Blog: Android

Top 10 ways to compromise your mobile security that you’d never believe

David Lodge 20 Aug 2014


I’m going to make an assumption here: most, if not all, people reading this have at least one social media account, so you’ll get to see the general crud being passed around by friends and colleagues.

Typically the buzzfeeds and distractifys of this world have loads of content that is just lists of X number of things, with an animated gif (normally stolen from the Internet). Junk throwaway pieces with titles like “5 things you will never believe” or “These 10 things will change your life forever” and not much else.
…thus allowing them to churn out hundreds and hundreds of substance-lacking articles a month.

I noticed one of these and for some reason decided to invest/waste time reading it. It was this one: http://news.distractify.com/dark/trivial-facts/24-travel-tips-that-will-change-your-life-forever/. Note the title, and also note that the number of tips varies randomly between the title and the content.

Number 12 is pretty interesting. If you don’t want to read it, it’s titled “Scan important documents before leaving for your trip.” It’s accompanied by an image of Martin Reisch, who made headlines by using an image of his passport to get through US customs. Of course, all the news stories show partially redacted images of this guy’s passport, but if you spend five minutes on a Google search you can see his full name, date of birth and signature, which is plenty to start an identity theft attack on the poor guy.

This really isn’t great advice, particularly if the tablet or smartphone isn’t well secured. Take copies of your sensitive documents by all means, but don’t store them on flaky devices: I have written many times about how easy it is to unlock or take information from a smartphone or tablet. I’m not the only one.

So, just to try and knock this home, here’s a list of 10 ways that I can get into your device, in the style of buzzify or distractfeed:

  1. Greasy finger smears
  2. ADB brute forcing
  3. Rubber Ducky brute forcing
  4. JTAG
  5. Firmware upload mode
  6. Stick the phone in the freezer
  7. Sniffing the PIN from an app
  8. Abuse Siri to send emails
  9. Lock screen bypass to see your phone app data
  10. Bypass fingerprint sensor with a photo

…and here’s some bonus ones for good measure: