A mobile attack can be carried out through a device or through the network. A device-based attack is simple and straightforward. For instance, when a laptop is stolen, an attacker can access the system and pull data from it. Unencrypted credentials and sensitive data stored in the cache are the most common targets of this kind of attack.
It is also very important to test how a mobile application handles input. Parsing user-provided input, such as URLs and other content found in emails, MMS messages and text messages, can be a problem in mobile applications.
Malware and other harmful software
Malware installation is another way devices can leak information or become completely compromised. Man-in-the-middle (MiTM) visibility into user transactions occurs when attackers install malicious certificates, perform modifications and even reconfigure proxy settings on the device. Android platforms are particularly vulnerable to this type of attack. Simple and legitimate applications can be modified to include a hidden channel that sends activity from a victim’s device to the attacker.
Malware code is often skillfully written so that its functionality looks standard to automated tools like code scanners. Working alone, an automated scanner could completely miss an application with data-smuggling software. However, if someone were to do a manual review of the code, they would discover that when local content is scanned, it is followed by an outbound connection to a location that is not its primary server destination. Another way to detect this outbound connection is by letting the application run in its normal environment, such as on a test device. Thus, it is critical to perform both a manual and an automated review of the code.
How network-based attacks happen
Network-based attacks, in which an attacker captures and/or modifies mobile network traffic, are very dangerous for mobile applications. Wi-Fi in public places is particularly problematic because the majority of mobile applications switch to Wi-Fi once it is detected. Tools such as Firesheep can then be used to pull sensitive information quickly and remotely.
One of the biggest problems is that mobile application developers, like many of their web application counterparts, fail to properly secure the sensitive data they use. Many of them encrypt only the login information and then quickly switch to cleartext. Others use ill-secured TLS/SSL certificates that fail to use encryption in their interactions. These mistakes leave the application vulnerable to credential-stealing attacks.
A combination of static and dynamic techniques is the best way to effectively analyze the network communication used by an application. Code review can easily expose the protocols used to communicate over the network, and dynamic testing done by running the application in a lab setup can confirm the activity.
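As an added example (not code from the original post), the Python sketch below compares the endpoints found during code review with the traffic seen while the app runs on a lab device, which also surfaces the outbound connection to a non-primary server described in the malware section. The host names, source lines and proxy log entries are constructed sample data, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample: source lines seen during code review (static side).
SOURCE_LINES = [
    'String LOGIN = "https://api.example-bank.test/v1/login";',
    'String BALANCE = "http://api.example-bank.test/v1/balance";',
    'String LOGO = "https://cdn.example-bank.test/img/logo.png";',
]
# Constructed sample: URLs logged by a lab proxy while the app ran (dynamic side).
OBSERVED_URLS = [
    "https://api.example-bank.test/v1/login",
    "http://api.example-bank.test/v1/balance",
    "https://collector.unknown-host.test/upload",
]

def endpoints(texts):
    """Return the set of (scheme, host) pairs for every URL found in the texts."""
    found = set()
    for text in texts:
        for url in URL_RE.findall(text):
            parts = urlsplit(url)
            if parts.hostname:
                found.add((parts.scheme.lower(), parts.hostname.lower()))
    return found

def in_domain(host, domain):
    # Match the domain itself or a true subdomain, not a look-alike suffix.
    return host == domain or host.endswith("." + domain)

def review(source_lines, observed_urls, primary_domain):
    """Compare code-review endpoints with observed traffic; return sorted findings."""
    static, dynamic = endpoints(source_lines), endpoints(observed_urls)
    static_hosts = {host for _, host in static}
    findings = set()
    for scheme, host in static | dynamic:
        if scheme == "http":  # cleartext, e.g. after an encrypted login
            where = "confirmed in traffic" if (scheme, host) in dynamic else "code only"
            findings.add(("cleartext", host, where))
    for _, host in dynamic:
        if not in_domain(host, primary_domain):
            findings.add(("off-domain", host, "observed"))
        if host not in static_hosts:  # contacted at runtime but never seen in review
            findings.add(("not-in-code", host, "observed"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(SOURCE_LINES, OBSERVED_URLS, "example-bank.test"):
        print(finding)
```

A host reported as both off-domain and not-in-code is the case worth a manual look first, since neither the code review nor the app's stated purpose accounts for it.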
In the next post, we’ll talk about server-based attacks and a rundown of how you can test your mobile applications properly.