Introduction
The technological landscape has been changing fast, increasing the need for mobile devices and associated applications. Mobile apps constitute a larger mobile environment that includes mobile devices, internet infrastructure, data centers, and file servers. This creates a complicated assault surface. With the expanded utilization of mobile devices with improved features such as sensors, location-based services (GPS), and near-field telecommunication, the threat landscape has grown even more (Bui et al., 2021). Institutions have started engaging in mobile application pen testing in response to the growing complexity of cyber-attacks and the significant rewards offered for mobile app defects.
Consistency Evaluation of Data-Usage Reasons in Mobile Apps
While privacy rules and regulations oblige applications and services to declare the reasons for their data collecting to users, data utilization in an app’s real operation does not always match the privacy policy’s primary objectives. The discrepancies pave the way for cyber-attacks that may be directed at mobile devices’ applications, software, or data. The authors offer PurPliance, an end-to-end autonomous system that detects anomalies between the data-usage intents declared in a privacy statement and the actual processing behavior of a mobile device app. Their main goal is to address unforeseen data collection by mobile apps.
Anomalous data usage by an app should raise an alarm because the application could be used to spy on the phone. Depending on a semantic argumentation evaluation and a classification of data-usage purposes, the system evaluates objective terms and conditions in privacy policy statements. Privacy rules and data transfer are then mined for data-usage objectives. Finally, the system employs a formal model to discover conflicts between privacy policies and data flows. PurPliance raises the F1 score of inconsistency recognition by 52% when contrasted to a state-of-the-art methodology (Bui et al., 2021). The system has improved detection precision from 19 percent to 95 percent and recall from 10 percent to 50 percent compared to a state-of-the-art method in end-to-end disagreement detection (Bui et al., 2021). In addition, the presented system detects contradictions in 18.14 percent of confidentiality and flow-to-policy discrepancies in 69.66 percent of apps, according to Bui et al. (2021). This data demonstrates significant discrepancies between the privacy user policies and actual mobile operation.
Mobile Sensors
Users’ interactions with current cell phones have been revolutionized by mobile sensors, which have improved their entire experience. However, the lack of adequate access control for monitoring these sensors opens the door to a slew of risks. Rogue apps and websites can exploit sensor data to launch a variety of attacks (Diamantaris et al., 2021). Although people tend to concentrate on direct sensor data, ads have been evaluated as one of the ways rough which attacks can be launched through a mobile device’s sensors.
The authors provide a unique attack vector that takes advantage of the advertising ecosystem to perform powerful and stealthy mobile sensor-based attacks. Because of the incorrect network access of sensor information in WebView, these attacks do not require any additional app permissions or unique user activities, and they target all Mobile applications that feature in-app advertising (Diamantaris et al., 2021). In two different attack types, intra-app and inter-app data exfiltration, motion sensor data may be leveraged to infer users’ confidential touch input, such as credit card credentials. While the former impacts only the app that delivers the ad, the other influences all Android apps on the device.
Furthermore, the authors discovered severe defects in Android’s app segmentation, life cycle monitoring, and access control systems. They were found to allow for continuous intrusions even after the ad-serving app is transferred to the background or the user terminates it. In addition, because in-app advertising can rely on privileges designed for the app’s essential operation, they can access data from protected sensors like the camera, microphone, and GPS (Diamantaris et al., 2021). The authors undertake a large-scale, end-to-end, parametric study of adverts seen in apps available on the official Android Play Store to provide a complete assessment of this developing threat. Their research shows that advertisements in public are already obtaining and leaking motion sensor data, underscoring the necessity for more stringent access control measures and isolation techniques.
Source-Tracking Technique for Encrypted Messaging
While popular messaging methods like Whatsapp, Facebook, and Messenger provide end-to-end encryption for users, the same qualities also make it difficult for messaging applications to implement any level of content moderation. Poor content control can contribute to the unfettered spread of inappropriate content on such networks, such as misinformation (Peale et al., 2021). Over the years, researchers have tried various tracking methods to identify the source of messages in an attempt to unravel fraudulent messages. The authors referred to an earlier study that used message tracking to identify the path of a forwarded message. In many cases, a forwarded message does not reveal the source of information, a significant fact leading to the spread of malicious information. Although the earlier technique was successful, its privacy guarantee and storage requirement for the platform needed improvement. Leveraging past successes and current needs, the authors developed an improved system for source tracking.
The presented system has two main contributions: privacy protection and accountability. According to Peale et al. (2021), source-tracking allows messaging systems to provide the privacy protections that come with typical end-to-end encryption. This is an important feature because almost all messaging companies have implemented end-to-end encryption systems. In addition, the source-tracking method allows users to hold fraudulent message sources accountable. This method relies on an effective source-tracking technique where the original sender can be easily identified when malicious content is reported along the chain. This introduces accountability, limiting the chances of threat penetration through forwarded messages.
Examining Mobile Ad Fraud via Invalid Traffic
As Real-time Bidding (RTB) gains popularity in programmatic advertising, invalid traffic from click farms has become a significant threat to online advertisement. It relies on a large number of real smartphones to conduct big-scale ad fraud schemes. The authors based their research on click farms to analyze the impact of fraud through invalid traffic through several techniques. In this paper, the researchers take the first step in detecting and measuring click farm-based invalid traffic on a wide scale (Sun et al., 2021). Their research begins with an assessment of the device’s characteristics using a real-world categorized dataset, which provides a set of characteristics that identify fraudulent gadgets from benign ones.
They develop EvilHunter, a method for identifying malicious devices via ad bid request records, with an emphasis on grouping fraudulent devices, based on these criteria. The proposed system works through various techniques to identify and categorize fraudulent gadgets. First, the researchers employ a classifier to differentiate between fraudulent and benign devices. Second, devices are grouped relying on app usage patterns, and, lastly, re-label devices are in groups using the majority vote. On a real-world-labeled dataset, EvilHunter achieves 97 percent precision and 95 percent recall (Sun et al., 2021). The proposed method leads to the discovery of many cheating tactics used by fraudulent clusters by studying a super click farm.
Security Guarantees for Decentralized Group Communication
Secure group messaging technologies that provide end-to-end encryption for team communication must deal with three main challenges. First, they should address the issue of mobile devices going offline often. Second, they should consider the frequency of group members being enrolled and withdrawn, and lastly, handle the danger of device breaches during long-term chat sessions. Existing research focuses on a core network architecture in which all communication is routed through a central server trusted to maintain a constant total order on group state modifications (Weidner et al., 2021). The authors adopt homogeneous network communication for distributed networks with no central authority in this study, defining distributed continuous group key agreement (DCGKA), modern cryptography primitive that encompasses a decentralized, secure group communication protocol (Weidner et al., 2021). This approach achieves forward confidentiality and post-compromise privacy in the event of gadget compromise.
Conclusion
In conclusion, mobile technology has become increasingly essential for communication, exposing it to a myriad of threats through cyber-attacks. Mobile devices, software, and data stored in the gadgets provide a basis for evaluating the routes followed by hackers in launching attacks on mobile devices. The researchers discussed herein have explored data use reasons, sensors, mobile adverts, and group messaging to reveal the need and methods of penetration testing for improved mobile security.
References
Bui, D., Yao, Y., Shin, K., Choi, J., & Shin, J. (2021). Consistency analysis of data-usage purposes in mobile apps.Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Web.
Diamantaris, M., Moustakas, S., Sun, L., Ioannidis, S., & Polakis, J. (2021). This sneaky piggy went to the android ad market: Misusing mobile sensors for stealthy data exfiltration.Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Web.
Peale, C., Eskandarian, S., & Boneh, D. (2021). Secure complaint-enabled source-tracking for encrypted messaging.Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Web.
Sun, S., Yu, L., Zhang, X., Xue, M., Zhou, R., & Zhu, H., Hao, S., and Lin, X. (2021). Understanding and detecting mobile ad fraud through the lens of invalid traffic. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Web.
Weidner, M., Kleppmann, M., Hugenroth, D., & Beresford, A. R. (2021). Key agreement for decentralized secure group messaging with strong security guarantees.Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Web.