contact lists on the mobile device without authorization of the user. 

Of course, there is no suggestion that the applications themselves are doing anything malicious, indeed for Android, the user is provided with details regarding the permissions the application is requesting. 

However, there is no doubt that the level of transparency regarding what happens with the data, how it is transmitted, and what happens with the data once collected does not have the same level of transparency. 

Data Leaking through Poorly Written Applications
Data Leaking through Poorly Written Applications

Indeed, if we review the data protection authorities‘ (Canada, Netherlands) investigation into WhatsApp, there is a disparity between what was stated (regarding how long data is stored and transmitted), and what happened.

The issue of leaky apps is a key problem, and the absence of transparency about how data are stored or transmitted poses an issue.  (data leaking)

Furthermore, the issue is compounded by the fact that consumers when provided with transparency (by at least knowing what permissions exist) either do not read or understand what data are being requested by the app in question. 

Therefore, the challenge for organizations in mitigating this particular threat is made considerably more difficult by an audience that does not understand the implications of allowing apps almost unfettered access to their devices and ultimately corporate data. 

A recently publicized example of this was demonstrated with the “Flappy Birds” application. 

data leaking
data leaking

Among its malicious behaviors, this clone does the following data leaking stages

  1. Makes calls without the user’s permission
  2. Installs additional applications without the user’s permission
  3. Allows an app to monitor incoming SMS messages, and to record or process them (undeclared permission)
  4. Sends SMS messages without the user’s permission
  5. Extracts SMS messages
  6. Sends data to a cell number via SMS
  7. Allows an app to read the user’s contacts data (undeclared permission)
  8. Extracts GPS location (latitude and longitude)
  9. Reads IMEI number and MAC address and transmits them to third parties (JSON) without user’s permission
  10. Sends user activity data to third-party sites

Allows an app to call the kill background processes(String) (undeclared permission).

Mobile Top Threats: Evil 8.0 To put the issue into context, the McAfee Labs team took a sample of 300 Flappy Bird applications, and of these, 238 were cited as malicious.

This is the tip of the iceberg but demonstrates the scale of the issue that is propagated by the simple acceptance of mobile applications without reviewing their permissions.

How to prevent data leaking through poorly written applications?

How to prevent  data leaking through poorly written applications?
How to prevent data leaking through poorly written applications?

1. Avoid giving out personal information

That text message that looks to be from your bank may not be. If you get requests via email or text for account information from any business, contact the business directly to confirm the request. The same advice goes for tapping links in unsolicited emails or texts.

2. Use a pin, password or pattern to lock your phone

Setting this up is easy. For most Android™ devices, go to your Location & Security Settingsfor instructions. iOS users can find these functions in the General options of their settings.

3. Download apps only from trusted stores

If you’re browsing for a new game or something more productive, use places such as Google Play. Make sure you check ratings and reviews if they are available, and read the app’s privacy policy to see exactly what phone features it will have access to if you download.

4. Back up your data

This is more about protecting and restoring your information should disaster strike. With google cloud storage you can save your contacts, music, pictures, videos and documents to the cloud.

5. Keep your operating system and apps updated

There are typically periodic updates to both of these that not only add new features, but also offer tightened security.

6. Log out of sites after you make a payment

If you bank or shop from your smartphone, log out of those sites once your transactions are complete. Other tips include not storing your usernames and passwords on your phone and avoiding transactions while you are on public Wi-Fi.

7. Turn off Wi-Fi and Bluetooth® when not in use

You think of them as ways to connect to something, but thieves can use them to connect to your device and access files.

8. Protect your investment

Losing your smartphone can be pretty stressful. Each day, 200,000 devices are lost, stolen or damaged. You might be surprised by the high out-of-contract price of replacing a lost smartphone with an equivalent make and model.

Hackers love targeting mobile devices, which are rich with personal data and payment card information.

Our results indicate that developers of mobile applications often neglect security, with the main issue being insecure data storage. User information stored in cleartext, unmasked data in screenshots, and keys and passwords in source code are just a few of the flaws that offer opportunities to cyberattackers.

Users themselves may unwittingly help to compromise their devices by expanding smartphone capabilities, disabling protection, opening suspicious links in SMS messages, and downloading software from unofficial sources.

Securing user data requires a responsible attitude on the part of both application developers and device owners.

Nor can we underestimate the role of server vulnerabilities.

Protection of mobile application servers is no better than that of clients. In 2021, every tested server-side component contained at least one vulnerability enabling various attacks on users, including impersonation of the developer in phishing emails, placing the developer’s reputation at risk. To prevent exploitation of server vulnerabilities, we recommend using a web application firewall (WAF).

Beyond client and server vulnerabilities, risks also include client–server communication. Data sent over an insecure protocol can be completely compromised. But even secure connections are not always safe. Developers still have yet to attain a deep understanding of the importance of security.

Protection mechanisms are the weak spot in mobile applications. Most of the discovered vulnerabilities were introduced during the design stage and result from failure to “think through” security-related questions. We recommend a methodical approach to designing and following through on mobile application security, regularly testing it starting from Day 1 of the software lifecycle. The most effective method is white-box testing, in which security analysts have full access to source code.

Conclusions

Hackers love targeting mobile devices, which are rich with personal data and payment card information.

Our results indicate that developers of mobile applications often neglect security, with the main issue being insecure data storage. User information stored in cleartext, unmasked data in screenshots, and keys and passwords in source code are just a few of the flaws that offer opportunities to cyberattackers.

Users themselves may unwittingly help to compromise their devices by expanding smartphone capabilities, disabling protection, opening suspicious links in SMS messages, and downloading software from unofficial sources.

Securing user data requires a responsible attitude on the part of both application developers and device owners.

Nor can we underestimate the role of server vulnerabilities.

Protection of mobile application servers is no better than that of clients. In 2021, every tested server-side component contained at least one vulnerability enabling various attacks on users, including impersonation of the developer in phishing emails, placing the developer’s reputation at risk.

To prevent exploitation of server vulnerabilities, we recommend using a web application firewall (WAF).

Beyond client and server vulnerabilities, risks also include client–server communication. Data sent over an insecure protocol can be completely compromised. But even secure connections are not always safe. Developers still have yet to attain a deep understanding of the importance of security.

Protection mechanisms are the weak spot in mobile applications. Most of the discovered vulnerabilities were introduced during the design stage and result from failure to “think through” security-related questions.

We recommend a methodical approach to designing and following through on mobile application security, regularly testing it starting from Day 1 of the software lifecycle.

The most effective method is white-box testing, in which security analysts have full access to source code.

Leave a comment

Copy link
Powered by Social Snap