Dangers of mobile devices, WhatsApp

Jun 13, 2017


 
By Peter Kisitu

Today's corporations manage a workforce armed with multiple mobile devices. These devices increase the number of vectors open to cyber-attacks and make corporate information more exposed than at any other time in corporate history!

This exposure is attributed to theft or loss of devices, weak Android security, and the share-ability of information. To counteract these threats, organizations must revise their ICT security, while service providers must provide security from a network perspective. Below are some of the threats associated with mobile devices.

WhatsApp

In 2015 WhatsApp introduced a web version that replicates the experience of the mobile app on a PC. This, however, brought with it new security threats. Check Point, a cyber-security firm, discovered that hackers could use WhatsApp Web to distribute malware such as:

a) Ransomware, which forces victims to pay a ransom to regain access to their systems and data;

b) Bots, which cause systems to slow down to a crawl; and

c) Remote Access Tools (RATs), which give hackers remote access to the victims' PCs.

The new encryption feature on WhatsApp does not address privacy concerns, as rogue attackers are still able to identify the recipient, the sender, and even the timestamp. Also, the government may ask for and get this information. The fact that WhatsApp is owned by Facebook increases the exposure of WhatsApp users: Facebook monitors and tracks user data to augment its own offerings, so it will do the same for WhatsApp.

Bluetooth

This is a wireless communication protocol used for short-range transmissions. Bluetooth is one of the most widely used and preferred attack techniques for infecting smartphones because, by pairing Bluetooth-enabled devices, hackers are able to access infected phones' critical applications and files, such as e-mail, contact lists, pictures, and any other private data stored on the smartphone. When two Bluetooth-enabled devices communicate after establishing a trusted relationship, all the information is left on both devices, even after the session has ended. This loophole allows hackers to have full access to the device without the owner's knowledge or consent. This device-based authentication makes smartphones vulnerable to direct attacks and threatens privacy and critical personal information. In this case, user-based authentication can elevate security.

SMS

Short Message Service (SMS) is widely used and, contrary to the popular belief that SMS cannot be attacked, recent studies have shown that SMS can contain confidential information that is exposed to attacks due to the lack of security services in the cellular network. SMS suffers from exploitable vulnerabilities, such as the lack of mutual authentication methods and non-repudiation. Non-repudiation means that a transferred message has been sent and received by the parties claiming to have sent and received the message. Authentication is the process of identifying an individual based on a username and password.

An SMS that is sent from a sender to a receiver cannot be mutually authenticated by both parties. Also, senders cannot be held accountable for the SMSs they send because there is no mechanism that could be implemented to ensure the sender's true identity. The weak security implementation of SMS can also be used as an attack mechanism by hackers, where an arbitrary computer can be used to inject SMSs into the network, thus exposing smartphones to risks. In addition, SMSs are susceptible to man-in-the-middle attacks while they are being transmitted over the air.
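The missing sender authentication described above is visible in the message format itself. The following is an added example, not part of the original article: it decodes an SMS-DELIVER PDU field by field (layout per 3GPP TS 23.040) and shows that the sender address is an ordinary field and that the layout defines no signature field. The sample PDU is a commonly reproduced tutorial message used here as sample input; the function names are this example's own.

```python
# Added example: field-by-field decode of an SMS-DELIVER PDU (3GPP TS 23.040).
SAMPLE_PDU = ("07917283010010F5040BC87238880900F1"
              "0000993092516195800AE8329BFD4697D9EC37")  # sample input

def swap_nibbles(octets):
    """Semi-octet decoding: two digits per byte, low nibble first."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)

def unpack_gsm7(data, count):
    """Unpack 7-bit septets (covers the ASCII-compatible part of the alphabet)."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))

def parse_sms_deliver(pdu_hex):
    raw = bytes.fromhex(pdu_hex)
    smsc_len = raw[0]                      # length of service-centre info
    smsc = swap_nibbles(raw[2:1 + smsc_len]).rstrip("F")
    pos = 1 + smsc_len
    first_octet, oa_digits, oa_type = raw[pos], raw[pos + 1], raw[pos + 2]
    pos += 3
    oa_bytes = (oa_digits + 1) // 2        # digits are packed two per byte
    sender = swap_nibbles(raw[pos:pos + oa_bytes])[:oa_digits]
    pos += oa_bytes
    pid, dcs = raw[pos], raw[pos + 1]      # protocol id, data coding scheme
    ts = swap_nibbles(raw[pos + 2:pos + 9])
    udl = raw[pos + 9]                     # user data length in septets
    pos += 10
    if dcs != 0:
        raise ValueError("only the 7-bit default alphabet is handled here")
    ud_bytes = (udl * 7 + 7) // 8
    return {
        "smsc": smsc,
        "message_type": first_octet & 0x03,   # 0 = SMS-DELIVER
        "sender": sender,                     # a plain field, not verified
        "sender_type": oa_type,
        "timestamp": f"{ts[0:2]}-{ts[2:4]}-{ts[4:6]} "
                     f"{ts[6:8]}:{ts[8:10]}:{ts[10:12]}",
        "text": unpack_gsm7(raw[pos:pos + ud_bytes], udl),
        # Bytes left over after the last defined field. The layout has no
        # signature or MAC field binding the sender to the content.
        "unparsed_bytes": len(raw) - (pos + ud_bytes),
    }

if __name__ == "__main__":
    for field, value in parse_sms_deliver(SAMPLE_PDU).items():
        print(f"{field:15} {value}")
```
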

The Android Security Model

Android is a mobile operating system developed by Google. It is based on the Linux kernel and is designed primarily for touchscreen mobile devices such as smartphones and tablets. It is a multi-process system in which each application runs in its own process, and Linux facilities enforce security between applications and the system at the process level; applications are assigned user and group IDs. Applications are restricted in what they can do by a permission mechanism that uses access control.

Android uses security policies to determine whether to grant or deny permissions to applications installed on the Android operating system. Those security policies suffer from shortcomings in that they cannot specify to which application rights or permissions are given, because they rely on users and the operating system to make that guess. They are therefore taking the risk of permitting applications with malicious intentions to access confidential data on the phone.

For example, the online payment platform PayPal asserts permissions that must be granted to the other applications that use its interfaces. In this case it is hard to verify whether a PayPal application is legitimate or not because there is no way to determine whether this is the actual PayPal. Again, Android lacks security measures to determine and enforce how, when, where, and to whom permissions are granted.

Cyber-attacks on smartphones are as bad as attacks on PCs. Mobile apps rely on the browser to operate, and as a result, the occurrence of web-based attacks on mobile devices is on the increase. To be sure, firewalls alone are no longer enough. Therefore, companies must take every step to re-evaluate their security layers and, where possible, seek the help of consultants.
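One check a defender can run for the situation in the payment-app example, as an added example that is not part of the original article: audit the `<permission>` definitions in a set of app manifests and flag a permission defined outside the declaring app's own package namespace, one not restricted to same-signer apps, or one defined by more than one app. The package and permission names are constructed, and the namespace rule is a heuristic assumed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifests for two hypothetical apps (not real packages).
MANIFESTS = [
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.pay">
         <permission android:name="com.example.pay.permission.CHARGE"
                     android:protectionLevel="signature"/>
       </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
                 package="com.example.wallpapers">
         <permission android:name="com.example.pay.permission.CHARGE"/>
         <uses-permission android:name="com.example.pay.permission.CHARGE"/>
       </manifest>""",
]

def audit_custom_permissions(manifests):
    """Return (code, permission, package) findings for <permission> definitions."""
    findings, definers = [], {}
    for text in manifests:
        root = ET.fromstring(text)
        pkg = root.get("package")
        for perm in root.iter("permission"):
            name = perm.get(ANDROID + "name")
            # protectionLevel defaults to "normal" when the attribute is absent.
            level = perm.get(ANDROID + "protectionLevel", "normal")
            definers.setdefault(name, []).append(pkg)
            # Heuristic (assumption): an app defines permissions under its
            # own package name, so a foreign prefix deserves a closer look.
            if not name.startswith(pkg + "."):
                findings.append(("foreign-namespace", name, pkg))
            # Only "signature" limits the permission to same-signer apps.
            if "signature" not in level.split("|"):
                findings.append(("not-signature-protected", name, pkg))
    for name, pkgs in definers.items():
        if len(pkgs) > 1:
            findings.append(
                ("defined-by-multiple-apps", name, ",".join(sorted(pkgs))))
    return findings

if __name__ == "__main__":
    for finding in audit_custom_permissions(MANIFESTS):
        print(*finding, sep="  ")
```
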
 

Jealous husbands, wives and lovers compound the problem by installing spyware on their partners' phones. This spyware relays a copy of each message sent and a call log to a designated number or email address. The new threats call for new security measures, where inaction can lead to colossal financial costs, emotional distress and reputational damage.

Peter Kisitu holds a Master of Business Information Management from Université Libre De Bruxelles in Belgium.

He works at Van Ben, a social media company that helps organizations to reap the benefits of social media.
Contact: e-mail: kisitu25@gmail.com
