If you’re like me, you’re probably alert to concerns about mobile app providers monetizing and sharing your personal information with third parties. And if privacy and apps are on your radar, you probably have noticed the increase of bad news when it comes to mobile apps getting hacked and suffering breaches. Most recent announcements have included the likes of comparison app Wishbone and dating app Mobifriends, the latter leaking personal information of 3.5 million users, including email addresses, mobile numbers, and MD5-hashed passwords.
Given that it’s not one type of mobile app being targeted, I was curious to know more about the hows and whys of apps getting hacked; and what users can do to protect themselves against mobile apps leaking their personal data. Lucky for me, I have first-hand access to the cybersecurity threat research experts of the Avira Protection Labs and Alexander Vukcevic was able to answer my questions.
Why are mobile apps so vulnerable to getting hacked and leaking user data? Are app developers doing something wrong or is it just extremely difficult to cover all the security bases necessary to prevent attacks?
Modern mobile apps are required to perform at high speeds, and because of this, app developers will change an app’s infrastructure, moving some of the security logic from the backend to the front-end. This means that the security logic or sensitive information is now built outside the typical network security systems, thus putting them at risk. In most cases, mobile app developers are not aware of secure coding techniques and poor coding or mistakes create exploitable vulnerabilities.
Often the data leaked by a mobile app breach is users’ real names, gender, date of birth, email addresses, IP addresses, and device details. How do hackers profit off this information? And should we be entering fake information when possible as a layer of protection?
Consider that just name and email information are enough for hackers to attempt a spear-phishing attack, and an unsuspecting user can further install malware on a laptop by opening the email and clicking on malicious links.
Entering fake information cannot be considered a layer of protection. Instead, we recommend security-awareness trainings, both for individuals and companies, as this may give each potential victim a fighting chance.
In my own research I found contradictory information about whether it’s a good idea or bad idea to register and sign in on a mobile app with Gmail or Facebook credentials. What’s your opinion?
Each time a user registers and signs in on a mobile app with a normal account, the user is trusting that app to take the necessary steps to protect their e-mail, phone number, mailing address, etc.
When signing on with another service’s account, the app doesn’t keep the password or other information. You are redirected to a page and authenticate against the other account’s servers, which then tell the app that yes, you are who you say you are, and give back control to the app. The app just gets a token which says, “user logged in successfully, let through.”
This means a user moves from trusting the app to trusting Google or Facebook to take the necessary steps to keep their information secure, including detecting any suspicious activity. Google and Facebook are not the same and you may choose to trust one but not the other.
Of course, you have your own part in securing that account too, like using a strong and complex password and enabling two-factor authentication. We believe it is a good idea to authenticate with another account in the app if you have that option.
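To make the token hand-off concrete, here is an added example that is not part of the interview: a minimal model of “sign in with another service’s account”, with the identity provider checking the password and the app receiving only a signed token it must validate. It assumes a constructed HMAC-SHA256 shared secret and JSON claims; a real provider signs with its own public keys and the app uses a vetted JWT library.

```python
# Added example (not from the interview or Avira): the identity provider verifies
# the password and hands the app only a signed token; the app never sees the password.
# Assumptions: HMAC-SHA256 shared secret and JSON claims (constructed for illustration);
# real providers use RS256/ES256 keys and apps should use a vetted JWT library.
import base64
import hashlib
import hmac
import json
import time

PROVIDER_KEY = b"demo-shared-secret"                                      # constructed
PROVIDER_USERS = {"alice@example.com": "correct horse battery staple"}    # constructed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def provider_login(email, password, app_id, now=None):
    """Identity-provider side: check the password, return a signed token or None."""
    if PROVIDER_USERS.get(email) != password:
        return None
    now = time.time() if now is None else now
    claims = {"sub": email, "aud": app_id, "iat": int(now), "exp": int(now) + 300}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def app_accept_token(token, app_id, now=None):
    """App side: accept only a token that is correctly signed, meant for this app, and unexpired."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):          # constant-time signature check
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = time.time() if now is None else now
    if claims.get("aud") != app_id or claims.get("exp", 0) <= now:
        return None                                     # wrong audience or expired
    return claims["sub"]  # the app learns only who logged in, never the password
```

The audience and expiry checks are what stop a token issued for one app from being replayed against another, or reused long after the login.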
Sometimes it’s the app itself which is the problem. Many imposter and fake apps are available for download despite the controls in place by app stores like Google Play and the iOS App Store. Why, or how, do app stores fail to detect malicious apps?
The honest answer is that you need an antivirus solution in order to detect malware and fake apps. Google has its own mobile antivirus solution, but if you look at independent tests like AV-Test for example, Google’s is the worst performing mobile security solution. In contrast, Avira obtained the highest score in all categories in the last AV-Test mobile security testing.
Can you share anything about what the Protection Labs is currently researching regarding mobile app threats? Anything users should be on special alert for?
We are currently in the process of implementing new technologies like a machine-learning based layer of protection. Users should also be on alert for stalkerware apps; you can read more about them on our blog.