Security Explained: Mobile Threats
2 September 2021
At Cyrex, we love debunking myths, clearing up misconceptions, and ironing out misunderstandings.
One such issue is the idea that mobile is somehow more secure than any other device. A bit like the misconception that anti-cheat is enough security, which we’ve discussed previously, this is untrue. Mobile is no less secure than any other device we use. So, let’s discuss its security.
Unsecure through confusion?
It’s quite ironic that one of the main causes of security concerns for mobile is a lack of awareness. As a result, security is more lax, which worsens the problems for developers and users alike.
We’ve discussed the threats that any digital space can come under. From threats to the games industry to threats on the blockchain, all of these still apply to mobile. It isn’t a magical closed space that is untouchable by hackers.
Mobile applications are often less secure by design because developers believe that these apps run in a more closed environment. Unlike PC or Mac, where end users have full access, mobile certainly places more limitations on the average user. But there are just a few extra steps hackers need to take before they can access what they need.
Root around and start the jailbreak
The beginning of mobile hacking is accessing the underlying system. This is done via ‘rooting’ on Android or ‘jailbreaking’ on iOS. It’s the same process effectively, just different based on the OS and architecture.
Once this is done, the user is able to go past the user landscape that we normally see and access the very base level of the system. From there, they can start hacking and tampering.
We often see a few common vulnerabilities or easily exploitable elements. For example, insecure storage is a very common problem. Once compromised, it immediately puts any and all passwords and personal and financial data at risk.
We also find many vulnerabilities occurring due to weaknesses in server-side communication. The communication layer can be a dangerous place to let hackers in, which we’ve talked about before.
For mobile games, there are two scenarios: online games, where you need an active online connection, and mainly offline games, like Candy Crush, where you only occasionally need a connection to update a leaderboard.
The former is vulnerable, as any online game is, with the actions of hackers having a direct impact on other players and the state of the game. Combating hackers in this field is down to properly implemented server-side security, something we believe is key to stopping these abuses.
For offline games, there is effectively nothing stopping hackers. While no other players will be impacted, the lack of server-side authentication means that microtransactions can easily be abused. They are unsecure by design, and only by including some form of server authentication would they gain a semblance of security.
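As an added illustration (not Cyrex's code), this Python sketch shows the kind of server-side check the offline-game case lacks: the server verifies a store-signed receipt, refuses reused transactions, and takes the reward from its own catalogue rather than from the client. The HMAC signing scheme, `STORE_SECRET`, `CATALOGUE`, `PurchaseLedger` and the sample receipt are assumptions constructed for this example; real app stores use their own receipt formats and validation services.

```python
import hashlib
import hmac
import json

# Assumption: the store signs receipts with a secret shared only with the game
# server. HMAC is a stand-in that keeps the example offline and runnable.
STORE_SECRET = b"constructed-demo-secret"
CATALOGUE = {"gems_small": 100, "gems_large": 1200}  # server decides the value

class PurchaseLedger:
    def __init__(self):
        self.balances = {}
        self.seen_transactions = set()

    def grant(self, player_id, receipt_json, signature_hex):
        """Credit a purchase only if the receipt is authentic and unused."""
        expected = hmac.new(STORE_SECRET, receipt_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature_hex):
            return "rejected: bad signature"
        receipt = json.loads(receipt_json)
        if receipt.get("player_id") != player_id:
            return "rejected: receipt belongs to another player"
        tx_id = receipt.get("transaction_id")
        if not tx_id or tx_id in self.seen_transactions:
            return "rejected: replayed or missing transaction id"
        amount = CATALOGUE.get(receipt.get("product_id"))
        if amount is None:
            return "rejected: unknown product"
        self.seen_transactions.add(tx_id)
        self.balances[player_id] = self.balances.get(player_id, 0) + amount
        return "granted"

def sign_as_store(receipt):
    """Constructed helper standing in for the store's signing step."""
    body = json.dumps(receipt, sort_keys=True)
    return body, hmac.new(STORE_SECRET, body.encode(), hashlib.sha256).hexdigest()

def demo():
    ledger = PurchaseLedger()
    body, sig = sign_as_store({"player_id": "p1", "product_id": "gems_small", "transaction_id": "tx-001"})
    results = [ledger.grant("p1", body, sig)]          # genuine purchase
    results.append(ledger.grant("p1", body, sig))      # same receipt submitted again
    forged = body.replace("gems_small", "gems_large")  # receipt edited on the device
    results.append(ledger.grant("p1", forged, sig))
    return results, ledger.balances

if __name__ == "__main__":
    print(demo())
```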
Most vulnerabilities in mobile security are more common in iOS than on Android. This is due to the open nature of Android: anyone developing on the platform understands that there is greater access to what goes on behind the scenes. iOS, by contrast, is considered to be far stricter and more closed, meaning that many developers ignore security as a priority.
Why is mobile so unsecure?
As we mentioned before, it’s down to common misconceptions in part. This misconception fuels the actions of developers, who neglect security and further exacerbate the problem.
Developers instead focus on the inclusion of further content, features, and functionalities. This isn’t a bad thing. However, when it’s done in lieu of proper security, it leads to serious security problems. Neglecting security isn’t a mobile-exclusive behaviour either, despite its outcome being wholly negative throughout every industry.
They will return, and in greater numbers
Finishing up, we wanted to reiterate the threat of mobile hacking. Not just the issues of neglecting security, but the pure volume of hackers targeting mobile.
It’s another misconception, simply because it isn’t reported on as much. There are hacking communities of a staggering scale focusing on mobile. After all, once you’re bored with hacking web applications, mobile is the next step. It’s one of the most populated targets for hackers.
This is something we, as developers and security professionals, must be aware of, because once they get bored with mobile hacking they’ll move on to desktop and traditional games, and consoles. After that, even IoT devices.