Navigating through mobile security is an evolving challenge both for developers and end users. Steve Schofield, a full-time application security developer and part-time adjunct teacher, and Ilya Dreytser, head of sales and customer engineering at Quokka, sat down for a conversation about the top 2023 mobile security and privacy trends and how to protect mobile users in 2024. Catch the highlights in this summary, and you can watch their full conversation here.

Apps with Malware

In 2023, there were trends of hidden malware in apps on the Google Play Store and Apple App Store. Contrary to belief, the mere presence of an app on these widely-used platforms does not guarantee immunity to malware. Even seemingly reputable apps, adorned with positive reviews, may harbor vulnerabilities.

Researchers and developers adopt various approaches to detect hidden malware in apps. Schofield and Dreytser discussed the utilization of decompilers and open source resources, emphasizing the dual nature of these tools as a “double-edged sword.” On one hand, this methodology proves beneficial for researchers, aiding in the identification of malicious intent and facilitating the removal of harmful apps from the app store. Conversely, there are downsides, as malicious actors can exploit the same tools, learning how these apps are implemented and finding ways to exploit their vulnerabilities. The use of open source tools, therefore, carries the potential for both positive and negative outcomes.

Android & iOS Misconceptions

Android is an open source operating system, which is why it can be seen as a less secure platform, allowing more potential vulnerabilities. Apple’s iOS has a reputation for being highly secure due to its closed operating system, making it less susceptible to exploitation. However, privacy issues can still happen on iOS devices. Though it can be more difficult to exploit, it is still doable. Addressing flaws in the iOS system is challenging for researchers due to its closed nature, causing vulnerabilities to stay hidden for longer periods of time. The chances of researchers discovering these vulnerabilities are lower compared to more accessible systems.

App Collusion

While there are standard app permissions, such as accessing the video camera, location, Bluetooth, or microphone, there are also app-specific “special” permissions that can be shared with other apps. There can be two seemingly completely separate apps – one has Internet permissions and the other has camera and audio recording permissions. In isolation, they both seem safe. As soon as both are installed on the device, both apps could now have Internet access and access to your camera and microphone by sharing special permissions. This is called “app collusion” and it is a serious cybersecurity threat.

Data Sharing

2023 also saw the proliferation of “ad tech” and the de-anonymization of the data. If a user is sharing their location and device ID with all of these different ad networks, that data can be bought in bulk. Dreytser discussed seeing examples from law enforcement, internationally and even within the US, where you could actually take large amounts of the ad tech data and narrow it down to where you can track an individual phone.

There were also several instances of mobile app companies sharing private information illegally in 2023. For example, Premom, a pregnancy tracking app, settled with the FTC because they were sharing private data with Google and with some servers in China. Additionally, The Weather Channel app settled their second lawsuit in three years with the FTC where, again, the mobile app was exfiltrating private information and sharing it out.

How Users Can Protect Themselves

Steve Schoefield introduces five ways a user can protect themself from malware and privacy issues going into 2024. Actively practicing these five steps helps maintain mobile “hygiene” and adds layers of security to the average person’s mobile device.

• Uninstall Unused Apps: If an app is not actively being used, uninstall it. This frees up storage space and eliminates potential vulnerabilities associated with dormant applications.
• Disable Unnecessary Location Access: For apps that don’t require location services, it is recommended to disable this feature. By limiting access, users can prevent unnecessary tracking and enhance privacy.
• Disallow Cell Data Access: Restricting cellular data access for specific apps adds a layer of control. This step ensures that apps only connect to the internet when using Wi-Fi, minimizing potential exposure to unsecured networks.
• Disable Background Refresh: Disabling background refresh for apps conserves battery life and improves data safety. This reduces the risk of background processes posing security threats.
• Use Mobile Device Management: For individuals associated with enterprises or companies, utilizing an MDM solution enhances security. MDM also allows centralized control over mobile device policies, ensuring a standardized and secure environment.

Additionally, Dreytser and Schofield discussed the importance of protecting yourself from man-in-the-middle (MiTM) attacks on public Wi-Fi networks. A MiTM attack can occur when you connect to such a network and another individual positions themself as an intermediary in online communication. If information is protected and properly encrypted, the man-in-the-middle will not be able to intercept encrypted traffic. However, there are some apps that have flaws. It is essential to know which apps on a user’s mobile device are susceptible to man-in-the-middle attacks and know how to protect oneself by not joining these open networks or by using a Virtual Private Network (VPN). This knowledge empowers users to take proactive measures and enhance the security of their online activities.

Maintaining mobile hygiene should be equivalent to household practices, like changing smoke detector batteries, especially when that mobile device is also used for work activities and the impact of an attack is exponential. By adopting these practices, users can reinforce their defenses against potential threats and limit the rippling effects of a breach.