
From Nokia to iPhone: What Pen Testers Learned


Your smartphone knows if you brake too hard, speed on highways, and exactly where you are every second – and insurance companies want that data to price your policy. Mobile security has come a long way from the days when phone phreaks used special tones to make free international calls, but the fundamental problem remains: users accept permissions they don't understand for apps that demand more than they need. From overlay attacks that steal banking credentials to the European Union forcing Apple to allow alternative app stores, the line between usability and abuse grows thinner every year.

Podcast Episode: From Nokia to iPhone: What Pen Testers Learned

In this episode, I talk with Bartosz Czernic-Goławski, a penetration testing and cybersecurity expert, about how mobile security has evolved from Nokia's indestructible brick phones to today's pocket-sized computers. We trace the journey from analog networks that anyone could eavesdrop on to modern smartphones that demand excessive permissions and collect sensor data every second. Bartosz reveals how attackers use overlay attacks to steal banking credentials, why iOS users aren't as secure as they think, and what phone phreaks in the 1980s can teach us about today's vulnerabilities.

"Attackers know what apps we are working with, we are using, and they take advantage of it." - Bartosz Czernic-Goławski

Bartosz Czernic-Goławski is a non-functional tester with six years of professional experience, currently working at Pentacomp as a security auditor and penetration tester. He holds an Engineering degree in Telecommunications and a Master’s degree in Applied Computer Science with a specialization in Cybersecurity—both earned at the Warsaw University of Technology. In his work, he focuses on the security testing of systems developed by Pentacomp, as well as conducting penetration tests and audits for external organizations. Commercially, he has tested mobile, web, and desktop applications, as well as IT and OT environments. He has had the opportunity to assess systems used daily by millions of people in Poland, as well as components of critical infrastructure. He is also involved in delivering cybersecurity training, particularly related to secure working practices and compliance with requirements such as NIS2.


Highlights of the Episode

  • Modern smartphones are computers collecting sensor data constantly, blurring usability and surveillance boundaries.
  • Android's openness enables easier malware distribution; iOS restrictions provide better security by design.
  • Overlay attacks place fake login screens over real apps, stealing credentials from banking apps.
  • Old GSM networks still work but lack encryption, making conversations vulnerable to eavesdropping.
  • App permissions exploit user laziness—people accept everything without reading what they're granting.

The Evolution of Mobile Security: From Indestructible Nokias to Smartphones in Our Pockets

The ways we use our phones have transformed dramatically over the last two decades. In this episode of "Software Testing Unleashed," host Richie chats with cybersecurity and penetration testing expert Bartosz Czernic-Goławski about the journey mobile security has taken, what’s driving that evolution, and what users and developers should be thinking about to stay safe.

From Simple Phones to Powerful Computers

It’s almost hard to remember a time when our phones were just that—phones. Bartosz Czernic-Goławski and Richie remind us how the infamous “unbreakable” Nokia 3310 could hold a charge for a week and, as a joke, could even serve as a brick in a real-world emergency. Its purpose was clear and limited: make calls, send texts, and maybe play a game or two. The security risks were minimal, mostly because the scope of “hacks” was so limited: eavesdropping on analog calls if you had special equipment was about as far as it went.

As our devices have transformed into full-scale mobile computers, so has the type and seriousness of threats. Today’s smartphones can do everything from online banking and storing sensitive documents, to tracking our location and controlling our smart homes—which means their vulnerabilities are much more attractive to attackers.

The Expanding Attack Surface: Devices, Apps, and Networks

According to Bartosz Czernic-Goławski, security is not just about the devices—it’s about the networks, apps, and especially the users. The evolution from analog networks, where phone scams involved simple tricks like phreaking (using tones to fool the exchange system into giving free calls), to today’s LTE and 5G connections has brought in strong cryptographic protocols and vastly improved security. However, new possibilities also bring new risks.

A major takeaway is that old mistakes often come back in new forms. Where once a simple eavesdropper could listen in to analog calls, now sophisticated malware or social engineering attacks can compromise modern mobile platforms in far more invasive ways. For example, attackers on Android exploit the open ecosystem to sneak malicious apps into official app stores or trick users into installing malware through social engineering.

Malicious Apps and Permissions: The Hidden Dangers

A recurring modern theme in mobile security is permissions and user behavior. Bartosz Czernic-Goławski points out that Android’s openness makes it easier to distribute malicious apps—it’s simple for users to download and install anything, even from unofficial sources. On the other hand, iOS remains much stricter, but regulatory changes (like the EU’s Digital Markets Act) are forcing it to open up, with unpredictable consequences for the average user.

Another risk involves excessive app permissions. Many apps request far more access to your device than necessary—GPS, microphones, and even overlay abilities that can be abused to steal your data. Bartosz Czernic-Goławski describes overlay attacks, where a malicious app mimics a login screen over a legitimate one, capturing your credentials when you think you’re logging into Facebook or your banking app.
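The permission review Bartosz describes is something a tester can do mechanically before ever running an app. The script below is an added example, not code from the podcast or from Pentacomp: it parses an Android manifest and reports which declared permissions give the app overlay or screen-reading capability (the building blocks an overlay attack needs) and which other high-impact permissions it requests. The sample manifest for a "flashlight" app is constructed for illustration; the permission names are real Android identifiers, but the lists of what counts as "overlay-capable" and "sensitive" are this example's own choice and should be tuned to your own review policy.

```python
"""Audit the permissions declared in an Android AndroidManifest.xml.

Added example (not from the podcast). Given manifest XML, it lists the
permissions an app requests or binds to and flags the ones a reviewer
should ask the developer to justify.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app draw over other apps or observe/inject UI.
# A fake login screen laid over a banking app relies on capabilities like
# these, so a flashlight app declaring them deserves a hard question.
OVERLAY_CAPABLE = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Other high-impact permissions that frequently exceed what an app needs.
# (Selection is this example's own; extend it for your review policy.)
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed sample: a "flashlight" app that asks for far more than light.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight">
        <service android:name=".Helper"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names the app requests or binds to."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = set()
    for node in root.iter("uses-permission"):
        if node.get(name_attr):
            perms.add(node.get(name_attr))
    # Accessibility services are declared as <service> elements guarded by
    # BIND_ACCESSIBILITY_SERVICE rather than as <uses-permission>.
    for node in root.iter("service"):
        if node.get(perm_attr):
            perms.add(node.get(perm_attr))
    return perms


def audit(manifest_xml):
    """Summarise the findings a reviewer would raise for this manifest."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    overlay = sorted(perms & OVERLAY_CAPABLE)
    sensitive = sorted(perms & SENSITIVE)
    # Overlay capability alone is enough to rate the app as high risk.
    risk = "high" if overlay else ("medium" if sensitive else "low")
    return {
        "package": root.get("package"),
        "total": len(perms),
        "overlay_capable": overlay,
        "sensitive": sensitive,
        "risk": risk,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['total']} permissions, risk={report['risk']}")
    for perm in report["overlay_capable"]:
        print("  overlay-capable:", perm)
    for perm in report["sensitive"]:
        print("  sensitive:     ", perm)
```

On a real engagement the manifest comes out of the APK (for example with apktool or aapt); the audit function does not care where the XML came from, only that the attribute namespace matches the one Android uses.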

Data Collection and Privacy Trade-offs

Mobile security isn’t just about malware; it’s deeply connected to how much we let companies monitor us. Insurance companies, for example, increasingly want access to our phone’s sensors to assess how we drive and offer discounts—raising important questions about where convenience gives way to privacy violations. The data collected by our devices can end up in places we never intended, from AI training sets to shadowy corners of the internet.

Awareness Is Our Best Defense

The message both experts emphasize is that awareness is still the strongest protection. We should question what apps really need and whether convenience is worth the permissions we’re granting. Convenience often wins, but as Bartosz Czernic-Goławski puts it, knowing the risks is half the battle.

As much as technology evolves, some things remain the same: human error and user habits are often the weakest link. Whether it’s picking strong passwords, questioning app permissions, or opting for privacy-friendly alternatives, staying informed is our best bet in minimizing risk.

Whether you’re holding onto an old Nokia out of nostalgia or living life entirely through your smartphone, the evolution of mobile security touches us all. As Richie sums up, the computers we carry in our pockets are as powerful as they are potentially vulnerable. Staying aware—and a little bit skeptical—goes a long way toward keeping them safe.