Mobile apps are a gateway to hacking schemes


Most of us have a fairly clear idea of how mobile apps work. We download our favorite mobile apps for free from the app store, and in return we are shown annoying advertisements. Sounds like a fair trade for something free? Shocking news: it is not.

Your idea of a fair trade is vague, and the reality is much more privacy-intrusive than it seems. The bargain you make for free apps usually gives the mobile app maker a great deal of your personal information. Mobile apps collect a vast amount of data from your phone, including your location, contact lists, schedules, identity, browsing history and much more. This information is shared with mobile advertising networks almost instantly. The networks then use it to determine which advertisement is best placed in front of the user at a given time and place. For example, if you search for makeup in your Google browser on mobile, your phone applications will later display ads similar to the makeup you were searching for online.

In short, this great bargain you make with the apps is not really about the apps but is a step closer to intrusive mobile surveillance. Users agree to the terms and conditions offered by the apps without even reading them fully. By agreeing to a free, ad-sponsored mobile app, users have consented to an economic model built on continuous and comprehensive personal surveillance. A common term for this is the stalker economy.


Proximity marketing and mobile apps

Proximity marketing is a concept worth understanding in order to grasp the dynamics of giving out our personal information to advertisers. The location and behavioral data we give to marketers helps them build a consumer identity. If advertisers know who we are, where we are and what we are doing, they can deliver more effective ads. Marketing is selling the product at the right time to the right audience. Advertising subliminally brainwashes us into buying products even when we don't need them.

All of this sounds more annoying than worrying. But this system has enabled major retailers to learn personal information about a person before anyone else does. Your phone is the first place where you search for information. For example, a pregnant woman might tell her friends and family later, but her internet search history, correlated with its timing, would let retailers know first. The retailers will then be able to target her directly by phone, mail or email when she is near a point of sale. The economic incentives for app developers and advertisers are so strong that this collective intrusion into our privacy will not go away soon (if ever).


Examples of consumer surveillance through mobile apps

Consumer surveillance is creepy and weird. It threatens not only personal privacy but also enterprise security. The threats are much simpler to put into action than they seem. Personal mobile services and devices have invaded the world of business. Any leak from those devices opens the door to corporate hacks, stolen business data and cyber attacks that leave everything exposed and vulnerable. Examples include the hack of Ashley Madison and, recently, Yahoo.

A more elaborate example is corporate employees syncing their work calendars and email accounts with personal mobile devices. This opens up a gate of risks. An employee's phone can be used to access the contact information of everyone else in the organization. Mobile apps downloaded on the phone also request access to the employee's personal contacts and calendar, which gives them the names and titles of company employees as well as the dial-in codes for private conference calls. Malicious apps and, even worse, hackers can easily use this information in a phishing attack.

The situation is worse in the current advertising climate. Many apps monetize their user base by sharing data with ad networks, which gather data from other sources and apps as well. The combined data from every network is shared with others, and it is impossible to know where the data is going. We are not even sure whether this data is being handled securely by the parties that have access to it. All of this careless sharing means that hackers do not even have to hack a corporate employee's phone directly. A hacker can just hack an ad network that holds information about millions of users and proceed from there.

Water-hole attacks through geolocation in mobile apps

A water-hole attack can also be used to steal information from enterprises. For example, two or three executives from a corporation have lunch together at a local restaurant on a regular basis. A hacker can access their geolocation and easily learn all of this. The attacker can then access the restaurant's website and compromise it. This works only on the assumption that the executives make reservations through the restaurant's website. He will then successfully breach the executives' phones.

A hacked phone is not just a threat to the employee but to the entire organization. If company emails, documents or any other sensitive information get into the wrong hands, the impact on the organization will be devastating.

What can we do to fight the threat?

The very first thing is gaining visibility into the mobile phones. Organizations should know which apps their employees are using and what those apps demand from the user. They should also make sure that the apps comply with the organization's security policies, and know whether or not the apps are encrypted. If you're not keeping an eye on this, you're taking a huge risk.

Steps that can prevent a major breach of information

Emerging concepts also include mobile policies. Most organizations have policies for platforms such as social media, but it is time to make one for mobile devices. These policies should cover managing firewalls and sharing data with partners. For example, if an employee is using the free version of an app with lots of ads, it is up to the company to make sure that they upgrade to the paid version of the app. This will minimize and eliminate the unsanctioned data being sent to employees in the form of ads. However, it does not eliminate the collection of personal and private data.
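
One way to carry out the app visibility check and the paid-version policy described above, as an added example that is not part of the original article. The inventory format, field names and app names are constructed for illustration; the permission strings are real Android permission names.

```python
# Added example: audit an app inventory against a mobile policy.
# The inventory schema, field names and rules below are assumptions.
CONTACTS = "android.permission.READ_CONTACTS"
CALENDAR = "android.permission.READ_CALENDAR"
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}

# Constructed sample data (hypothetical device-management export).
INVENTORY = [
    {"device": "phone-01", "work_synced": True, "app": "FreeFlashlight",
     "ad_supported": True,
     "permissions": [CONTACTS, "android.permission.ACCESS_FINE_LOCATION"]},
    {"device": "phone-01", "work_synced": True, "app": "NotesPro",
     "ad_supported": False, "permissions": ["android.permission.INTERNET"]},
    {"device": "phone-02", "work_synced": True, "app": "MeetingHelper",
     "ad_supported": False, "permissions": [CALENDAR, CONTACTS]},
    {"device": "phone-03", "work_synced": False, "app": "FreeFlashlight",
     "ad_supported": True, "permissions": [CONTACTS]},
]

def audit_app(entry):
    """Return (findings, action) for one installed app."""
    perms = set(entry["permissions"])
    findings = []
    if not entry["work_synced"]:
        return findings, "out of scope"   # no work data on this device
    if CONTACTS in perms:
        findings.append("reads contacts synced from the work directory")
    if CALENDAR in perms:
        findings.append("reads work calendar, including dial-in codes")
    if perms & LOCATION:
        findings.append("reads device location")
    if not findings:
        return findings, "allow"
    if entry["ad_supported"]:
        findings.append("ad-supported: data may be shared with ad networks")
        return findings, "require paid version or removal"
    return findings, "review against security policy"

def audit(inventory):
    """Map (device, app) -> (findings, action) for every flagged app."""
    results = {(e["device"], e["app"]): audit_app(e) for e in inventory}
    return {k: v for k, v in results.items() if v[0]}

if __name__ == "__main__":
    for key, (findings, action) in sorted(audit(INVENTORY).items()):
        print(*key, "->", action, "|", "; ".join(findings))
```

As the paragraph above notes, the "require paid version" action removes the ad channel but does not stop the app itself from collecting the flagged data, so those apps still belong in the review queue.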


Education and awareness are the most important part of this. The best protection is to empower users by equipping them with the tools and training to make better decisions about the apps they download and use on their phones. A mobile security solution is another terrific option. It is necessary to know where information is leaking from, which makes a mobile threat protection solution important. It is therefore imperative that organizations and enterprises include a mobile threat protection system in their overall security strategy. This will protect the individual and the company from the impending threat of mobile surveillance and data harboring.