There are two things wrong with the preconception that cyber criminals rely on tacky, free mobile apps to get victims to leak their financial details, so that the criminals can then empty their bank accounts.
First, mobile data leaks also happen via many popular, well-perceived app brands. Second, financial data is only one part of the treasure trove for cyber criminals, who may find even richer gains by using additional, non-financial, personal data.
Granted, mobile apps in the adult content category were identified by a recent study by the Wandera corporation as one of the least secure categories, with 80% of the top adult content apps and websites leaking personal information. However, 60% of all consumer information leaks have been coming from news, sports, and shopping apps, and almost another 30% from travel, entertainment, lifestyle and technology applications and mobile websites. Risks do not abate for business apps either, where usernames and passwords can also be leaked.
But if personal data other than financial information is being leaked, is that really a problem? The answer is a resounding yes. Not only is there the fundamental issue of privacy, but purloined personal data can also be used to spread malware in spear-phishing attacks on people you know, using your name and information to trick the targets into falling for the attack. It can be used for identity theft, fraudulent tax rebate claims, and bogus financial loans, possibly causing more loss and damage than a direct attack on a bank account. It can even allow hackers to see how a mobile device has handled different types of malware so far, and how modified malware could perhaps overcome the current defenses.
Don’t rely on end user discipline to sort things out. People often accept permission requests without question when a mobile app is being installed, and even more so when that app comes from Google Play or the Apple Store. The personal data that is then leaked from the device can end up anywhere on the web, being sold to advertisers, resold to hackers, filched by criminals, and so on.
The problem must be examined at the source if effective solutions are to be found. One reason for data leaks is that cyber criminals set up fake Wi-Fi hotspots that pretend to be a trusted network and then capture data. Anything that is sent in clear text will be easy pickings. Another reason is that the code of the mobile app is flawed, either because of design oversights or because mobile app release schedules are so rushed that developers fail to include the necessary security testing.
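The cleartext problem described above is one an app can close at the source, independently of which network the user happens to join. The following Android network security configuration is an added illustration, not code from this article or from Mi3 Security: it shows the weak setting that lets an app talk HTTP (and therefore hand its traffic to any rogue hotspot) next to the hardened setting that refuses cleartext connections entirely and trusts only the system certificate store. The file name `network_security_config.xml` and the domain `api.example.com` are assumptions used for the illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed path), referenced from the
     manifest via android:networkSecurityConfig="@xml/network_security_config".

     WEAK (what many rushed releases ship): cleartext allowed everywhere, so
     credentials or session tokens posted to http:// endpoints cross the
     Wi-Fi link unencrypted and a fake hotspot can read them as they pass.

     <network-security-config>
         <base-config cleartextTrafficPermitted="true" />
     </network-security-config>
-->

<!-- HARDENED: the platform's HTTP stack rejects any http:// request the app
     makes, so a coding oversight cannot silently downgrade to cleartext. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the OS certificate store; user-installed CAs
                 (the usual hook for an interception proxy) are not trusted. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Optional: pin the app's own API host (example domain, assumed).
         A rogue hotspot presenting a certificate from any other CA, even a
         system-trusted one, is then rejected for this host. Replace the
         digest with the real SPKI SHA-256 of your certificate or CA. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH=</pin>
            <!-- Always include a backup pin so a certificate rotation
                 does not lock users out of the app. -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The value of the hardened form is that it is a reviewable, testable artifact: a security check in the release pipeline can confirm `cleartextTrafficPermitted` is `false` and that no `user` trust anchor is present, rather than relying on every developer remembering to write `https://` in every request.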
All these causes are addressed by AppInterrogator, which rapidly spots security issues and alerts development teams to them, allowing them to run comprehensive security checks even within tight release schedules. Mi3 Security’s Recon service in the cloud lets non-developers, whether businesses or individuals, check the security rating of an app they are considering before deploying it and engaging with it. We may still be fated to live with end user ignorance of security precautions, but in this way we can at least limit its impact by helping users to simply avoid suspect or dangerous apps and their risks of data leaks.