“The risk can be significantly reduced” – interview with Mateusz Bilinski

Is it safe to use applications on phones? How to protect your sensitive data and avoid being spied on? Mateusz Bilinski, a mobile technology enthusiast since the Zaurus SL-5500, and Head of Mobile Security at Niebezpiecznik with experience as a researcher, trainer and pentester, knows the answers to these questions.

One of the first holders of the CompTIA iOS Mobile App Security+ certification and one of the speakers at Infoshare, the largest event from the world of business, innovation and technology in Poland.

Interia: Every year more and more people use mobile apps to pay or manage sensitive data. Developers of the applications keep coming up with new patents that are supposed to make our lives easier. But what about the security of such solutions? Should we blindly trust that our data is properly protected? What can we risk when using mobile apps?

Mateusz Bilinski: Nowadays, if someone wants to use the most popular applications and technologies, very often they have no other choice and have to trust the developers with their data. Even if the application declares a certain behavior, sometimes errors may appear in it, leading to the data being taken outside safe areas.

The good news is that the average security level of popular mobile applications, such as banking or messaging apps, is steadily increasing. Something that was a popular bug a few years ago is now practically unheard of in high-end apps.

On the other hand, more and more applications appear in the Google Play store which, for example, abuse permissions in the user’s system. Such applications are very often visible for only a few days, then disappear, only to reappear with a different title and a changed icon.

For a user of mobile applications, the worst, real scenario is installing an application that was supposed to perform a specific function (e.g. cryptocurrency wallet or messenger), but in fact is malware. Sometimes such apps, instead of directly stealing the data they have access to, focus on impersonating other apps, such as a banking app that the user regularly uses.

Users of Apple devices are much less vulnerable to leaks when installing an application from the App Store, among other reasons due to an extensive application verification process. However, it is important to remember that there have been examples in the history of the App Store when potentially malicious applications appeared in the store.

Therefore, regardless of the system, user vigilance is recommended when installing applications.

Interia: How can we be sure that the application we download is safe? How to recognize a safe application?

Mateusz Biliński: Unfortunately, it should be assumed that we will never actually get such certainty. However, you can significantly reduce the risk by following a few simple rules.

Users have two fundamental solutions at their disposal here. Firstly, it is important to use security mechanisms provided by phone manufacturers and their infrastructure.

In the case of Android phones, such an element is the use of Google Play Protect, which is enabled by default on modern phones. Play Protect primarily scans apps for anomalies, which are very often associated with malware.

Secondly, a source of information about the quality and security of applications is very often user reviews in the Google Play store, which developers cannot easily remove. Additionally, when installing brand new apps it is worthwhile to look for information about their security on the web. For more popular applications, there is a chance that you will find some report that will shed more light on the behavior of the application.

Here you should remember about one more element: mobile applications change very often. There are apps that release new versions practically every day. Although there are sometimes some risks associated with this, by default it is worth updating what you have installed regularly.

Interia: Are there technologies used in mobile apps that we should be wary of?

Mateusz Biliński: There are practically no mobile technologies that are dangerous in themselves. What really matters is how they are used. The level of security in this area must be considered in the context of a specific application and a specific device.

It is worth noting that the closer an application is to the operating system and the more it is provided by its manufacturer, the greater the chance that the data within those applications will be more secure. This is because manufacturers have more control over how their apps will work within the system, and therefore have more options for securing data, such as through the use of hardware components. However, it should be openly warned that such security features have historically been incorrectly implemented or contained vulnerabilities, despite being created by device manufacturers.

Interia: The threat of a hacking attack does not only concern large enterprises. More and more often we hear about attempts to steal data from private individuals or small companies. Why is this happening? Do we actually have anything to fear?

Mateusz Bilinski: One reason for the increased popularity of attacks is simply more people actively using the network and the services available on it, such as financial services. As a result, attackers, especially those using humans as a weak link, are casting their net wider hoping for better results.

Not without significance is also the ease of access to tools supporting such attacks and the relatively low cost of carrying them out.

It should be noted here that social engineering attacks are mainly very dangerous and effective if someone conducts reconnaissance on a potential victim beforehand. One such source could be databases leaked from other systems where the user was registered. Therefore, the basis of online existence should be the use of different passwords in different services, and changing them regularly.

Above all, users should avoid behaviors that increase the likelihood of becoming a victim. There are many such elements, but one of the key ones is to verify that you are on the right (and not a fake) website before entering any sensitive or confidential data, e.g. a password to a banking service.

On niebezpiecznik.pl we publish additional information which helps users to effectively protect and configure their devices or systems. We also run a training course, “How not to get hacked”, in which, in a condensed form, we provide information and advice which, in our opinion, every Internet user should know (and use!), both privately and professionally.

Interia: Is there any way we, as users, can take care of our safety when using different apps?

Mateusz Bilinski: First of all, typical users should never install apps from outside trusted sources. On Android such an operation is available on every device; in the case of iOS such a scheme is less popular, but still possible. It is then very difficult for users to assess whether an application may be malicious or not.

In addition, for already installed applications, on both Android and iOS, you can decide what permissions are assigned to them. Therefore, it is worth regularly auditing the permissions granted to apps and deciding whether you really want specific apps to have access to, for example, the microphone or location.

Interia: What if the phone is lost or stolen from us? How to protect data and what steps should be taken in such a situation?

Mateusz Bilinski: First of all, it is worth preparing for such a situation in advance and practicing the whole scenario at home, checking if everything works correctly. The foundation is to use a phone lock, where the password is long enough and possibly an effective biometric mechanism. Here, unfortunately, the security of such solutions depends on the specific device.

In addition to the screen lock, another element that can help us in case of theft is activating services such as Find My Phone. Both Google and Apple provide access to such a service within their operating systems. Thanks to this, in case of loss or theft there is a chance to remotely access the device: determine its location, delete data, activate a sound or take a picture.

Interia: Recently, solutions based on artificial intelligence have become increasingly popular. What are the risks associated with this?

Mateusz Bilinski: Modern machine learning methods are a tangible example of dual-use technology. On the one hand, they can be used, for example, to generate fake video statements by politicians; on the other, research is being conducted into the effective detection of such material.

Currently, the most popular applications of artificial intelligence appear in the form of automation of tasks that take only a few seconds for a human: image recognition, sound recognition, text recognition. The biggest danger that arises here is that such systems can be fooled if they are not properly prepared for unprecedented data. For example, a photo in which a person clearly recognizes a child could be classified as a firearm if there is appropriately crafted noise within the image.

In fact, the biggest threat is related to misclassification results: how people will interpret the results. It is important here to be aware that despite the significant effectiveness of modern technology, in some applications, errors are possible, which result, for example, from poorly selected data sets. Therefore, those making decisions based on such results should be vigilant, especially in the early stages of systems.

There is currently a huge technological leap taking place in practical large-scale applications of machine learning. Something that was not possible a few months ago is today within the reach of not only researchers, but also enthusiasts and practitioners. This is especially true for natural language processing, where texts can be generated whose syntax and content very effectively give the impression of having been written by a human. The existence of such technologies should increase our vigilance in processing the information that reaches us and forming opinions based on it.

Interia: Do you have any advice for regular users about safety when using mobile devices?

Mateusz Bilinski: I think there are three elements that a user should take care of and will provide them with the basics of mobile security.

First, and this is the most important point, regular updates to the operating system are important. In the case of Android, we should get such updates at least once a month. Apple updates its devices when it sees fit, usually more than once a month, as soon as bugs are patched.

Unfortunately, the problem here is long-term support from the manufacturer. While in the case of Apple such updates can be received even 5 years after the device’s premiere, in the case of phones with Android such a maximum is very often 2 years. Unfortunately, after such a time, if we do not get any more updates, the only solution, especially for a non-technical user, is to replace the device with a new one.

The second element that is worth taking care of is to regularly check whether we really need the applications that are installed on our device. If it turns out that we do not use them, we should remove them. Applications that are unnecessarily installed on a device may pose an additional source of danger, e.g. if it turns out that such an application contains a vulnerability. It is worth striving for the state which I call the Minimum Application Set.

The last solution, which should be applied regularly, is disabling additional interfaces that are not used. This concerns WiFi, Bluetooth and NFC. In the past, it happened that implementations of these protocols contained serious bugs and it was enough to have such an interface enabled for someone to take remote control of the device. Even if such a serious vulnerability does not exist at the moment, radio interfaces can be used in other ways, for example, to track the user.
