
Mobile Device Vulnerabilities

Telecom-Level Attacks

SS7 (Signaling System 7) Vulnerabilities

SS7 is the protocol used by telecom networks to route calls and SMS — designed in the 1970s with no authentication.

What an attacker with SS7 access can do:
- Intercept SMS messages (bypass SMS-based 2FA)
- Track device location in real-time
- Redirect calls and voicemail
- Identify subscriber info from phone number

Who can exploit:
- Nation-state actors
- Criminal groups with telecom access
- Rogue telecom operators

Why it persists:
- Legacy infrastructure — can't easily replace globally
- Fixes require carrier cooperation worldwide

Mitigation (for users):
- Don't rely on SMS for MFA — use authenticator app or hardware key
- Use end-to-end encrypted messaging (Signal)

SIM Hijacking (SIM Swapping)

Attacker convinces carrier to transfer victim’s phone number to attacker’s SIM.

Attack process:
1. Attacker gathers personal info (OSINT, phishing, data breaches)
2. Calls carrier impersonating victim
3. Passes identity verification (last 4 of SSN, address, account PIN)
4. Number ported to attacker's SIM
5. Attacker receives all SMS / calls — bypasses SMS 2FA

High-profile victims: Crypto exchange accounts, CEOs, celebrities

Defenses:
- Set a carrier-specific SIM lock / account PIN (not guessable)
- Switch to app-based or hardware MFA
- Use number lock/porting protection offered by carrier

App-Level Vulnerabilities

Sideloading

Installing apps from outside the official app store.

Risks:
- No security review process
- Apps may contain malware, spyware, RATs
- Bypasses OS-level app sandboxing checks

Android:
- Enabled via "Unknown Sources" / "Install unknown apps"
- Common vector for banking trojans and stalkerware

iOS:
- Requires a jailbreak (historically) or enterprise certificates
- Abused via MDM profiles to install unsigned apps

Mitigation:
- MDM policy: disable sideloading
- Enforce app store only via MAM (Mobile Application Management)

Jailbreaking / Rooting

Bypassing OS security restrictions to gain elevated privileges.

Risks:
- Removes app sandboxing protections
- Disables secure boot verification
- Malware gains system-level access
- Enterprise security controls (MDM) can be bypassed

Jailbreak detection (iOS):
- Cydia app present
- /Applications/Cydia.app writable
- /bin/bash exists

Root detection (Android):
- su binary present
- Superuser.apk installed
- build.prop modified (e.g. ro.debuggable=1)

Mitigation:
- MDM: detect and block jailbroken/rooted devices
- Compliance check before granting corporate resource access
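The indicators listed above, turned into the kind of device-posture gate an MDM compliance check applies before granting corporate access. This is an added example, not code from the original notes or from any MDM product: it models the device as a small constructed inventory (paths present, writable paths, installed packages, system properties) so it runs offline, where a real agent would collect the same facts from the device itself. The `DeviceInventory` fields and the sample devices are this example's own assumptions.

```python
"""Device-posture check built from the jailbreak/root indicators above.

Added example. The inventory structure is an assumption for offline use;
a real MDM agent would query the device for these facts.
"""
from dataclasses import dataclass, field


@dataclass
class DeviceInventory:
    """Constructed snapshot of a device; field names are this example's own."""
    platform: str                               # "ios" or "android"
    present_paths: set = field(default_factory=set)
    writable_paths: set = field(default_factory=set)
    packages: set = field(default_factory=set)  # installed app / package names
    properties: dict = field(default_factory=dict)  # system properties (build.prop)


# Each entry: (indicator description from the notes, predicate over the inventory).
IOS_INDICATORS = [
    ("Cydia app present", lambda d: "Cydia" in d.packages),
    ("/Applications/Cydia.app writable", lambda d: "/Applications/Cydia.app" in d.writable_paths),
    ("/bin/bash exists", lambda d: "/bin/bash" in d.present_paths),
]

ANDROID_INDICATORS = [
    ("su binary present", lambda d: any(p.endswith("/su") for p in d.present_paths)),
    ("Superuser.apk installed", lambda d: "Superuser.apk" in d.packages),
    ("ro.debuggable=1 in build.prop", lambda d: d.properties.get("ro.debuggable") == "1"),
]


def find_indicators(device: DeviceInventory) -> list:
    """Return the description of every indicator that fires for this device."""
    checks = IOS_INDICATORS if device.platform == "ios" else ANDROID_INDICATORS
    return [desc for desc, pred in checks if pred(device)]


def is_compliant(device: DeviceInventory) -> bool:
    """MDM-style gate: a single firing indicator blocks corporate resource access.

    These indicators are heuristics (a modified device can hide them), so the
    gate refuses access on evidence; a clean result is not proof of a clean device.
    """
    return not find_indicators(device)


# Constructed sample devices.
CLEAN_ANDROID = DeviceInventory(
    platform="android",
    present_paths={"/system/bin/sh"},
    packages={"com.example.mail"},
    properties={"ro.debuggable": "0"},
)
ROOTED_ANDROID = DeviceInventory(
    platform="android",
    present_paths={"/system/bin/sh", "/system/xbin/su"},
    packages={"Superuser.apk"},
    properties={"ro.debuggable": "1"},
)
JAILBROKEN_IOS = DeviceInventory(
    platform="ios",
    present_paths={"/bin/bash"},
    writable_paths={"/Applications/Cydia.app"},
    packages={"Cydia"},
)

if __name__ == "__main__":
    for name, dev in [("clean android", CLEAN_ANDROID),
                      ("rooted android", ROOTED_ANDROID),
                      ("jailbroken ios", JAILBROKEN_IOS)]:
        print(f"{name}: compliant={is_compliant(dev)} indicators={find_indicators(dev)}")
```

The check is deliberately all-or-nothing: the compliance decision is taken on any evidence of tampering, and the list of firing indicators is kept so the device record can show why access was refused.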

Mobile Malware Types

Type: Description
- Spyware: Monitors calls, messages, location, keystrokes
- Banking trojan: Overlays fake login screens, intercepts OTPs
- RAT (Remote Access Trojan): Full device control (camera, mic, file access)
- Adware: Aggressive ad display, tracks behavior, drains battery
- Ransomware: Encrypts files or locks device, demands payment
- SMS stealer: Forwards received SMS to attacker (bypasses 2FA)

Network-Level Mobile Risks

Man-in-the-Middle on public Wi-Fi:
- Device auto-connects to known SSID (evil twin)
- SSL stripping if HSTS not enforced
- Intercept unencrypted app traffic

Mitigation:
- VPN for public Wi-Fi
- Certificate pinning in apps
- Disable "auto-join" for open networks
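Certificate pinning, the app-side mitigation named above, as an added example rather than code from the notes: the app accepts a TLS connection only if the server's DER certificate hashes to one of a small set of pins it ships with, so a certificate that the device's CA store would accept (for example one issued by a rogue CA trusted on the device) is still rejected. The pin set, the host name and the DER byte string below are constructed for this example.

```python
"""Certificate pinning check for an app's TLS client (added example).

The pin is the SHA-256 of the raw DER certificate in the common
'sha256/<base64>' form. FAKE_DER_CERT and PINS are constructed values.
"""
import base64
import hashlib
import socket
import ssl


def cert_pin(der_cert: bytes) -> str:
    """Pin string computed over the raw DER bytes of a certificate."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def check_pin(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate matches one of the configured pins.

    The comparison is on this certificate's hash, not on any CA's signature,
    so an interposed certificate the OS trusts still fails. Ship a backup pin
    for the next certificate so a rotation does not lock users out.
    """
    return cert_pin(der_cert) in pins


def pinned_connect(host: str, port: int, pins: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and drop it unless the peer certificate matches a pin.

    Normal chain and hostname validation still run (default context); the
    pin is an extra check on top of them, not a replacement.
    """
    context = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = context.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not check_pin(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


# Constructed stand-in for a DER certificate so the check runs offline.
FAKE_DER_CERT = b"\x30\x82\x01\x00constructed-cert-bytes-for-example"
# Current pin plus a placeholder backup pin (the backup is not a real value).
PINS = {cert_pin(FAKE_DER_CERT), "sha256/" + "B" * 43 + "="}

if __name__ == "__main__":
    print("pin for sample cert:", cert_pin(FAKE_DER_CERT))
    print("sample cert accepted:", check_pin(FAKE_DER_CERT, PINS))
    print("altered cert accepted:", check_pin(FAKE_DER_CERT + b"x", PINS))
```

`pinned_connect` is what the app would call in place of a plain TLS connect; it needs a live server and is not exercised offline. Pinning the whole certificate is the simplest form; pinning the public key instead survives certificate re-issuance with the same key, at the cost of parsing the certificate.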

Bluetooth risks:
- Bluesnarfing: data theft via Bluetooth
- Bluebugging: device control

Mitigation:
- Keep BT off when not in use
- Don't accept unknown pairing requests

Physical Device Threats

Lost / stolen device:
- Full disk encryption → protects data at rest
- Remote wipe via MDM (Find My / Intune / Jamf)
- Strong PIN/biometric screen lock
- Auto-wipe after N failed attempts

Shoulder surfing:
- Privacy screen filter
- Biometric unlock in sensitive areas

Charging stations (juice jacking):
- Use power-only USB cable (no data pins)
- Use USB data blocker (PortaPow)
- Use AC adapter instead of USB port

Mobile Security Best Practices

Device:
- Keep OS and apps updated
- Enable FDE (on by default in modern Android/iOS)
- Use strong PIN or biometric
- Enable remote wipe

Apps:
- Install only from official stores
- Review permissions before granting
- Revoke unused permissions
- Use app isolation / work profile

Network:
- Use VPN on untrusted networks
- Prefer Wi-Fi calling + Signal for sensitive comms
- Avoid SMS for sensitive auth

OWASP Mobile Top 10 (2024)

Rank: Risk
- M1: Improper Credential Usage
- M2: Inadequate Supply Chain Security
- M3: Insecure Authentication / Authorization
- M4: Insufficient Input/Output Validation
- M5: Insecure Communication
- M6: Inadequate Privacy Controls
- M7: Insufficient Binary Protections
- M8: Security Misconfiguration
- M9: Insecure Data Storage
- M10: Insufficient Cryptography