Mobile application security is hard to get right, as we’ve been repeating on every blog. While that much is no surprise to anyone, how bad things actually are is. In continuation of our efforts to make the Android operating system more secure, we’re exposing 11 Android mobile application security facts that you will lose sleep over. Don’t worry, the idea is to learn from these and take corrective steps so that you can sleep better!
11 Mobile Application Security Facts You Need to Know
#1 Security lessons are easily forgotten
Security is a difficult topic, partly because it naturally clashes with convenience. Human nature being what it is, these lessons are easily forgotten, even by the likes of Google. A case in point is the Tapjacking vulnerability that existed in Android 4. While it was corrected in Android 6, the correction was suppressed in 6.0.1, leaving several high-end smartphones at risk. The lesson here is that even the gatekeepers of security can become lax or get tempted to relax a few barriers. As such, your data's security is as much your responsibility as it is Android's.
#2 Your location is very easy to steal
The location feature enables apps to do a lot of cool things, but it also puts you at risk. It is incredibly easy for an app to steal your location. To safeguard yourself, switch off WiFi when it's not in use, and pay careful attention when apps request location permission.
#3 The famous E-commerce apps are hopeless
How secure are the e-commerce apps by major companies? You'd think that big brands like these would obviously pay special attention to app security. Alas, they don't. And it's not clever hacks and rare exploits we are talking about. We conducted an extensive study recently, which revealed that a shocking 95% of global E-commerce apps fail even the most basic security tests. How secure are your transactions, browsing, and data, then?
#4 Mobile application security is only getting worse
You would be forgiven for thinking that as more holes are plugged, mobile application security is getting better by the day. But the reality is the complete opposite; in fact, more and more hacks are being uncovered and more apps are infected than ever before. A 2016 mobile application security report by Arxan confirms this: while more people than ever before feel that their apps are more secure, the numbers tell a different story. 90% of the apps Arxan tested for this report contained at least two major vulnerabilities. It looks like the focus everywhere is more on pumping out apps and getting revenue than on inspecting what the apps themselves are up to.
#5 Organizations are not spending on security
The Arxan report mentioned before has another surprising discovery: 50% of the organizations that participated in their survey had an astonishing budget for security – zero percent! Yes, security is nowhere on the radar of at least half the global leaders, and spending on it is seen as a nuisance. One can only hope it changes soon!
#6 Even good apps can leak sensitive data
You don't have to keep an eye only on the malicious apps. The way mobile apps work, even the good ones are liable to leak your personal information when they communicate with their backend servers. This was revealed in a Faloutsos study, described here. This is alarming for the entire Android community, as it highlights that there are things going on in our smartphones that we can't even imagine.
#7 Unused apps are a big security threat
According to Google, 25% of apps on the average smartphone lie unused. Unused, however, doesn't mean inactive. Unknown to you, these apps can still start a connection, scan your files and photos, and upload sensitive data to their mother ship. As this blog post by Cheetah Mobile reveals, your phone is most likely already affected by malware. The solution? Remove the apps you don't use at once, especially those that offered free tutorials/wallpapers and have been lying innocently ever since.
#8 Not updating your Android system is the road to disaster
Let's be honest: nobody likes software updates in Android. The notifications are irritating, the downloads are too large, and the updates take forever to install. Does that mean we should give updates a miss? Absolutely not! The point of releasing an update is just that: critical issues have been found on your device, and the software update aims at patching them up. So what could go wrong if you don't update? Among other things, remote code execution. Certain versions of Android contain a code vulnerability where arbitrary code can be executed on your device. In other words, your device can be made to do just about anything at the attacker's whim.
#9 Pattern locks are not foolproof
Pattern locks promote a sense of security that is unmatched. Once we have decided on a pattern and locked the smartphone, we feel that nothing can harm our device. There are several problems with this, however. First, screen lock patterns are awfully common, and it's very likely that you've ended up with one of these patterns. But even worse, our fingers always leave a somewhat oily trail on the touch screen; if you were to look at the screen against a source of light later on, the pattern used to lock it would be almost visible!
#10 Rooting or jailbreaking
While rooting your Android device is a lot of fun and opens many avenues of experimentation, it's also the single biggest security hole in your device. Lack of rooting is not a pernicious feature inflicted by profit-hungry corporations on the common person; rather, an absence of rooting limits the extent of damage that can be caused by an attacker once he has taken control of your device. For instance, reading stored WiFi passwords is not possible on a non-rooted phone, but is a cakewalk in a rooted Android.
Save your adventurous spirit for the biking trips and leave the device alone!
#11 The Bluetooth is not innocent
These days, Bluetooth seems to have been forgotten, and so has the fact that the Bluetooth connection can be on all the time. Does it even matter? For an experienced attacker, it does. Through Bluejacking (also known as Bluebugging), an attacker can use your Bluetooth connection and transfer all kinds of personal and sensitive data without your ever realizing it. Keep the Bluetooth off at all times!
History repeats itself, and application security history repeats more often than necessary. It is up to the community (platform makers, developers, and users) to join forces and commit to raising the level of mobile application security.