The thought for this blog post started with the idea of security regarding remaining logged in to mobile apps. The question being does that open any doors for hackers to access data on either other apps or your phone? It ended up going down quite a rabbit hole of security and hacking techniques that only go to show that cybercrime and security is ever-present and evolving.
Cross-Site Request Forgery (CSRF) has been a known vulnerability since 2001. According to The Open Web Application Security Project CSRF is defined as:
A type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim.
If you are logged in to sites and the cybercriminal can get you to visit one of their web sites or open an infected email or IM they then can make your browser send requests to the other sites posing as you. Thus, gaining access to whatever you have open. This kind of attack generally only occurs within the same browser. In other words, having clicked on a malicious site the attack could flow across any other sites you have open within that browser. Not jump to another browser say Safari to Firefox. An open browser could not transfer the attack to an open app as the two store their own credentials or cookies and do not share. The same goes for apps themselves. They store their own data. The malware would need a conduit to access other apps or your phone.
Heck of an opening to a business blog. Why do you need to know this? It is why it is important to log out of company websites and software either on your desktop or your mobile.
Developing security
Over the years sites and apps have become more security conscious. Shutting down your logon after a period of non-activity and/or making you log in every time. Sometimes a pain to log back in but it’s for your own security. With the addition of biometric features on mobiles, even the pizza ordering apps require a fingerprint to gain access. Games and social media apps/sites tend to keep you logged in. The term being “frictionless” because the developers want you to have easy access, at all times, to keep you engaged in their product.
We do a lot of browsing and an increasing amount on our mobile devices. Lots of times your thumbs get fat and you errantly click on the wrong thing. It doesn’t take much to click on the wrong link, even if you close it right away it may be too late. The same goes for links within emails. We get a ton of email to business accounts. It’s hard to distinguish every email between real and spam. Spam emails and links get opened. When employees are accessing company databases and files they are using those same computers to access their company email. Depending on computer use policies or adherence to the policy, employees may also be accessing their personal email accounts and browsing the web. This is when the company system becomes vulnerable to CSRF attacks and others.
Watering hole attack
It is what the name implies. A cybercriminal monitors a company’s employees to determine where they congregate, e.g.-restaurants, bars, etc. The criminal bets that one or more of the employees will access the “watering hole’s” website for menu information, reservations, etc. The criminal places malware on the establishment’s site. When an employee does visit the site the criminal then has access to the employee’s computer or phone. Any company files or databases that are open (logged in to) are now free game for the criminal.
None of this is or the precautions are new. The same security tenets we’ve heard over and over still hold true.
Don’t open or click on suspicious emails or links in emails texts/IMs especially while logged into other accounts.
Don’t keep sites open-Logout
Change passwords frequently
Don’t use the same password for multiple sites
Don’t save passwords on your browser
Keep system security updated
I’m not a cybersecurity expert just a security conscious user. Hope that this information has been helpful.
Regarding the initial reason, I started doing this research, open mobile apps. It appears that it is OK to leave them open. Again most security conscientious apps like financial will time out and require login. So a criminal gaining access to your phone and then entering your bank account through your bank app is probably low.
Most risks to mobile apps occur at the server level or through poor app development, not actions by the user. Although using public WiFi (Wifi for dummies) is one of the biggest user faults to app security.
Research for the blog revealed information debunking an iPhone myth. Quitting apps does not help save battery life. The iPhone OS is designed for multitasking and places the app in suspension until needed. Closing and reopening the app actually causes the phone to use more power as it is starting the app from scratch. So keeping open frequently used apps doesn’t affect battery life.
Please feel free to share. Check the archives for other posts about privacy and online security.
