Looking Forward to 2024 and Top Mobile Security & Privacy Trends in 2023

A conversation with Steve Schofield, Full-Time AppSec Developer and Part-Time Adjunct Teacher, and Ilya Dreytser, Head of Sales and Customer Engineering at Quokka

Navigating through mobile security is an evolving challenge both for developers and end users. Steve Schofield, a full-time application security developer and part-time adjunct teacher, and Ilya Dreytser, head of sales and customer engineering at Quokka, sat down for a conversation about the top 2023 mobile security and privacy trends and how to protect mobile users in 2024. Catch the highlights in this summary, and you can watch their full conversation here.

Apps with Malware

In 2023, hidden malware kept turning up in apps on the Google Play Store and Apple App Store. Contrary to popular belief, an app's presence on these widely used platforms does not guarantee it is free of malware. Even seemingly reputable apps with positive reviews may harbor vulnerabilities.

Researchers and developers use various approaches to detect hidden malware in apps. Schofield and Dreytser discussed the use of decompilers and open source tooling, describing them as a “double-edged sword.” For researchers, this methodology helps identify malicious intent and gets harmful apps removed from the app stores. The downside is that malicious actors can use the same tools to learn how apps are implemented and find ways to exploit their vulnerabilities. Open source tooling therefore cuts both ways.

Android & iOS Misconceptions

Android is an open source operating system, which is one reason it is often seen as the less secure platform with more potential vulnerabilities. Apple’s iOS has a reputation for being highly secure because it is a closed system, which makes it less susceptible to exploitation. However, privacy issues still occur on iOS devices: exploitation is harder, but still doable. The closed nature of iOS also makes flaws harder for researchers to find, so vulnerabilities can stay hidden for longer periods of time. The chances of researchers discovering these vulnerabilities are lower than on more accessible systems.

App Collusion

Beyond the standard app permissions, such as access to the camera, location, Bluetooth, or microphone, there are also app-specific “special” permissions that can be shared with other apps. Consider two apparently unrelated apps: one has Internet permission and the other has camera and audio-recording permissions. In isolation, each looks safe. Once both are installed on the same device, they can share their special permissions so that each effectively gains Internet access plus access to your camera and microphone. This is called “app collusion,” and it is a serious cybersecurity threat.
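As an added illustration (not code from this post or from Quokka), the following Python script checks a set of AndroidManifest.xml files for one concrete collusion pattern. It assumes the “special” permissions described above are Android custom permissions declared with a permission element: a protection level of normal is granted at install time without any user prompt, whereas signature is only granted to apps signed with the same key. The package names, manifests and the SENSITIVE set are constructed samples for this example.

```python
"""Added example: flag cross-app permission sharing ("app collusion").
Not Quokka's code. Pattern modelled: app A declares a custom permission with
protectionLevel "normal" and guards an exported component with it; app B
requests that permission. Each app alone looks modest; together they hold
camera + microphone + network. All manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a vetting reviewer treats as sensitive (constructed subset).
SENSITIVE = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}


def parse_manifest(xml_text):
    """Return (package, declared, guarded, requested).
    declared : custom permission name -> protectionLevel
    guarded  : custom permission name -> exported components it protects
    requested: permissions the app asks for via <uses-permission>"""
    root = ET.fromstring(xml_text)
    declared = {}
    for perm in root.iter("permission"):
        declared[perm.get(ANDROID_NS + "name")] = perm.get(
            ANDROID_NS + "protectionLevel", "normal")
    guarded = {}
    for comp in root.iter():
        if comp.tag in ("activity", "service", "receiver", "provider"):
            perm = comp.get(ANDROID_NS + "permission")
            if perm and comp.get(ANDROID_NS + "exported") == "true":
                guarded.setdefault(perm, []).append(comp.get(ANDROID_NS + "name"))
    requested = {u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")}
    return root.get("package"), declared, guarded, requested


def find_collusion(manifests):
    """Report (requester, provider, permission, combined sensitive perms) where
    the requester can reach the provider's capability silently."""
    apps = [parse_manifest(m) for m in manifests]
    findings = []
    for pkg_a, declared_a, guarded_a, req_a in apps:
        for name, level in declared_a.items():
            # "signature" is granted only to same-key apps and "dangerous"
            # prompts the user; "normal" is the silent, auto-granted case.
            if level != "normal" or name not in guarded_a:
                continue
            for pkg_b, _, _, req_b in apps:
                if pkg_b != pkg_a and name in req_b:
                    findings.append((pkg_b, pkg_a, name,
                                     sorted(SENSITIVE & (req_a | req_b))))
    return findings


SAMPLE_MANIFESTS = [
    # App A (constructed): camera + mic, exposed behind a "normal" permission.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.camtool">
      <uses-permission android:name="android.permission.CAMERA"/>
      <uses-permission android:name="android.permission.RECORD_AUDIO"/>
      <permission android:name="com.example.camtool.USE_CAPTURE"
                  android:protectionLevel="normal"/>
      <permission android:name="com.example.camtool.ADMIN"
                  android:protectionLevel="signature"/>
      <application>
        <service android:name=".CaptureService" android:exported="true"
                 android:permission="com.example.camtool.USE_CAPTURE"/>
        <service android:name=".AdminService" android:exported="true"
                 android:permission="com.example.camtool.ADMIN"/>
      </application>
    </manifest>""",
    # App B (constructed): INTERNET only, but asks for A's custom permissions.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.uploader">
      <uses-permission android:name="android.permission.INTERNET"/>
      <uses-permission android:name="com.example.camtool.USE_CAPTURE"/>
      <uses-permission android:name="com.example.camtool.ADMIN"/>
      <application/>
    </manifest>""",
    # App C (constructed): unrelated, requests nothing.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.notes"><application/></manifest>""",
]

if __name__ == "__main__":
    for requester, provider, perm, combined in find_collusion(SAMPLE_MANIFESTS):
        print(f"{requester} -> {provider} via {perm}: {combined}")
```

Note that the signature-level ADMIN permission produces no finding even though the uploader requests it: the platform will not grant it to an app signed with a different key, which is exactly why custom permissions that guard sensitive components should not use the normal level.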

Data Sharing

2023 also saw the proliferation of “ad tech” and the de-anonymization of its data. If a user shares their location and device ID with many different ad networks, that data can be bought in bulk. Dreytser described seeing examples from law enforcement, internationally and even within the US, where large amounts of ad tech data could be narrowed down to the point of tracking an individual phone.

There were also several instances in 2023 of mobile app companies sharing private information illegally. For example, Premom, a pregnancy tracking app, settled with the FTC for sharing private data with Google and with servers in China. The Weather Channel app settled its second lawsuit in three years with the FTC, again over the mobile app exfiltrating private information and sharing it out.

How Users Can Protect Themselves

Steve Schofield outlines five ways users can protect themselves from malware and privacy issues going into 2024. Actively practicing these five steps maintains mobile “hygiene” and adds layers of security to the average person’s mobile device.

  • Uninstall Unused Apps: If an app is not actively being used, uninstall it. This frees up storage space and eliminates potential vulnerabilities associated with dormant applications.
  • Disable Unnecessary Location Access: For apps that don’t require location services, it is recommended to disable this feature. By limiting access, users can prevent unnecessary tracking and enhance privacy.
  • Disallow Cell Data Access: Restricting cellular data access for specific apps adds a layer of control. This step ensures that apps only connect to the internet when using Wi-Fi, minimizing potential exposure to unsecured networks.
  • Disable Background Refresh: Disabling background refresh for apps conserves battery life and improves data safety. This reduces the risk of background processes posing security threats.
  • Use Mobile Device Management: For individuals associated with enterprises or companies, utilizing an MDM solution enhances security. MDM also allows centralized control over mobile device policies, ensuring a standardized and secure environment.

Additionally, Dreytser and Schofield discussed the importance of protecting yourself from man-in-the-middle (MiTM) attacks on public Wi-Fi networks. A MiTM attack can occur when you connect to such a network and another party positions themselves as an intermediary in your online communication. If the traffic is properly encrypted, the man-in-the-middle cannot read or tamper with it. However, some apps have flaws in how they protect their traffic. It is essential to know which apps on a mobile device are susceptible to man-in-the-middle attacks and to protect yourself by not joining open networks or by using a Virtual Private Network (VPN). This knowledge lets users take proactive measures and improve the security of their online activities.
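Knowing which apps are susceptible starts with the app's own network settings. As an added example (not from this post and not Quokka's code), the Python audit below reads an Android network_security_config.xml, the file that decides whether an app accepts cleartext HTTP, which certificate authorities it trusts and whether it pins certificates, and reports the settings that leave its traffic exposed on a hostile Wi-Fi network. A weak config sits beside a hardened one; both are constructed samples, the pin values are placeholders, and the finding codes are names chosen for this example.

```python
"""Added example: audit an Android network_security_config.xml for settings
that make an app's traffic interceptable by a man-in-the-middle. Not Quokka's
code. Both sample configs are constructed."""
import xml.etree.ElementTree as ET


def _allows_cleartext(elem, inherited):
    # A missing attribute means "inherit" (domain-config inherits base-config).
    return elem.get("cleartextTrafficPermitted", inherited) == "true"


def _trusts_user_cas(elem, inherited):
    anchors = elem.find("trust-anchors")
    if anchors is None:  # no override: inherit the base-config anchors
        return inherited
    # src="user" trusts CAs installed by the device user, which is what an
    # interception proxy relies on once its CA has been added to the device.
    return any(c.get("src") == "user" for c in anchors.findall("certificates"))


def audit_network_config(xml_text, target_sdk=33):
    """Return a list of (code, scope) findings, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    # Platform default when base-config is absent: cleartext is permitted only
    # for targetSdk < 28 (Android 9 changed the default to false); trust
    # anchors default to the system store only.
    base_cleartext = "true" if target_sdk < 28 else "false"
    base_user_ca = False
    base = root.find("base-config")
    if base is not None:
        base_cleartext = base.get("cleartextTrafficPermitted", base_cleartext)
        base_user_ca = _trusts_user_cas(base, False)
    if base_cleartext == "true":
        findings.append(("CLEARTEXT_ALLOWED", "base-config"))
    if base_user_ca:
        findings.append(("USER_CA_TRUSTED", "base-config"))
    for dc in root.findall("domain-config"):
        scope = "domain:" + ",".join(d.text.strip() for d in dc.findall("domain"))
        if _allows_cleartext(dc, base_cleartext):
            findings.append(("CLEARTEXT_ALLOWED", scope))
        if _trusts_user_cas(dc, base_user_ca):
            findings.append(("USER_CA_TRUSTED", scope))
        if dc.find("pin-set") is None:  # TLS still verified, just not pinned
            findings.append(("NO_PINNING", scope))
    # debug-overrides only apply to debuggable builds; flagged so a reviewer
    # confirms the release build is not debuggable.
    if root.find("debug-overrides") is not None:
        findings.append(("DEBUG_OVERRIDES_PRESENT", "debug-overrides"))
    return findings


# Constructed weak config: cleartext on, user CAs trusted, one unpinned domain.
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors><certificates src="system"/></trust-anchors>
    <pin-set expiration="2025-01-01">
      <pin digest="SHA-256">PLACEHOLDER_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain>cdn.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

# Constructed hardened config: HTTPS only, system CAs only, pinned API host
# with a backup pin so a key rotation does not brick the app.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2025-01-01">
      <pin digest="SHA-256">PLACEHOLDER_PIN_BASE64=</pin>
      <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_network_config(cfg))
```

The config is only half the picture: an app can still undermine TLS in code (for example by installing a trust manager that accepts any certificate), which is why a vetting tool combines this kind of configuration check with analysis of the binary itself.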

Maintaining mobile hygiene should be as routine as household practices like changing smoke detector batteries, especially when the mobile device is also used for work and the impact of an attack is multiplied. By adopting these practices, users reinforce their defenses against potential threats and limit the ripple effects of a breach.

However, it can be difficult to stay on top of all the different attack vectors, and organizations shouldn’t assume that their employees have perfect mobile security hygiene. Quokka offers solutions to help organizations protect their employees and data:

  • Q-Vet is a mobile app vetting solution that gives deep insights into the security and privacy posture of any third-party app, supporting pass/fail decisions before deployment—without needing access to source code—to protect the integrity of your enterprise network. Q-Vet lets an organization maintain an inventory of company-approved apps for deployment to employees and block any apps that do not meet corporate security standards.
  • Q-Scout prioritizes BYOD and privacy concerns to help IT Teams secure business-related applications on corporate and personal devices while preserving the data privacy of employees. This solution offers app-based policies that set a basic level of security for devices with Q-Scout installed, ensuring secure access to company data and files. By enabling employees to choose to install business apps on their personal devices and allowing users to self-remediate any policy violations, Q-Scout fosters a level playing field for the use of personal devices in work-related tasks.

How App Developers Can Protect Their Code

Ensuring the security of mobile app users involves implementing layers of defense against potential malicious activities. Schofield discusses obfuscation, encryption, code signing, cryptography, and penetration testing, and how these processes can contribute to a safer app ecosystem. Protecting code during the development process will save developers time and money and ensure security for the user.

Q-MAST is the industry-leading mobile app security testing solution, with a unique combination of advanced analysis engines that dig deeper and test more thoroughly than any other MAST solution on the market. Q-MAST is a fully automated Mobile Application Security Testing platform that detects security, privacy and code quality issues in iOS and Android apps without needing access to any source code. Vetted by the NSA, we support the highest compliance standards, including NIAP, CCPA, GDPR, NIST, and OWASP MASVS.

To learn more about how Quokka is helping to protect the mobile ecosystem, contact us.
