Mobile attacks
Mobile threats
- Takes advantage of the lack of security control in smartphones
- Can also be caused by a malicious app
- Older OS versions have known vulnerabilities
- Patched in newer versions but users may not update them.
- Vendors may not update phones after a while, maybe before warranty period.
- Vendors having own modified version of Android increases security risks
- Data transmission threats through Bluetooth, WiFi, 3G/4G/5G or wired connection to a computer.
Attack vectors
Attacks on the device
- Malicious code signing
- Obtaining a code-signing key from the code signing service to create a malicious application
- JAD File Exploit
- Attacker crafts a
.jad
file with spoofed information - Java Application Description (
.jad
) contains attributes of Java application
- Attacker crafts a
Browser-based attacks
- Framing
- Integrating another page through
iframe
element of HTML - Enables clickjacking to steal information
- Integrating another page through
- Man-in-the-Mobile
- Also known as • MitMo • Man-in-the-Phone
- Malware to spy on e.g. SMS OTPs (one-time passwords) or voice calls and relay them back to the hackers
- Buffer Overflow
- Caused by not truncating input data when it's longer than the reserved space and leads to overwriting other data in memory.
- 📝 Both iOS and Android are vulnerable as they use C/C++ in their kernels
- Data caching
- Inspected to gain sensitive information stored in them
- Clickjacking
Phishing
- Redirecting uses to legitimate looking malicious sites through e.g. pop-ups, emails
- Mobile users are more vulnerable due to smaller size of the browsers, URLs, warnings etc.
- See also Phishing | Social Engineering
Phone/SMS-based attacks
- Baseband Attacks
- Exploits GSM/3GPP processor (exchanges radio signals with cell towers)
- See Mobile-based social engineering | Social engineering types including e.g. • SMS phishing (SMSiShing) • Fake security apps • Repackaging legitimate apps • Malicious apps
Application-based attacks
- Sensitive data storage
- No encryption / weak encryption
- Improper SSL validation
- Configuration manipulation
- E.g. through external configuration files
- Dynamic runtime injection
- E.g. stealing data in memory
- Unintended permissions
- Escalated privileges
- Access to device and User info
- Third-party code
- Intent hijacking
- Zip directory traversal
- Side channel attack
- UI overlay/pin stealing
- Intent hijacking
- Clipboard data
- URL schemes
- GPS spoofing
- Weak / no local authentication
- Integrity / tampering / repackaging
- Unprotected app signing key
- App transport security
System attacks
- Malware
- Attacks the underlying system
- No passcode / weak passcode
- iOS jailbreaking
- Android rooting
- OS data caching
- Accessible passwords and data
- Carrier-loaded software
- Through e.g. bloatware
- No encryption / weak encryption
- User-initiated Code
- Zero-day exploits
- Device lockout
- Kernel driver vulnerabilities
- Confused deputy attack
- TEE/secure enclave processor
- Side-channel leakage
- Multimedia/file format parsers
- Kernel driver vulnerabilities
- Resource DoS
- GPS spoofing
Network attacks
- Wi-Fi
- E.g. no-encryption or weak encryption
- Rogue Access Point
- Packet sniffing
- Man-in-the-Middle (MITM)
- SSLStrip: websites are downgrades to use HTTP
- Fake SSL certificates issued by attacker
- Session hijacking
- DNS poisoning
- BGP hijacking
- HTTP proxies
- Sidejacking
- Listening to traffic to steal exchanged cookies to extract session IDs
Data center/cloud attacks
Web server attacks
- Platform vulnerabilities in OS and server software
- Server misconfiguration
- Cross-site scripting (XSS)
- Cross-site forgery (XSRF)
- Weak input validation
- Brute force attacks
- Cross Origin Resource Sharing
- Side channel attack
- Hypervisor attack
- VPN
Database attacks
- SQL injection
- Privilege escalation
- Data dumping
- OS command execution