Security of the Present & Challenges for the Future (For Mobile Users)



Hi, welcome again to my blog. This is my second blog post, but it is on an entirely different topic from the last one.

It's on the topic of interest that has earned me my bread & butter for almost 6 years now.

"If you can't explain it simply, you don't understand it well enough." --  Albert Einstein

As the quote says, let me first clarify that this post is for anyone & everyone who understands basic English. You need not know any Information Technology terms to read & understand the post below. However, the future linked posts will be categorized for different people based on their knowledge of IT, & I'll make the categorization clear at the start of those posts.

We already know that the pace at which technology is expanding its grasp on our daily life is unmatched. As an example, we see mobile technologies evolving faster than ever before. And it's not only in the telecommunication sector; technology is expanding in every sector of every industry & thus affecting our daily routine activities.

For example, 10 years back the first thing we used to do after waking up in the morning was to brush our teeth; today we brush our eyes with the Good Morning texts over WhatsApp, Facebook, Twitter & other social media, and maybe spend the first 30 minutes of our morning using some form of technology.

But with growing technology come growing threats: security threats.

What happens if tomorrow morning, when you place your eyes on your mobile screen, you see your Facebook ID has been hacked & you cannot log in? Or you see that some of your private moments/images are no longer private & people are enjoying/commenting on them? Or, in the worst case, your bank account has zero balance in it?

If you are thinking, is it really that easy? Then let me answer: YES IT IS! And I am going to show you exactly how such attacks are done so easily in this & upcoming blog posts.

The way mobile phone companies are giving attractive features & promoting entertainment factors to keep sales high, people tend to buy more phones nowadays.

Some years back we used to have one phone running for at least 2-3 years, but now we can't even keep a phone running properly for a year.

Even though the mobile companies call it a Smart-Phone, it's not actually smart until you use it smartly to make it smart enough to handle at least basic security threats alongside the entertainment & basic phone needs. I want you to understand exactly the importance & the way of implementing basic security, without needing a very deep understanding of it.

I have been going through some feeds (news sources) on cyber-security hacks & new exploits for the last couple of months, and you'll be surprised to know that I get news of at least 15 attacks per day from just the one or two sources I rely on. Just imagine how many cyberattacks are really happening.

We'll try to see & understand the very basic attacks that are happening daily, explore the motive behind every attack very briefly, and then look at how to protect ourselves from these threats without spending any extra bucks/money from your pocket.

So let's not waste any more time & jump into the main content.

As very normal/common non-technical people, we usually use our mobile phones for the purposes below.

1> Accessing Facebook to connect with our near ones & our dear but far ones, & also of course to make our image better online 😜😃
2> Using Twitter to see posts & tweets from the people we follow, mainly public figures.
3> Accessing WhatsApp to chat & sometimes to share love 😃
4> Checking our emails
5> Using GPS (Global Positioning System) to find an address so that we can reach anywhere without asking people much about it (and in India it sucks sometimes 😜😃)
6> Mostly we use it for basic/video calls & entertainment purposes such as watching & capturing photos, videos & games etc.
7> Some people use their mobile for reminders of events/meetings.

People who have a little bit of understanding of technical whereabouts additionally use some features as below.

8> Online shopping & mobile wallets such as Paytm/Airtel Bank/FreeCharge/PayPal etc.
9> Use of mobile banking & internet banking
10> And many use it to download torrents

Of course there are many more uses of phones nowadays, but the above depicts only the most common scenarios.

Now let me try to take each point from the above list & give you an example of how a threat & exploit is possible in every scenario.

Let's first concentrate on using social media:

Who does not like to visit social media such as Facebook, Twitter etc.?
And a study shows that nearly 80 percent of social media time is now spent on mobile devices. So you can understand why social media & your mobile are the most favourite destinations for hackers to attack.

Now let's look at what benefit a hacker will achieve by hacking merely your social media account.

1> If an attacker somehow gets your social media access/credentials, he/she can access many other websites using the Social Login option. For example: if I open https://www.naukri.com/, you'll see social login buttons (as shown in the screenshot below), and upon clicking one, all an attacker needs to provide is your Facebook credentials to log in to the Naukri website. In a similar way he/she can access many such legal/illegal portals & make use of your account. And this may get you into some trouble.


2> If your account contains too much of your personal/private information, an attacker who gets access/credentials can do blackmailing stuff & negotiate on monetary terms to not leak your private information. Would you mind spending 100/200 bucks against your private information? No, right? Just think: if an attacker can get access to just some thousand accounts, he can earn in millions.

3> Because, as human nature, we like to keep the same/similar passwords/credentials for different websites, there is a high chance that with the leakage of any one of your portal's passwords, an attacker can get access to the others, including your bank account through net banking.

4> Do you know that social media credentials are put up for sale to advertisers & other companies who are associated with black market activities in the cyber world? Below is a proof of such activities. So an attacker may not do anything illegal with your account himself, but may just sell your account details to some more evil companies, who may use it for malicious purposes. And you simply wouldn't know that your accounts are being used by others.

http://www.hindustantimes.com/social-media/360-million-stolen-credentials-for-sale-on-cyber-black-market-uncovered/story-SYLtM1rfXsHuWXvNCaup8M.html 

There are many, many more possibilities of action with social media, apart from the brief list above.

Now, let's look at how an attacker can easily get your social login or, for that matter, any of your website passwords.
Because social media provides a hacker the ultimate attack surface to get people's personal information & interests, and by using a social engineering technique, a hacker can get your password revealed so easily that you wouldn't believe it.

Let me take a few examples.
A> How many of you are using a password from among the samples below?

1> password, 2> P@ssw0rd, 3> password123, 4> Password@123, 5> password1234, 6> <your mobile number>, 7> 12345678, 8> 987654321, 9> yourname@123,
10> <your home town>, 11> google, 12> <your date of birth>, 13> <Your Life Partner's Name@2017>, 14> Ilove<your lover's name>, 15> Password@2017, 16> <youremailid>

B> How many of you are using a similar password for multiple websites?
C> How many of you are saving your social login passwords in your mobile browser when accessing them through your mobile?
D> How many of you are downloading content through uTorrent on your mobile?
E> How many of you are downloading content such as music or videos from websites with loads of advertisements?

Though there are many other tools/ways a hacker can use, such as a Dictionary Attack (where the attacker uses tools to identify passwords using a set of keywords found & used commonly in dictionaries) or a Brute-Force Attack (where the hacker uses tools which will try out every combination of letters to crack your password), before trying those out they will simply try manually a few passwords like the examples I've given above, based on your interests & the information available on your social media.

If you're saving your passwords in the browser, BE CAREFUL! Because it just takes one simple script executed in your browser through a fake pop-up (like the one below; once you click OK, you're likely gone) to grab all the passwords saved in your browser memory.


Remember, on the Internet, free is not actually FREE! So downloading torrents many times downloads hidden apps to your mobile which get installed automatically without your knowledge & permission.

Sites full of advertisements are more dangerous than downloading content from torrents, as they may push different malicious programs through a type of program called adware.

An attacker may use WhatsApp or another messenger to send out videos/photos/PDFs of the kind you like but with a malicious program attached, and once you click to view, the malicious content gets downloaded and resides in your phone memory. It may start affecting you immediately or at a later time, or at times the effects of these programs are not visible at all; it depends on the choice of attack by the attacker.

If an attacker wants to attack a specific target such as a government institution or some specific company, they obviously don't want their anonymity to be broken, hence instead of attacking directly from their own system they may alternatively use your mobile/gadgets as the source of the attack. And the malicious programs help them achieve that. And definitely, if that is the intent, then they would not program the malicious content to affect anything visible to you, right?

Let's now talk about emails:

In today's life, email is becoming the third most necessary thing to live, after oxygen & water. Isn't it?

But just as we don't care about the scarcity of water & oxygen, we're also less protective about our emails.

Because emails are used for everything including your banking, any attacker who somehow gets access to your email can unlock most of your important secrets online. Most websites offer links such as "Forgot Password / Change Password" which upon clicking send an email to verify that it is you. So if an attacker gets access to your email, they can literally unlock everything.

Like social logins, hacked email IDs & passwords are for sale in the black world, at higher prices than social login credentials.

I'd better leave it up to you to think how & what impact it can have if someone gets access to your official email IDs. It may even end up losing you your job.

Let's talk about GPS:

GPS is a stalker's best friend. A stalker can easily track your whereabouts using the photos/videos you post on social media every day. Any attacker and/or any organisation, including your government, can even track your location every now & then using your mobile phone's GPS system.

Of course you don't want that. Before showing how you can protect against it, let me show you how easy it is.

Below is a capture of a preview of this blog using my Android mobile, and the second image shows the exact latitude & longitude, even the altitude (the height from which I've taken this picture). And if the second image does not make sense to you, look at the third image, where I've uploaded this picture to http://www.geoimgr.com/ and it shows exactly where the photo has been captured. If I had scrolled more on the map, it would have shown my house location, which of course I don't want, so I've shown you the pointer from a little higher up in the map.

Original image (I've removed the GPS info now)

GPS info showing in the original image


GPS location showing in the map

There have been many reports of kidnapping of girls/women, even children, across the world, and investigations show that GPS tracking like the above has been used by the stalker to get their position every day, to plan the kidnapping properly. Isn't it scary?
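To show what the "GPS info" in the screenshots above actually is, here is an added example (my code, not from the post or from geoimgr.com) that reads the GPS latitude/longitude out of a JPEG's EXIF header and strips the whole EXIF segment, which is what removing the GPS info from a photo amounts to. It uses only Python's standard library; build_sample_jpeg() constructs a tiny made-up JPEG with GPS tags so the script runs offline, and the coordinates in it are invented.

```python
import struct

GPS_IFD_POINTER = 0x8825        # IFD0 tag holding the offset of the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4
ASCII, LONG, RATIONAL = 2, 4, 5  # TIFF field types used below

def _ifd_entries(tiff, bo, off):
    """Yield (tag, type, count, raw 4-byte value-or-offset) for the IFD at `off`."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        yield tag, typ, cnt, tiff[e + 8:e + 12]

def _gps_from_tiff(tiff):
    """Decode latitude/longitude from the TIFF block inside an APP1 Exif segment."""
    bo = ">" if tiff[:2] == b"MM" else "<"   # "MM" big-endian, "II" little-endian
    (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
    gps_off = None
    for tag, typ, cnt, val in _ifd_entries(tiff, bo, ifd0):
        if tag == GPS_IFD_POINTER:
            (gps_off,) = struct.unpack(bo + "I", val)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, cnt, val in _ifd_entries(tiff, bo, gps_off):
        if typ == ASCII and cnt <= 4:        # "N"/"S"/"E"/"W" are stored inline
            fields[tag] = val[:cnt].rstrip(b"\0").decode("ascii")
        elif typ == RATIONAL:                # uint32 pairs stored at an offset
            (off,) = struct.unpack(bo + "I", val)
            nums = struct.unpack(bo + "II" * cnt, tiff[off:off + 8 * cnt])
            fields[tag] = [nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in range(0, 2 * cnt, 2)]
    if TAG_LAT not in fields or TAG_LON not in fields:
        return None
    # degrees, minutes, seconds -> decimal degrees; S and W hemispheres are negative
    lat = sum(v / 60 ** i for i, v in enumerate(fields[TAG_LAT]))
    lon = sum(v / 60 ** i for i, v in enumerate(fields[TAG_LON]))
    lat = -lat if fields.get(TAG_LAT_REF) == "S" else lat
    lon = -lon if fields.get(TAG_LON_REF) == "W" else lon
    return lat, lon

def _segments(jpeg):
    # Yield (marker, start, end) for each header segment before the image data (SOS).
    pos = 2                                  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):           # SOS or EOI: headers are over
            break
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + seglen
        pos += 2 + seglen

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF data, else None."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == 0xE1 and payload[:6] == b"Exif\0\0":
            return _gps_from_tiff(payload[6:])
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment dropped; the pixels are untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        last = end
    out += jpeg[last:]
    return bytes(out)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: SOI + APP1 Exif (IFD0 -> GPS IFD) + EOI, no real picture inside."""
    def entry(tag, typ, cnt, val4):
        return struct.pack(">HHI", tag, typ, cnt) + val4
    def rationals(dms):
        return b"".join(struct.pack(">II", int(v), 1) for v in dms)
    # TIFF layout: header 0-8, IFD0 8-26, GPS IFD 26-80, lat rationals 80-104, lon 104-128
    ifd0 = struct.pack(">H", 1) + entry(GPS_IFD_POINTER, LONG, 1, struct.pack(">I", 26)) + b"\0" * 4
    gps = struct.pack(">H", 4) + b"".join([
        entry(TAG_LAT_REF, ASCII, 2, lat_ref.encode() + b"\0" * 3),
        entry(TAG_LAT, RATIONAL, 3, struct.pack(">I", 80)),
        entry(TAG_LON_REF, ASCII, 2, lon_ref.encode() + b"\0" * 3),
        entry(TAG_LON, RATIONAL, 3, struct.pack(">I", 104))]) + b"\0" * 4
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

Run exif_gps() on a photo straight from the camera roll and it will usually return a fix; run it again on strip_exif()'s output and it returns None, which is the state you want before uploading.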

Even the reminders & meeting information set in your mobile are useful information to an attacker, though for you it might not seem that important to secure.

Now let's talk about the most important utility of mobiles these days, which is

Use of mobile as digital wallet/mobile banking/online shopping

The most attractive area for a hacker/attacker in your mobile is to target these apps. We'll talk later, in my upcoming blog posts, about how a mobile app works & why we get so many update notifications from the app store. But for now let's understand a very basic thing: these apps, if you don't protect them properly and they get into the hands of others, either by directly accessing your phone or through some malicious program, may make you BANKRUPT in just minutes.

Money is just a number, an accounting system; it's not the piece of paper you use as money, as you may think as an ordinary person (you may have already realized this through the demonetization move by the Indian government 😆😜). Until the number is with you it's yours, & once the number gets deducted from you & added to someone else, it's theirs.

So if you're using the banking system on your mobile, make sure your phone is secured more than enough.

Let me stop talking about the threats now, though there may be endless threats to discuss. You may already be so afraid that you just want to throw your mobile away and never use it again. But it's an essential thing in our daily life which you can't ignore.

Just because there are some accidents on the roads, you cannot stay at home always, right?
Similarly, just because there are risks/threats, you cannot just throw away mobiles/technology, as they are also blessings in our life.

So we should take some preventive action, which will reduce the risk of these threats exponentially. Let's discuss that in the next section.

Of all the threats we discussed, if you analyse them, most are caused by the passwords we use or set. So we need to either secure our passwords & use the strongest possible, or we need an alternative to password systems, or both. Though it's an old approach, even today the password is considered one of the strongest mechanisms of security, if a proper password mechanism is followed.

Today we've got fingerprint authentication available in our mobiles, which is of course more secure than a password, but we cannot rely totally on it as it also has some drawbacks which are being worked on and fixed. Until it is available to be used by all the apps we use & its issues are all fixed, we'll continue to use passwords.

So how, or what, should you set as your password to make it stronger?
1> The 1st rule is not to use any dictionary words as your password.
2> Your password should not be less than 8-10 characters and must include 1/2 upper case letters, 1/2 numbers & 1/2 special characters, for any system.
For example: even if I use a password based on dictionary words such as "iloveindia", I can write it as "Il0ve!nD!a". If you look closely, I have written the exact same password, but I've replaced the first 'i' with 'I' and all the remaining 'i's with '!' (exclamation). I also replaced 'o' with '0' (the number). And with this simple idea, my password is now harder to hack into.


Another idea, which is considered a best practice, is to think of a sentence, for e.g. "I would like to visit India at 2017", and now take the first letter from each word, and it becomes "IwltvI@2017". All you need to remember is the sentence in your mind, not the password, and it becomes one of the strongest passwords ever to crack, but easy to remember.

The above are just a few ideas for making your password stronger, but these ideas are not limited to one or two. You can always make up a new idea to make your password stronger.

3> Rule 3 is not to use the same password for all your important portals.
4> Rule 4 is to avoid saving your password in your browser for important portals such as net banking or social media websites.
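To make the four rules and the two password ideas above concrete, here is a small checker written for this post (an added example, not the author's code). The common-password set and the dictionary are constructed samples taken from the lists above, not real wordlists; the "and" to "&" swap in sentence_to_password() is my assumption, the "at" to "@" swap is the one the post uses.

```python
# Constructed sample of the weak passwords listed in the post. A real checker would
# compare against a large breached-password list and a full dictionary file instead.
COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "password123", "password@123", "password1234",
    "12345678", "987654321", "google", "password@2017",
}
DICTIONARY_WORDS = {"love", "india", "password", "google", "visit"}  # constructed sample
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?|\\~`")


def password_findings(pw, personal_info=()):
    """Return the list of rules from the post that `pw` breaks (an empty list means it passes).

    personal_info holds strings such as a name, home town, mobile number or birth
    date that the post warns against putting inside a password.
    """
    findings = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        findings.append("is a commonly tried password")
    for word in DICTIONARY_WORDS:                       # rule 1: no dictionary words
        if word in low:
            findings.append("contains the dictionary word %r" % word)
    for item in personal_info:                          # samples 6, 9, 10, 12, 13, 14, 16
        if item and item.lower() in low:
            findings.append("contains personal information %r" % item)
    if len(pw) < 8:                                     # rule 2: length
        findings.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):                # rule 2: character classes
        findings.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        findings.append("no number")
    if not any(c in SPECIALS for c in pw):
        findings.append("no special character")
    return findings


# Word-to-symbol swaps applied when turning a sentence into a password.
# "at" -> "@" is what the post does; "and" -> "&" is an assumed extra.
WORD_SYMBOLS = {"at": "@", "and": "&"}


def sentence_to_password(sentence):
    """Turn a memorable sentence into a password, as the post describes:
    keep the first letter of each word, keep numbers whole, swap "at" for "@"."""
    parts = []
    for word in sentence.split():
        clean = word.strip(".,!?\"'")
        if not clean:
            continue
        if clean.isdigit():
            parts.append(clean)
        elif clean.lower() in WORD_SYMBOLS:
            parts.append(WORD_SYMBOLS[clean.lower()])
        else:
            parts.append(clean[0])
    return "".join(parts)
```

The checker only enforces the post's own rules; password-cracking tools also try common letter-to-symbol swaps, so of the two ideas, the sentence method (a long phrase only you know) is the one to prefer.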

Let's now talk about email & banking systems. I think you'd agree both email & banking systems are more important in our daily life than social media. So even bankers & email service providers are always thinking of new ideas to make sure their system is more secure & users can use it efficiently but simply.
There comes the idea of Multi-Factor Authentication, which in simple words is a mix of 2-3 things:

a> What you know (i.e. a password)
b> What you have (biometric card or passport or ATM card or phone number etc.)
c> What you are (fingerprint or retina scan or face detection etc.)

If I take the example of GMAIL simply, Gmail has a 2-step authentication option. To enable it:


1> Go to your Gmail and from the top right corner select MY ACCOUNT

2> Go to Sign-in & Security

3> Enable the 2 Step verification
(Follow the steps provided by Google)



This will ensure that whenever you're trying to log in from a new browser or mobile or desktop, a PIN will be sent to your mobile, and only upon providing that PIN will Gmail allow you to log in.

So it reduces the risk: even if your password is hacked, the attacker will not be able to access your email account.

Now let's look at a very few basic Do's and Don'ts which will make your mobile more secure. They are such simple things which we are either not aware of or too reluctant to use.

First, avoid using torrents on your mobile, as most of the files we download from torrents are wrapped up with malicious content or programs. I'll show you exactly how it is done using some very simple utilities in my upcoming posts. (Subscribe to my blog using the button shown in the top bar to receive all the updates from this blog.)

Second, avoid downloading files from websites full of adware. Any legitimate website/blog will use at most 3-4 advertisements.

If you suspect any website to be fraudulent by the look of it, even if you don't know much technically, trust yourself; it is then a fraud site.

Always download apps from a valid app store such as Google Play Store or the Apple Store for iOS etc. Because when apps are posted there by any developer, the code of the apps is usually reviewed by Google/Apple developers & code analytics to ensure it doesn't have any malicious purpose or content.


Even after following the above steps, some harmful apps may get into your mobile. So we need to make sure those apps don't get installed by themselves. And Android provides you an option to ensure that. DON'T enable the option called "Unknown Sources" in your Android Settings under the Security option. This will ensure that even if a malicious app gets downloaded onto your phone, it'll not be able to install itself, because Android will not allow it due to this configuration.

Always keep USB Debugging disabled, unless it's absolutely required. If you're using the USB Tethering feature on your phone to share internet over a USB cable, you may need it. But make sure this option is disabled after your sharing activity is done. Because this is another way any malicious code can be executed when you attach your phone to any unsafe/unknown desktop/laptop, and even a malicious charging point in public places as well. Not all charging stations are safe, so you need to take extra precautions.

Always make sure your device is up to date.
From the About Phone section you can always update your phone software whenever an update is available. And always try to update your phone using OTA (Over the Air) updates. That is considered more secure than downloading the update to your desktop/laptop and then connecting your phone to your PC to update.

Always try to use at least one antivirus & anti-malware solution.
There are quite a few free but useful antivirus apps available on the app stores (both Google & Apple). With premium services the features are more, but free versions are also good at preventing basic security threats. I am not promoting any particular antivirus here, but I interchangeably use a few like McAfee Security, Privacy Guard, Lookout (good at scanning the apps during installation) etc. And I always try different such software (latest, I was trying out JioSecurity provided by Reliance JIO as well). I am not saying you should use multiple, but certainly keeping at least one would ensure some safety. You may use any antivirus/anti-malware solution of your own choice. Also make sure you provide Device Administrator access to at least one of your antivirus apps so that it can scan your system memory & system apps as well.

These apps will help find malicious content that comes with images/videos from downloads/torrents & WhatsApp groups, and are always helpful to keep your phone safe.


Your app permissions are also important.
Let's say you are downloading a camera application with a multi-effect camera, and during installation it asks permission to read your contacts: click the Deny/Don't Allow option. You should only give permissions to apps according to the merit of the application. Because in this example, you can think: what will a camera do with your contacts? It's as simple as that.



There is also a VPN option available under More Settings in Android. A VPN helps you access websites anonymously, as well as ensuring that even if someone is stealing the information exchanged between your mobile & the target application/server, the information will be unreadable, thus safeguarding your mobile communications. But at this moment, if you are not aware of VPNs, better not use this feature, as sometimes hackers use malicious VPNs to steal information as well. I'll have a separate blog/session in my upcoming posts on how a VPN works & how you can use a legitimate VPN. Subscribe to get updates on that.

A few of the latest Android phones provide a very secure option under Settings called "Secure Zone Management".
The concept is that you can keep important applications such as financial or privately used apps in a secure zone, and under normal operation these apps & zones will not be visible. When you need to access those apps, you need to enable the Secure Zone through some password/pattern and then you can use them. The good thing is that the data for those applications resides separately in phone memory & in a more secure manner. But the zone will work a little bit slower than the normal-zone apps.

Shoulder surfing is a common technique in which the attacker looks at your mobile around/over your shoulder when you're entering your password/PIN/pattern. Hence it is always advisable not to use pattern matching to unlock apps/phones, as we can only use one hand & one finger when using patterns, and it's easy to see & remember as well. You should always try to use a password to lock your phone, as you can use both hands & multiple fingers while typing a password to unlock your phone, and it is difficult to follow the sequence if you use multiple fingers to type your password.

Another major concern for us is that our phone gets easily stolen & we can easily lose our phone, and that is the major risk of all the above.
So you should install some software to track your phone in case it is lost. And because it is not possible to track & get back your phone in most scenarios, you should at least use two features so that even if your phone is lost, your data is not lost and it remains secure. To make sure your data is not lost, use the Backup & Restore settings provided by your phone. And to ensure your data is safe and cannot be used by anyone else, use the Device Encryption feature in your mobile phone. It may slow down your phone a little bit, but it'll make sure that if some attacker gets your stolen/lost phone, he cannot make use of or view the data in your phone. At most he can use your mobile, but for that he needs to wipe out all data including the phone memory.

Now let's talk about how to use the GPS ideally, to make better use of it and to safeguard yourself from the threats.
As mentioned in the threats of stalking, please make sure the Location or Geo Tagging option is disabled by default within the camera settings, unless you yourself want to capture a photo with that option on. Once you capture the intended geo-tagged photo, make sure you disable the option again. Also don't keep your GPS always on; only use it when required.



When you're using your mobile for online shopping or for mobile banking or for internet banking, you should better use their authorized app from the Play Store rather than opening the website using the browser, as an attacker can craft a URL that looks exactly the same as the URL you're trying to visit & steal credentials & other important information.
Also, you need to visit the legitimate & trusted websites of the shopping providers & banks to get the proper URL of their apps, as an attacker may post closely named apps in the Google Play or Apple iOS store which you'll download by mistake when searching for apps in the Play Store, and you may become a victim.

If you visit any website with pornographic content, you're likely to get advertisement pop-ups usually. You must take precautions not to hit any such advertisement links, and if possible, if such a pop-up is getting loaded, immediately swipe it off, like you swipe off applications from memory using the multi-task button.

You know, almost 80% of people, even those in IT including me, do not always implement these basic security measures, out of reluctance. With this post, I'd implement these things & I hope you do so as well.

So always browse safely (use Mozilla/Tor browsers if possible) & visit legitimate & secured websites.

Now the next question comes: how do we know if a website is secured & it is the actual website which we are intending to access? For this, wait for my next blog post, where we'd dive into a little bit more technical insight to understand security, and I hope it'll be a lot more fun to learn 😄. Please hit the subscribe button as indicated above & provide your email address to get each & every update from this blog. Also encourage me to write & post more to give you more information by subscribing to my YouTube channel below:
https://www.youtube.com/channel/UCCic8ix-BgwAb48Fjyc7A9w

Until next time, browse safe, stay safe & enjoy learning. If however you've any questions, drop a comment below. I'd try to answer with all my existing knowledge & experience.

Thank you again for the Visit.

Hope to see you on the Next post.

With Best Regards,

Avijit

Comments

  1. Wonderful article.... Very enlightening

  2. Wow! Nice one again. How do you find time to write a blog apart from your busy schedule? However, it will be helpful for everyone who is using smart phones.
    It's also showing you are working in the cyber security domain. Thanks for this blog! I'm waiting for your next article.

  3. Expected to form you a next to no word to thank you once more with respect to the decent recommendations you've contributed here.safety course in chennai

  4. Nice way of expressing your ideas with us. Thanks for sharing with us and please add more information
    AWS Certification Training
    AWS Training in Mogappair
    AWS Training in Vadapalani

  5. Thanks for sharing very informative content.
    Dark web monitoring to secure information which has been “leaked” on Dark Web. Dark web marketplace is a real threat, how are you planning to recover and validate data from the Dark web ? Monitor and identify threats from dark web.

