According to a survey conducted by FGV (a Brazilian institution) in 2019, there are today 235 million smartphones in Brazil, and if we count digital devices in general the number reaches 420 million. The penetration of mobile devices into people’s lives is unquestionable. But what does the mobile security landscape look like in 2020?
Today, smartphones represent 56% of Brazilians’ mobile devices.
Unfortunately, there is still little data on mobile application security in Brazil.
However, we can take as a baseline research carried out in other markets, which very likely points to a picture similar to what happens in Brazil.
What the data tell us
In research by Pradeo, we can see that the largest attack vector in 2019, and one that remains so in 2020, is the software used on mobile devices.
In an even more troubling finding, about 10% of the devices in a sample of 50,000 Android devices were identified as infected by malicious applications.
From this we can infer that users’ attention to the security of their devices is practically non-existent.
In contrast to this perception of carelessness on the part of users, we know for certain how much sensitive and personal data is, and has been, stored on our mobile devices.
It is clear from these data that Android devices are far more affected than iOS devices. This does not directly mean that the Android operating system is more vulnerable; there is a lot of other data to analyze here, ranging from users’ purchasing power to the sheer number of devices running one system or the other.
We find a similar situation when we talk about security issues on Windows or Linux systems.
The question of operating systems is quite complex to analyze, because it involves many other factors. To illustrate this, the share of iOS users running outdated systems is much larger than that of Android users.
These data are shown in another survey, this time by the company Wandera. But once again, it does not show that one system is safer than the other; more likely this reflects the behavior of both the user and the manufacturer, which stops providing updates for older models.
When we think about the motivations for attacks on mobile applications, perhaps the next graph can help us understand what attackers are looking for. It seems to us that the objective of mobile attacks is not very different from that of attacks on web applications, where in the vast majority of cases the objective is data.
As we mentioned, the increase in attacks on and exploitation of mobile systems can also be related to a change in user behavior: in order to use a certain type of application, users often have to compromise their own device.
Research indicates that the vast majority of successful attacks had their door opened by phishing, which demonstrates that user behavior is being heavily exploited in attacks.
This leads us to understand that one possible way to reduce the number of attacks is the continuous and growing education of users.
However, as producers of mobile applications, we cannot fail to follow some guidelines that help keep this kind of behavior more under control.
A more structured development process, designed to bring security to the entire development pipeline, can be a strong ally in reducing vulnerabilities in the final product.
We have already published some articles on our blog about the Secure Development Process, and I suggest you read them.
Another practice that application producers should adopt is data encryption.
Data encryption should be thought of as a strong barrier between the data and its attackers, and as such it should be used wherever possible.
Keeping data encrypted both at rest and in transit can be one of the great advantages of your application.
Another point to note is the growing threat of attacks that use Unicode to make domain validation difficult. Punycode attacks should be one of the factors we are aware of.
As we can see, it is simple to set up look-alike domains that will be accepted as valid by applications that are not prepared to validate a domain correctly.
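As an added illustration (this is not code from the original post), here is a small Python check of the kind an application could run on a hostname before trusting it. It converts the name to its Punycode (xn--) form with the standard library's idna codec, decodes any xn-- labels back to the glyphs a user would actually see, flags labels that mix scripts, and compares a confusable-folded "skeleton" of the name against an allowlist of hostnames the application is expected to talk to. The confusables table is a constructed subset of Unicode's confusables data, the script detection is a heuristic based on the first word of each character's Unicode name, and the trusted names and sample inputs are constructed examples.

```python
import unicodedata

# Constructed subset of the Unicode confusables data: Cyrillic letters that render
# almost identically to Latin ones in common fonts. A real deployment would load the
# full confusables.txt table instead of this hand-picked list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def script_of(ch):
    """Heuristic script of a letter: the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). None for digits, hyphens and other non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def to_ascii(hostname):
    """ASCII form of a hostname (RFC 3490 ToASCII): non-ASCII labels become
    Punycode with the xn-- prefix. Uses the standard library's idna codec."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname):
    """Unicode form of a hostname, decoding any xn-- labels back to their glyphs,
    so that a name supplied as Punycode is inspected the way a user would see it."""
    return to_ascii(hostname).encode("ascii").decode("idna")


def skeleton(hostname):
    """Fold confusable letters to their Latin look-alikes so that names which
    render the same compare equal."""
    normalized = unicodedata.normalize("NFKC", hostname.lower())
    return "".join(CONFUSABLES.get(c, c) for c in normalized)


def analyze_hostname(hostname, trusted=()):
    """Inspect one hostname and return its ASCII and Unicode forms, the labels that
    are IDN (xn--), the labels mixing scripts, the trusted name it imitates (if any)
    and a risk verdict: "reject" (not a valid IDN), "high", "review" or "low"."""
    host = hostname.strip().rstrip(".").lower()
    try:
        ascii_form = to_ascii(host)
        unicode_form = to_unicode(host)
    except UnicodeError as exc:
        return {"input": hostname, "error": str(exc), "risk": "reject"}

    mixed = []
    for label in unicode_form.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            mixed.append(label)

    lookalike = None
    for name in trusted:
        # Same skeleton but a different real name: looks like a trusted domain, is not one.
        if skeleton(name) == skeleton(unicode_form) and to_ascii(name.lower()) != ascii_form:
            lookalike = name
            break

    idn_labels = [l for l in ascii_form.split(".") if l.startswith("xn--")]
    if mixed or lookalike:
        risk = "high"
    elif idn_labels:
        risk = "review"
    else:
        risk = "low"
    return {
        "input": hostname,
        "ascii": ascii_form,
        "unicode": unicode_form,
        "idn_labels": idn_labels,
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
        "risk": risk,
    }


if __name__ == "__main__":
    # Constructed examples: a trusted name, its mixed-script imitation, the same
    # imitation supplied as Punycode, a legitimate IDN and an all-Cyrillic imitation.
    TRUSTED = ["apple.com", "pay.example.com"]
    for sample in ["apple.com", "\u0430pple.com", "xn--pple-43d.com",
                   "m\u00fcnchen.de", "\u0440\u0430\u0443.example.com"]:
        print(analyze_hostname(sample, TRUSTED))
```

The verdicts are deliberately conservative: a legitimate internationalized name such as a German domain with an umlaut is only marked for review, while a label that mixes scripts or whose folded skeleton equals a trusted name without actually being that name is marked high, which is exactly the pattern of the Cyrillic look-alike domains the text warns about. In an application, this check belongs wherever a hostname is compared against configuration (certificate pinning lists, deep-link handlers, allowed API hosts), and the comparison should always be done on the ASCII (Punycode) form, never on the rendered Unicode string.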
Our intention here is not to create a list of actions to be performed, but only to draw attention to attack models that are always present and that grow with users’ carelessness and with the weak development practices adopted by companies.
A good suggestion for reading and study is the OWASP documentation on security controls for mobile applications. It brings a number of opportunities for improvement and progress in the development of more secure mobile applications.
We hope to have contributed a little more information on a topic that is so present in our daily lives and that we need to look at more closely.