Current Threats to Mobile App Technology.

In today’s digitally connected world, mobile apps have become an integral part of our lives, transforming the way we communicate, shop, bank, and access information. However, along with the convenience, mobile app technology also presents an array of security threats that can compromise users’ privacy and data. This article delves into the current threats that consumers face when using mobile apps and suggests ways to mitigate these risks.

Security Threats

1. Malware and Ransomware Attacks

Mobile apps are vulnerable to malware and ransomware attacks, where malicious software infiltrates the user’s device, leading to data breaches, financial loss, or unauthorized access to personal information. Attackers often exploit vulnerabilities in apps to deliver malware, compromising user data and privacy.

There are companies commercialising this industry, sharing software that can be used to generate ransomware, which allows individuals with limited technical skills to start exploiting common vulnerabilities. Malware as a service is a developing trend, and a disturbing one, as the industry takes on the form of a professional corporation.

2. Data Breaches and Privacy Concerns

Data breaches in the technology space can result in the exposure of sensitive user information such as personal details, login credentials, and financial data. Poorly secured databases, insufficient encryption, and weak authentication mechanisms can expose users to identity theft and privacy infringements. A brief look over the last 10 years shows that this trend is only increasing with staggering amounts of data exposed.

Source: Upguard.com Top 10 data breaches

  • 2014: Yahoo: Yahoo believed that a “state-sponsored actor” was behind this initial cyberattack in 2014.
  • 2017: Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft.
  • 2018: Aadhaar Data Breach: In March of 2018, it became public that the personal details of more than a billion citizens in India stored in the world’s largest biometric database could be bought online. In total, over 23 terabytes of data had been compromised from Alibaba’s cloud hosting servers, Alibaba Cloud, also the largest public cloud service provider in China.
  • 2018: Marriott Starwood: In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.
  • 2019: First American Financial Corporation Data Breach: In May 2019, First American Financial Corporation reportedly leaked 885 million users’ sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.
  • 2019: Verifications.io Data Breach: In February 2019, email address validation service verifications.io exposed 763 million unique email addresses in a MongoDB instance that was left publicly facing with no password.
  • 2019: Facebook: In April 2019, the UpGuard Cyber Risk team revealed two third-party Facebook app datasets had been exposed to the public Internet. One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 533 million records detailing comments, likes, reactions, account names, FB IDs and more.
  • 2020: Adult video streaming website CAM4 had its Elasticsearch server breached, exposing over 10 billion records.
  • 2021: LinkedIn Data Breach (2021): Data associated with 700 million LinkedIn users was posted for sale in a Dark Web forum in June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.
  • 2022: Alibaba.com: In mid-2022, Chinese e-commerce giant Alibaba suffered a major data breach that contained customer data.

3. Phishing and Social Engineering

Cybercriminals use phishing and social engineering tactics to trick users into revealing confidential information. Mobile apps can be targeted with fake login screens or fraudulent messages, leading users to unknowingly provide their credentials to attackers.

This has netted attackers large sums of money. For example, between 2013 and 2015 Facebook and Google were tricked out of $100 million by an extended phishing campaign. The phisher impersonated Quanta, a Taiwan-based company that both tech giants used as a vendor, and issued invoices that Facebook and Google then paid.

4. Insecure Network Connections

Public Wi-Fi networks are often unsecured, making users susceptible to interception of data during transmission. Attackers can exploit weak network security to eavesdrop on sensitive information exchanged between the user and the app.

A popular Firefox extension allows a hacker to hijack active browser sessions by clicking on the victim’s name, if the victim is unlucky enough to be on an insecure Wi-Fi network in a public place.

5. In-App Advertisements and Tracking

Some mobile apps integrate aggressive advertising and third-party trackers, compromising user privacy. These trackers collect user behavior data, which is often used for targeted advertisements, potentially infringing on users’ digital rights.

Advertisers want to know as much as possible about their visitors, and app tracking is a multi-million dollar industry. Apple is now one of the first firms to block third-party cookies, and this is changing the landscape of how advertisers can track their potential customers.

6. Unverified App Stores and Sideloading

Downloading apps from unverified sources or sideloading apps can expose users to malicious software. These sources may not adhere to security standards, leading to the installation of compromised or counterfeit apps.

7. Outdated Software and Lack of Updates

Obsolete operating systems and apps without regular updates can leave devices vulnerable to security flaws. Cyber attackers frequently target devices with outdated software, as they are more likely to have known vulnerabilities.

LastPass succumbed to this attack when one of its engineers failed to update Plex on their home computer, and hackers managed to use this to get access to LastPass data.

Mitigating Threats and Enhancing Security:

  1. Download from Trusted Sources: Obtain apps from official app stores to reduce the risk of downloading malicious software.
  2. App Permissions: Review app permissions and only grant necessary access to personal data.
  3. Regular Updates: Keep operating systems and apps up to date to patch vulnerabilities and strengthen security.
  4. Use VPNs: When using public Wi-Fi, employ Virtual Private Networks (VPNs) to encrypt data transmission.
  5. Security Solutions: Utilize reputable mobile security apps that offer features such as anti-malware and anti-phishing protection.
  6. Multi-Factor Authentication: Enable multi-factor authentication where available to add an extra layer of security to your accounts.
  7. User Education: Educate users about safe mobile app practices, recognizing phishing attempts, and understanding app permissions.
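
The permission review in item 2 and the unencrypted-traffic risk described under Insecure Network Connections can both be checked from an Android app's manifest. The sketch below is an added example, not part of the original article; it assumes the manifest has already been decoded to text XML, and the flashlight app, the `audit_manifest` helper and the permission-to-category table are constructed for illustration (the permission names and the `usesCleartextTraffic` attribute are real Android identifiers).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android "dangerous" (runtime) permissions, mapped to the
# category of personal data they expose. Illustrative, not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:usesCleartextTraffic="true" android:label="Flashlight"/>
</manifest>
""".strip()

def audit_manifest(xml_text, expected=frozenset()):
    """Flag dangerous permissions outside the `expected` categories,
    plus an explicit opt-in to unencrypted (cleartext) network traffic."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        category = DANGEROUS.get(name)
        if category and category not in expected:
            findings.append(("unexpected-permission", name, category))
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append(("cleartext-traffic", "usesCleartextTraffic", "network"))
    return findings

if __name__ == "__main__":
    # A flashlight plausibly needs the camera (for the flash) and nothing else.
    for kind, item, category in audit_manifest(SAMPLE_MANIFEST, expected={"camera"}):
        print(f"{kind}: {item} ({category})")
```
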

As mobile app usage continues to rise, so do the threats that target unsuspecting consumers. By understanding these risks and taking proactive measures, users can make informed decisions, safeguard their data, and enjoy the benefits of mobile app technology without compromising their security and privacy.