According to reports by the Internet and Mobile Association of India (IAMAI) and Kantar, India is expected to surpass 900 million internet users by 2025. When it comes to mobile handset security, three key aspects come into play: hardware, software, and the user.

Hardware Security

Most smartphones in India are made by foreign manufacturers. These manufacturers are often regulated by state agents, who instruct them to embed spyware, rootkits, and Trojans. There have been several cases where many Chinese manufacturers are accused of spying on users’ data and sending user data to their servers back in China. Even the Indian Air Force issued a general advisory, advising all their employees and families not to use such phones.

Application-level Threats or Software Threats

An important aspect of handset security is securing the applications installed on the mobile device. Users unknowingly install a number of applications that are malicious in nature. The presence of malicious applications is higher on the Android platform than on iOS. For iOS, there is a long and complex verification process carried out before the app appears on iTunes. Any app not present on iTunes cannot be installed on iOS devices unless they are jailbroken. This is not the case with Android. 

Another aspect of handset security is the unnecessary privileges sought by various legitimate applications. Permissions are basic access rights required by the apps to use various resources of the phone, such as the memory card, contacts, Wi-Fi driver, and calendar. Every function offered by your phone is a resource, and to access that resource, applications require permissions. For most smartphone users, they do not carry much weight. But when your average e-commerce app requires permission to access the microphone of your device, it raises red flags in the minds of cybersecurity advocates. There are certain permissions like microphone, location, camera, and read-write permissions to the memory card, which should be carefully managed. Various apps request privileges that they do not need. The best way to mitigate permissions of such apps is to use permission managers, which are now available with most mobile manufacturers.

Book Your Free Cybersecurity Consultation Today!

People working on cybersecurity

Statistical Analysis

  • According to a report by Zscaler, over 90 malicious Android apps with 5.5M installs were found on Google Play. 
  • Estimates suggest that the average global enterprise has approximately 2,400 unsafe mobile applications installed in its mobile environment. Consider your organization: if 84% of your employees are using the same phone for personal and business use, how long will it be before an infected app is installed by mistake?
  • In 2025, it’s estimated that corporate networks face a new malware download every few seconds, resulting in the detection of approximately 560,000 new malware samples each day, primarily from spam, targeted spear-phishing emails, infected websites, and other sources. 
  • Given all these facts, and considering that more than 84% of mobile users use the same phone for both personal and business purposes, one can understand how long it would take an infected mobile phone to compromise their entire office network.

The Way Out

For the uninitiated, it means that these applications can unknowingly leak your sensitive information to dedicated hackers. Despite their best efforts, such applications fail to protect users from identity and data theft. A major reason for such lax security is the lack of vulnerability assessments conducted by such applications. Most vendors don’t conduct basic security testing of applications, which leaves unintended security holes in these applications. Penetration testing services offered by Kratikal help to determine major security bugs beforehand and reduce the risk of data leaks by almost 99%.

Protect the users, too!

Lastly, we also have to address the weakest link in any security mechanism: the end users. An unaware and ignorant user renders the entire security process useless. Users should always keep their radars sharp and look out for malicious apps, signs of malware infections, spam links, drive-by downloads, etc. 78% of people claim to be aware of the risks of unknown links in emails. And yet they click anyway.

Smartphone users have absolutely no idea of how complex and advanced cyber criminals have become. They unwittingly disclose their bank account details, OTPs, private information etc to cyber criminals. One prominent incident, a diverse racket of cyber criminals was discovered in Jamtara Village of Jharkhand, where hardly literate but street-smart villagers were outsmarting highly literate but ignorant city folks. Amongst their recorded victims are several IAS officers, executives, bank employees, and working women. This simple example shows the level of cyber illiteracy within our Digital Country.

Where to go?

Given all these facts and figures, it is quite evident that there is an urgent necessity to tackle these hardware, software, and user issues head-on. For hardware security, there is a need to extend and improve upon the Common Criterion Certification Scheme as devised by MeitY and other agencies. There is also a need to implement strong policy controls to regulate and punish the defaulters. We can also have an indigenous project to create an encapsulating encryption scheme to protect against data leakage to state-sponsored hacking by foreign players.

On the software part, the Cyber Swachhta Kendra is a novel initiative by the Government of India to provide free and competent antimalware solutions to all users. There is a need to continuously monitor and update the project in light of new malware, spyware, and other malicious applications. Organisations should focus on outsourced VAPT solutions rather than patting their own backs.

  • Everything said and done, the users still remain the weakest link in the security chain. Users should be given a comprehensive awareness of cybersecurity and the threats they face online. This can be done by large-scale training of users based on their requirements. 
  • We can have a basic training module for school students, non-tech employees of corporate entities, and the general public. We can offer a slightly advanced, practical training on cybersecurity and Secure SDLC to developers and entry-level IT professionals. 
  • For the management level guys, we should have a comprehensive risk assessment and vulnerability management training session. Organisations like IAMAI, FICCI, and DSCI are entering into strategic partnerships with professional cybersecurity training bodies like Kratikal to provide scalable, affordable, and refined cybersecurity training to the general public and IT professionals alike.
Cyber Security Squad – Newsletter Signup

Last Thoughts

With all these steps, we can be sure to achieve a great degree of protection from data breaches, privacy violations, and identity theft. Cybersecurity is an evolving field, and so are the criminals. To remain a step ahead of them, we have to think ahead. We need to develop a granular and encompassing plan to safeguard the interests of the individual as well as those of the country. There is a need for an integrated national strategy with respect to cyberattacks and cybercrime management. Once we overcome this policy paralysis, India can breathe a sigh of relief.

FAQs

  1. How can I protect my smartphone from pre-installed spyware and data theft?

    To protect your phone, buy devices from trusted brands, avoid cheap knock-offs, keep your OS updated, and install a reliable mobile security app. Always review app permissions and avoid downloading from unofficial sources.

  2. Why is mobile application security important for personal and business users?

    Mobile apps can leak sensitive data if poorly secured. With most people using the same device for work and personal use, a malicious app can compromise business networks. Use permission managers and perform regular app audits to stay protected.