MOBILE APPS AND SECURITY ATTACKS
An Introduction
What is security?
• We have locks on our doors
• We have security personnel for our residential societies
• We have police for the city
• We have armed forces for our borders
What is security?
• What is precious to you?
• Know how someone can attack
• Think how you can protect
Mobile device is the biggest threat vector
• Approximately 3 billion or more iOS and Android mobile devices are now on the market
• Mobiles hold critical data:
  • Personal
  • Financial
  • Social
  • Corporate
• These devices offer only minimal security (PIN, pattern, biometric)
Unfortunately, mobile users think that iOS and Android OS provide enough security.
Android Security
Android's security is built on encryption, signatures, isolation, and access control.
The Android app signature system ensures that the app's logic has not been tampered with, and lets the user recognise the identity of the app's author.
Although Android only installs and runs a signed app, a certificate from a trusted certificate authority is not required by Google. A hacker can create and distribute a malicious app, since people will not be able to track down its source.
Attackers add Trojan horses and malicious code to an existing legitimate app, then re-sign the updated version with an anonymous or fake certificate and distribute it.
Possible threats to mobile devices
Network exploit
• Hackers take advantage of a vulnerability or flaw in the user's web browser on the mobile device during WiFi communication.
• Hackers send malicious code/data from malicious websites to the victim's browser (after the user browses the malicious page). The code takes control and harvests all sensitive data on the victim's device.
Social engineering
• Hackers use hyped content to attract, manipulate, or persuade people into revealing confidential information through deception, such as phishing for information gathering, fraud, or access rights.
Malware
• Viruses hosted in legitimate code, self-replicating worms, and Trojan horses that act with a purpose.
Misuse of available resources and services
• Email/SMS spam or denial of service (a group of attacking devices sends a huge volume of data to a target on the Internet to impact the target's services).
Enterprise/Private Data Loss
• Workplace data on a mobile device may be uploaded to a home PC while synchronizing or downloading entertainment content, or enterprise/private data may be lost with a stolen device.
Data tampering
• Intentionally modifying/corrupting device data without permission, such as the device's contact list.
Popular Mobile Malware
• Spyware – steals user information, having obtained the user's consent in some way
• Trojan horse – steals confidential information such as credit card data
• Adware – displays unwanted pop-up ads, with or without theft of sensitive data
How do we detect?
a. Static analysis
Static analysis is a reverse engineering approach that finds code segments with malicious characteristics in an app without executing it. The analysis focuses on obvious security threats that have been reported before.
b. Dynamic analysis
Dynamic analysis executes the suspicious mobile app in an isolated sandbox, such as a virtual machine or emulator, to monitor and inspect the app's runtime behavior.
c. App permission analysis
Android security infers a mobile app's intentions from the permissions it requests. The permissions required should be clearly specified by the app's author, and should be justified by the functionality the app provides.
Enterprise Mobility: Bring Your Own Device (BYOD) with Mobile Device Management (MDM)
• Use MDM tools to oversee and control mobile devices in secure operations
• Store enterprise data in a sandbox
• Encrypt enterprise data on mobile devices
• Keep apps up to date so they carry fewer vulnerabilities and flaws
• Routinely back up all apps and upgrade the OS
• Authenticate and register all mobile devices with a Secure Sockets Layer (SSL) certificate
• Adopt app blacklisting within the enterprise
• Manage lost and stolen devices
• Separate personal and business accounts
• Control user access
Do you design for security?
• Do you have clearly identified data in your app which is precious?
• Do you clearly anticipate the possible attacks that can steal data?
• How does your tech design enable protection of the data?
• How are you going to test the app for security?
Nagarro drives technology-led business breakthroughs for industry leaders and challengers. When our clients want to move fast and make things, they turn to us. Some of our clients include Siemens, GE, Lufthansa, Viacom, Estée Lauder, ASSA ABLOY, Ericsson, DHL, Mitsubishi, BMW, the City of New York, T-Systems, SAP and Infor. Working with these clients, we continually push the boundaries of what is possible to do through technology, and in what time frame.
Today, we are more than 5,000 experts across 20 countries. Together we form Nagarro, the global services division of Munich-based Allgeier SE.
Sources
• https://www.macrumors.com/2017/05/17/2-billion-active-android-devices/
• https://www.utc.edu/faculty/li-yang/5.mobilethreatsattacks.pptx