From Nokia to iPhone: What Pen Testers Learned

Mobile security evolution covers how threats to phones, networks, and users have changed from analog systems to smartphones. Analog networks had no encryption and allowed anyone nearby to intercept calls. Today’s risks include malicious apps, overlay attacks that steal credentials by mimicking login screens, excessive app permissions, and social engineering like smishing. Awareness of these techniques is the primary defense.

Key Takeaways

• Analog mobile networks transmitted calls without encryption, making eavesdropping possible with nothing more than a nearby receiver, a vulnerability that drove the shift toward cryptographic standards in later generations.
• Overlay attacks on Android exploit legitimate app permissions to place invisible input fields over login screens, capturing banking and social media credentials without the user suspecting anything is wrong.
• Users accepting all app permissions without reading them, because convenience outweighs caution, is the primary mechanism attackers rely on to extract sensitive data from smartphones.
• Governments have requested push notification metadata from platform operators, proving that data types widely assumed to be non-sensitive can still expose user behavior and associations.
• Forcing older Android versions and legacy network technologies to remain supported, to serve users who cannot or do not upgrade, keeps known security weaknesses in active circulation across entire populations.

From a seven-day battery to a pocket computer

Mobile security started in an era when a phone had one job: make calls and survive a week on a single battery. The old Nokia 3310 became the icon of that age, durable enough to outlive its owner’s interest in it. Security was barely a question, because the device held little worth attacking.

That changed when the phone became a computer. Today’s smartphone bundles sensors, payment data, messaging, and identity into one object you carry everywhere. The attack surface grew with the feature set, and the security thinking had to catch up after the fact.

Bartosz Czernic-Goławski, a penetration testing and cyber security audit expert, frames mobile security across three layers: the networks, the apps, and the people. Each layer carries its own history of mistakes, and each one teaches something about how to build the next generation more safely.

Mobile networks carried their weaknesses from the start

Early analog networks had no encryption, so anyone with a device close enough to the phone could listen to the entire conversation. Calls travelled in the clear. Eavesdropping required proximity and equipment, not much else.

The human exploits of that era were just as creative. In the 1980s and 1990s, a group called phone freaks used specific tones and frequencies to manipulate telephone exchanges. They could signal an AT&T exchange that a call had ended while keeping the line open, then place a free call from the US to Europe. The system believed the line was free, the freaks knew otherwise, and long-distance calls that cost a fortune at the time went through for nothing.

Modern networks closed those gaps step by step. With LTE and 5G came real ciphers, encrypted calls, and more secure exchange of information between telecommunication operators. SIM cards are better protected. The design mistakes baked into GSM still exist where 2G runs, which is part of why an old phone is not automatically a safe phone.

Why old phones are not the safe choice you might expect

An old phone forces you onto old technology, and old technology carries old flaws. A device that only makes calls still rides on GSM, with all the design weaknesses that standard never shed. The eavesdropping and message-interception vectors that 5G addresses simply remain open on 2G.

The appeal is understandable. People grow tired of constant monitoring and consider dropping the smartphone for a plain handset that only makes calls. The convenience trade is real, and so is the urge to step away from it.

GSM still works in some countries, including Poland, so a basic phone remains usable for now. But coverage varies by country, and operators will eventually shut down the older networks. That creates its own problem for people who never replace their devices, an issue that shapes how new systems get built.

How mobile apps became an attack surface

App security had to be learned from the first iPhone onward, mistake by mistake. Early platforms exposed sensitive information in ways developers did not anticipate, and the safe patterns only emerged after the unsafe ones caused damage.

On Android, one app could force another to hand over sensitive information through exposed interfaces. Developers had to learn what an app may expose and what it must keep locked down. Push notifications, a newer feature, brought a fresh lesson: sensitive data does not belong in a notification.

The push notification metadata case made the point public. Governments, including US authorities, requested push notification metadata from Apple and Google. Many people assumed no sensitive information lived in that channel. It did. The pattern repeats across the platform’s history: ship a feature, discover the leak, learn, then fix.

Android and iOS distribute risk differently

Android’s openness makes malicious distribution easier. You can install an APK directly, which lowers the barrier for tricking a user into installing malware. Malicious apps surface in the Play Store, and side-loading gives attackers another path. Keeping the Android ecosystem secure has historically been harder than the more controlled iOS model.

iOS concentrates security in Apple’s hands, which has kept its store cleaner but does not make the platform immune. Abuse of accessibility services is a current concern on iOS. So are excessive permissions, where apps demand far more access than they need to function.

The European Digital Markets Act now requires Apple to allow alternative app stores on iOS, framed as a move against monopoly. Whether that helps user safety is an open question. Alternative stores may verify their apps well, but the Play Store’s history suggests that opening distribution makes security harder to maintain, not easier.

Overlay attacks turn familiar apps against you

An overlay attack draws a fake layer on top of a legitimate app, and on Android the permission to draw over other apps makes this possible. Messaging apps train you to expect floating chat bubbles and pop-ups that sit above whatever you are doing, so an extra layer does not look out of place.

The exploit targets habit. A login screen places its email and password fields in the same position every time. An attacker draws input boxes in exactly those spots. You believe you are typing your Facebook credentials into Facebook. You are typing them into the overlay, and the credentials are gone.

The same trick reaches beyond social media into banking apps. Attackers know which apps people actually use and build their fakes around that knowledge.

Excessive permissions blur the line between use and abuse

The sharper question today is where usability ends and abuse begins. A phone carries GPS, microphone, accelerometer, and more, and that sensor data is often not treated as sensitive. It should be.

Insurance offers a concrete example. A company may promise a better price for a good driver, then justify monitoring your sensors to define what good driving means. The phone reports how often you brake hard, whether you speed, where you go. Constant collection of that data, and whatever gets done with it afterward, runs far past the simple act of buying a phone to call your family.

Permission requests succeed because users are impatient. If you want a flashlight app, you accept everything it asks without reading the long list. Attackers and aggressive apps both rely on that fatigue. The same social pressure keeps people on WhatsApp when Signal or Telegram would be the safer choice. Convenience wins, and the data flows.

What actually keeps you reasonably secure

Awareness is the practical defense, because knowing the techniques attackers use changes how you behave. You may not control what a company does with your data, but you control the choices that block the common attacks.

On iOS, a few habits cover most of the risk:

• Do not jailbreak the device.
• Do not install apps from unknown sources.
• Treat permission requests as decisions, not formalities.

When you are aware of the techniques, you are pretty secure. Maybe not that secure if you are a president or something. Bartosz Czernic-Goławski

That caveat marks the line between ordinary users and high-value targets. Commercial spyware such as Pegasus widened the threat for politicians and other notable people, who now have to account for attacks that an average user never faces. For most people, the everyday danger is not state-grade spyware.

Social engineering is the bigger everyday threat

For ordinary citizens, social engineering campaigns do more damage than exotic exploits. Smishing and phishing aim straight at your payment card data or push you to install a malicious app. The attack rides on trust and routine rather than a technical flaw.

App cloning compounds the problem. Attackers copy an official app, alter it, and redistribute it. The motive is not always theft of your data. Sometimes the goal is to gain an advantage over a company.

Ride-hailing shows how that plays out. People build modified driver apps that fake the driver’s location. A driver far from the city center can appear close, so the app tells you a driver arrives in five minutes when the real distance is fifteen. Drivers use these tools because certain pickups pay better, and a fare from the city center beats one from the suburbs. The fake location quietly shifts the economics in the driver’s favor, at the passenger’s expense.