mobile security

1. HC/RO. Tapan Kumar Khilar

2. Introduction
The term mobile security is a broad one that covers
everything from protecting mobile devices from
malware threats to reducing risks and
securing mobile devices and their data in the case of
theft, unauthorized access or accidental loss of
the mobile device.

10. Application security
 Application security describes security measures at
the application level that aim to prevent data or code
within the app from being stolen or hijacked.
 Application security may include hardware, software,
and procedures that identify or
minimize security vulnerabilities.

11. End-User Education
 In information technology the term end user is used
to distinguish the person for whom a hardware or
software product is designed.
 Our end-users are the first line of defense against
cyber security attacks (like phishing scams).

12. Mobile Security Threats
 Data Leakage
 Network Spoofing(Unsecured Wi-Fi)
 Social engineering
 Malicious Apps
 Improper Session Handling

13. Data Leakage
 These are typically free apps found in official app stores
that perform as advertised, but also send personal—and
potentially corporate—data to a remote server, where it is
mined by advertisers or even cybercriminals.
 Apps pose a real problem for mobile users, who give them
sweeping permissions, but don’t always check security.

16. Army blacklists 3 apps, warns troops against using WeChat, Smesh, Line

22. Network Spoofing
 Network spoofing is when hackers set up fake access
points (connections that look like Wi-Fi networks but
are actually traps) in high-traffic public locations such as
coffee shops, libraries and airports.
 cybercriminals give the access points common names,
like “Free Airport Wi-Fi” or “Coffeehouse,” which
encourage users to connect.
 attackers require users to create an “account” to access
these free services, complete with a password.
 many users employ the same email and password
combination for multiple services, allowing the hackers
to compromise their email, e-commerce, and other
secure information.

24. Social engineering
 Social engineering is the practice of obtaining
confidential information by manipulation of legitimate
users.
 A social engineer will commonly use the telephone or
Internet to trick a person into revealing sensitive
information or getting them to do something that is
against typical policies.

25. Thereare two types of Social Engineeringattacks
 Technical attacks
 Non-technical attacks.
“Technical attacks are those attacks that deceive the user into
believing that the application in use is truly providing them with
security which is not the factalways.”
Example:- Phishing
Common bait
Vishing
Spam mail
Popup Window
Interesting Software

26. Phishing
Phishing is the process of crafting
emails that appear to be from a
trusted source and typically invite
the recipient to either supply
confidential information or click on
amalicious link or attachment.

32. Fake Mail Online

35. Example

36. Common Bait
• “Sweet Deals”
– Free Stuff
– Limited Time
Offers
– PackageDelivery
• Help Me, Help
You!
– TechSupport

39. Vishing It is the practice of leveraging Voice over Internet
Protocol (VoIP) technology to trick private personal and
financial information from the public for the purpose of
financial reward. This term is a combination of "voice" and
phishing. Vishing exploits the public's trust in telephone
services.
 Spam Mails E-mails that offer friendships, diversion, gifts
and various free pictures and information take advantage of
the anonymity and camaraderie of the Internet to plant
malicious code.
 Popup Window The attacker's rogue program generates a
pop up window, saying that the application connectivity was
dropped due to network problems, and now the user needs to
reenter his id and password to continue with his session.
 Interesting Software In this case the victim is convinced to
download and install a very useful program or application
which might be 'window dressed' .

42. The non- technicalattacks
Non-technical approach are perpetrated purely through
deception; i.e. by taking advantage of the victim's human
behavior weaknesses.
 Pretexting / Impersonation
 Dumpster Diving
 Spying and Eavesdropping
 Acting as a Technical Expert
 Support Staff

43.  Pretexting / Impersonation: This is the act of creating
and using an invented scenario (the pretext) to persuade a
target to release information. It's more than a simple lie as
it most often involves some prior research or set up and
makes use of pieces of known information (e.g. date of
birth, mother's maiden name, billing address etc.) to
establish legitimacy in the mind.
 Dumpster Diving: If the junk mail contains personal
identification information, a 'dumpster diver' can use it in
carrying out an identity theft. A hacker can retrieve
confidential Information from the hard disk of a
computer as there are numerous ways to retrieve
information from disks, even if the user thinks the data
has been 'deleted' from the disk.

44.  Spying and Eavesdropping: A clever spy can determine
the id and password by observing a user typing it in (Shoulder
Surfing). All that needs to be done is to be there behind the
user and be able to see his fingers on the keyboard.
 Acting as a Technical Expert: This is the case where an
intruder pretends to be a support technician working on a
network problem requests the user to let him access the
workstation and 'fix' the problem.
 Support Staff: Here a hacker may pose as a member of a
facility support staff and do the trick. A man dressed like the
cleaning crew, walks into the work area, carrying cleaning
equipment. In the process of appearing to clean your desk
area, he can snoop around and get valuable information - such
as passwords, or a confidential file that you have forgotten to
lock up.

45. Malicious Apps
A malware attack is a type of cyber attack in
which malware or malicious software performs
activities on the victim's computer system,
usually without his/her knowledge.
Nowadays, people use words like malware,
spyware, and ransom ware a lot more than the
word "virus." ... Computer viruses operate via
similar means.

47. Improper session handling
Improper session handling occurs when
the session token is unintentionally shared with the
adversary during a subsequent transaction between the
mobile app and the backend servers.

51.  Install Some Security App on Your Device.
 Create Strong Passwords and unlock patterns.
 Important Apps like browser, Antivirus and payment wallet apps
should be updated regularly.
 Uninstall unnecessary Apps.
 Understand app permissions before accepting them.
 Do not connect unsecure wifi in public place.
 Avoid opening links of lotteries, prizes, gifts, discounts etc.
 Never give your full name or address to strangers.
 Wipe data on your old phone before you donate, resell or recycle it.
 Report stolen phones.
 Watch out for pirated apps.
 While logging in to any site, check the URL (the one in the address
bar), it should be exactly the same as the site you want to log in to .