Mobile attacks

Mobile threats

  • Takes advantage of the lack of security control in smartphones
  • Can also be caused by a malicious app
  • Older OS versions have known vulnerabilities
    • Patched in newer versions but users may not update them.
    • Vendors may stop updating phones after a while, sometimes even before the warranty period ends.
  • Vendors having own modified version of Android increases security risks
  • Data transmission threats through Bluetooth, WiFi, 3G/4G/5G or wired connection to a computer.

Attack vectors

Attacks on the device

  • Malicious code signing
    • Attacker obtains a code-signing key from the code signing service and uses it to sign a malicious application
  • JAD File Exploit
    • Attacker crafts a .jad file with spoofed information
    • Java Application Descriptor (.jad) file contains the attributes of a Java application

Browser-based attacks

  • Framing
    • Embedding another page through the HTML iframe element
    • Enables clickjacking to steal information
  • Man-in-the-Mobile
    • Also known as MitMo or Man-in-the-Phone
    • Malware that spies on e.g. SMS OTPs (one-time passwords) or voice calls and relays them back to the attackers
  • Buffer Overflow
    • Caused by not truncating input data when it is longer than the reserved space, so the excess overwrites adjacent data in memory.
    • 📝 Both iOS and Android are vulnerable as they use C/C++ in their kernels
  • Data caching
    • Cached data is inspected to obtain the sensitive information stored in it
  • Clickjacking

Phishing

  • Redirecting users to legitimate-looking malicious sites through e.g. pop-ups or emails
  • Mobile users are more vulnerable because browsers, URLs, warnings etc. are smaller and harder to inspect on a phone screen
  • See also Phishing | Social Engineering

Phone/SMS-based attacks

Application-based attacks

  • Sensitive data storage
  • No encryption / weak encryption
  • Improper SSL validation
  • Configuration manipulation
    • E.g. through external configuration files
  • Dynamic runtime injection
    • E.g. stealing data in memory
  • Unintended permissions
  • Escalated privileges
  • Access to device and user info
  • Third-party code
  • Intent hijacking
  • Zip directory traversal
  • Side channel attack
  • UI overlay/pin stealing
  • Clipboard data
  • URL schemes
  • GPS spoofing
  • Weak / no local authentication
  • Integrity / tampering / repackaging
  • Unprotected app signing key
  • App transport security
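Zip directory traversal from the list above, shown from the defender's side: an added example (not part of the original notes) in which an app that unpacks a downloaded archive checks every entry name before writing it. The archive is constructed in memory for the demo and contains one benign entry and one entry whose name climbs out of the extraction directory.

```python
"""Zip directory traversal ("Zip Slip") check for apps that unpack archives.
Added example, not from the original notes: builds a constructed in-memory
archive (one benign entry, one escaping entry) and extracts it safely."""
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: a normal file plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.json", '{"theme": "dark"}')
        # Entry name deliberately escapes the target directory.
        zf.writestr("../../outside.txt", "should never be written")
    return buf.getvalue()


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if the member resolves to a path inside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    try:
        # Absolute names and '..' segments both fail this test:
        # the resolved path must sit at or below dest_root.
        return os.path.commonpath([dest_root, target]) == dest_root
    except ValueError:  # e.g. different drives on Windows
        return False


def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract only members that stay inside dest_dir; report the rest."""
    result = {"extracted": [], "rejected": []}
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                result["rejected"].append(info.filename)  # log as tampering
                continue
            zf.extract(info, dest_dir)
            result["extracted"].append(info.filename)
    return result


def demo() -> dict:
    """Run the safe extractor on the constructed archive in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)


if __name__ == "__main__":
    print(demo())
```

Rejected entry names are worth logging: a legitimate update package never needs `..` or absolute paths, so their presence indicates a tampered archive.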

System attacks

  • Malware
    • Attacks the underlying system
  • No passcode / weak passcode
  • iOS jailbreaking
  • Android rooting
  • OS data caching
  • Accessible passwords and data
  • Carrier-loaded software
    • Through e.g. bloatware
  • No encryption / weak encryption
  • User-initiated code
  • Zero-day exploits
  • Device lockout
  • Kernel driver vulnerabilities
  • Confused deputy attack
  • TEE/secure enclave processor
  • Side-channel leakage
  • Multimedia/file format parsers
  • Resource DoS
  • GPS spoofing

Network attacks

  • Wi-Fi
    • E.g. no encryption or weak encryption
  • Rogue Access Point
  • Packet sniffing
  • Man-in-the-Middle (MITM)
    • SSLStrip: websites are downgraded to use HTTP
    • Fake SSL certificates issued by attacker
  • Session hijacking
  • DNS poisoning
  • BGP hijacking
  • HTTP proxies
  • Sidejacking
    • Sniffing traffic to capture exchanged cookies and extract session IDs from them

Data center/cloud attacks

Web server attacks

Database attacks