4.2 Mobile, Social Network & Cloud Security Issues

Lesson 19 of 21 in the free E-Commerce notes on Siksha Sarovar, written by Rohit Jangra.

E-commerce now runs primarily on mobile, generates traffic via social networks, and is hosted in the cloud — each platform has its own security challenges.

1. Mobile Platform Security Issues

Why mobile is risky

  • Personal device, sometimes shared — family use the same phone
  • Multiple apps with overlapping permissions — game asks for SMS access
  • Lost / stolen more often than laptops
  • Sideloading (Android) — apps from outside Play Store
  • Public WiFi usage — coffee shops, airports
  • Always-on, always-connected — broader attack window
  • Notifications expose data on lock screen

Common mobile threats

Threat                 | Description
Malicious apps         | Fake apps in the app store; sideloaded malware
App permission abuse   | App requests / receives more permissions than it needs
Insecure data storage  | App stores card data / OTPs unencrypted on the device
Insecure communication | App uses HTTP instead of HTTPS, or HTTPS without verifying the certificate
Reverse engineering    | App decompiled to find hard-coded keys, API endpoints and logic flaws
Rooting / Jailbreaking | Bypasses OS security; many apps refuse to run
SIM-swap fraud         | Telecom employee tricked into porting victim's number → OTP intercepted
SMS interception       | OTP read by malicious app with SMS permission
Phishing via SMS       | Smishing — clicked link installs malware
Public WiFi MITM       | Rogue access points and fake captive portals intercept or redirect traffic

Mobile security defences

For app developers:

  • OWASP Mobile Top 10 — best-practice guide
  • Certificate pinning — the app trusts only the pinned server public key, not every CA the OS trusts; ship a backup pin so certificate rotation does not lock users out
  • Encrypted storage — Android Keystore, iOS Keychain for secrets; never card data or OTPs in plain files or SharedPreferences
  • Obfuscation — make reverse engineering harder (it raises the cost, it does not prevent it)
  • Anti-tampering checks — detect rooted / jailbroken devices, attached debuggers, repackaged builds
  • Biometric auth — fingerprint, face ID (unlocks a Keystore-held credential; the biometric itself never leaves the device)
  • Force HTTPS — Android network security config with cleartext traffic disabled, iOS App Transport Security

For users:

  • Install apps only from official stores
  • Review permissions before granting
  • Update OS and apps regularly
  • Don't root / jailbreak unless you know risks
  • Lock screen with strong PIN / biometric
  • Encrypt full device storage
  • Use VPN on public WiFi
  • Use Mobile Device Management (MDM) for company devices

Indian mobile-fraud trends

  • Fake banking apps mimicking SBI, HDFC, ICICI
  • OTP harvesting malware in WhatsApp APKs
  • SIM swap to defeat 2FA
  • UPI phishing via WhatsApp/Telegram
  • Fake KYC apps stealing PAN/Aadhaar

---

2. Social Network Security Issues

Threats from / via social networks

Threat                          | Description
Identity theft via profile data | Birthdate, school, pet name → security-question answers
Social engineering              | Build trust via fake profiles, then attack
Account takeover                | Compromised social account reaches linked ones ("Login with Facebook/Google", password-reset mails)
Phishing via DMs                | "Hey check this out" with malicious link
Romance scams                   | Long-con relationships for financial fraud
Investment scams                | Fake influencers promoting Ponzi schemes
Job scams                       | LinkedIn fake recruiters asking for fees
Catfishing                      | Fake identities for various scams
Doxxing                         | Publishing private info to harass
Malicious apps / extensions     | Third-party apps granted broad OAuth permissions on the account

E-commerce-specific social issues

Issue                          | Description
Fake reviews                   | Paid 5-star or fake 1-star reviews
Counterfeit ads                | Brand impersonation in ads
Influencer fraud               | Bought followers / engagement
Brand impersonation            | Fake company pages
Customer service impersonation | Replying to customers as a fake brand account
Coupon scams                   | "Free product" leading to data harvest
Live-stream scams              | Fake products in live commerce

Defences

  • Verify brand handles (verified badge), but paid verification on X and Meta means a badge alone proves little; take the handle from the brand's own website or app
  • Privacy settings — limit profile visibility
  • Strong, unique passwords + 2FA on social accounts
  • Beware too-good-to-be-true offers
  • Report fake profiles to platforms
  • For brands: social listening tools (Brand24, Talkwalker) to detect impersonation

---

3. Cloud Security Issues

The shift to cloud has changed the security model. Cloud is a shared responsibility:

Responsibility            | AWS / Azure / GCP     | Customer
Physical security         | ✓                     |
Network infrastructure    | ✓                     |
Hypervisor / VM isolation | ✓                     |
OS patches (PaaS / SaaS)  | ✓                     |
OS patches (IaaS VMs)     |                       | ✓
Applications              |                       | ✓
Data                      |                       | ✓
Access control / IAM      |                       | ✓
Encryption keys           | ✓ (provider-managed)  | ✓ (customer-managed option)
Compliance                | partial               | partial

In short: the provider secures the cloud, the customer secures what they put in it. "Shared responsibility model" is a mandatory IPU concept for cloud security.

Cloud-specific threats

Threat                   | Description
Misconfigured S3 buckets | Bucket policy or ACL open to the Internet; anyone can download the data
Stolen / leaked API keys | Access keys committed to GitHub → crypto-mining bills, data theft
Insider threats          | Cloud admin abuses access
Multi-tenant escape      | (Rare) VM / container escape to other tenants
Account takeover         | Compromised IAM credentials, especially a root account without MFA
DDoS                     | Cloud-hosted sites are targets; attackers also rent cheap cloud capacity to launch floods
Data residency           | Compliance: in which country is the data physically stored?
Vendor lock-in           | Hard to migrate; supplier risk
API vulnerabilities      | Cloud control-plane APIs and the app's own public APIs
Insecure interfaces      | Misconfigured Kubernetes, databases exposed to the Internet

Famous breaches (cloud and cloud-adjacent)

Year | Incident                   | Cause
2017 | Equifax, ~147M records     | Unpatched Apache Struts on Equifax's own web servers; a patching failure rather than a cloud one, but the standard example of an unpatched Internet-facing app
2019 | Capital One, ~106M records | SSRF through a misconfigured WAF running on an EC2 instance; the attacker pulled the instance role's credentials from the metadata service, and that over-permissioned role could read S3 buckets (IMDSv2 now blocks this pattern)
2019 | Facebook, 540M records     | Third-party app developers stored Facebook user data in public S3 buckets
2020 | SolarWinds                 | Supply-chain attack via a trojanised Orion update; intruders then pivoted into victims' Microsoft 365 / Azure AD tenants
2023 | T-Mobile, 37M records      | Customer data pulled in bulk through an exposed API

Cloud security defences

Layer      | Defence
Identity   | IAM with least privilege; MFA for all human users; rotate service-account keys
Network    | VPC isolation; security groups; private endpoints
Data       | Encrypt at rest + in transit; customer-managed keys (KMS); data residency policies
Workload   | OS patching; container scanning; runtime protection (Falco, Sysdig)
Monitoring | CloudWatch, CloudTrail, GuardDuty; alerts on unusual activity
Compliance | Audit configurations (AWS Config, Azure Policy); automated remediation
Backup     | Cross-region, immutable backups

Cloud Security Tools

Tool                                                                                                 | Type
AWS GuardDuty / Microsoft Defender for Cloud (formerly Azure Defender) / GCP Security Command Center | Threat detection
AWS WAF / Cloudflare / Azure Front Door                                                              | Web application firewall
AWS Shield / Cloudflare DDoS                                                                         | DDoS protection
AWS KMS / Azure Key Vault / GCP KMS                                                                  | Key management
AWS Config / Azure Policy                                                                            | Configuration compliance
AWS IAM Access Analyzer                                                                              | Identify over-permissioned roles and resources shared publicly or cross-account
Wiz, Lacework, Orca, Prisma Cloud                                                                    | Third-party CSPM (Cloud Security Posture Management)

---

Cloud Service Models — security responsibilities

The customer's security burden shrinks as you move up the cloud stack — but it never hits zero. With IaaS (EC2, Azure VMs, Google Compute Engine), the cloud provider handles the physical datacentre, networking, and hypervisor, but the customer is still responsible for OS patching, application security, data, IAM, and network rules — essentially everything from the operating system upward. With PaaS (Heroku, AWS Elastic Beanstalk, Vercel), the OS and runtime are handled by the provider; the customer manages only application code, data, and IAM. With SaaS (Shopify, Salesforce, Google Workspace), the provider runs the entire application; the customer's remaining job is to manage their data inside the application, IAM, and user permissions — but a misconfigured admin role can still leak millions of records, so SaaS is not "no security work."

---

Compliance frameworks for cloud e-commerce

Framework                    | Scope
PCI-DSS                      | If handling card data
GDPR                         | Personal data of people in the EU
CCPA / CPRA                  | California consumers
HIPAA                        | US health data
SOC 2                        | Service organisations
ISO 27001                    | Information security management
DPDP Act 2023                | India, personal data
RBI Cybersecurity Guidelines | Indian banks / payment systems
IT Act 2000                  | India's base law for cyber offences, electronic records and intermediary duties (amended 2008)

A typical Indian e-commerce site needs PCI-DSS + DPDP Act compliance at minimum.

---

Key Terms — Lesson 4.2

The terms below cover the three platforms (mobile, social, cloud), the regulatory landscape, and the compliance vocabulary needed for any commerce-security PYQ.

OWASP Mobile Top 10 — OWASP's (Open Worldwide Application Security Project, formerly Open Web Application Security Project) catalogue of the ten most critical mobile-app security risks — improper credential use, inadequate supply-chain security, insecure authentication / authorisation, insufficient input/output validation, insecure communication, inadequate privacy controls, insufficient binary protections, security misconfiguration, insecure data storage, and insufficient cryptography. The standard checklist for any mobile-app security review.

Sideloading — Installing an Android app from outside the Play Store, by downloading the APK directly or using a third-party store. Sideloading bypasses Play Store review (Play Protect may still scan the APK on the device, but malware authors test against it) and is the most common route for fake banking apps and OTP-stealing malware in India. iOS does not permit sideloading without a jailbreak (outside enterprise and TestFlight distribution); Apple added limited third-party app distribution in EU markets from iOS 17.4 under the Digital Markets Act.

Certificate Pinning — A defence in mobile apps where the app bundles the expected server certificate, or better the SHA-256 hash of its public key (SPKI), and refuses to talk to any server presenting a different one. Certificate pinning defeats most MITM attacks: even if an attacker has tricked the OS into trusting a malicious CA, the app refuses the connection. Two caveats practitioners learn the hard way: pin the key, not the leaf certificate, and ship a backup pin with an expiry, or the next certificate rotation locks every user out; and pinning does nothing against an attacker who controls the device and patches the pin check out of the app (Frida, objection), so it is paired with root detection and anti-tamper, not used alone.

Rooting (Android) / Jailbreaking (iOS) — Removing the operating-system restrictions to gain admin-level access on the device. A rooted/jailbroken device can run apps the OS would normally block, but loses many security guarantees: app sandboxing, Keystore protections and the platform's integrity attestation. Many Indian banking and UPI apps refuse to run on rooted devices for that reason.

Mobile Device Management (MDM) — Enterprise software (Microsoft Intune, VMware Workspace ONE, MobileIron, Hexnode) that lets a company enforce security policies — encryption, screen lock, app whitelists, remote wipe — on employee devices. Mandatory for any organisation issuing devices to staff or running BYOD with access to sensitive data.

SIM-Swap Fraud — The attacker convinces (or bribes) a telecom employee to port the victim's mobile number to a SIM the attacker controls. Once they own the number, every SMS OTP — for banks, wallets, exchanges — lands on the attacker's device. SIM-swap fraud has been one of the fastest-growing fraud categories in India.

Phishing via Social (Spear Phishing on LinkedIn, Instagram DMs, WhatsApp) — Targeted social-engineering attacks that use information harvested from the victim's social profile to craft a believable lure. LinkedIn is a particular goldmine for whaling attempts on executives.

Catfishing — Creating a fake identity online — usually with stolen photos — to deceive a victim into a relationship (often romantic), then exploit them financially or emotionally. Romance scams are a billion-dollar global fraud category and are growing in India through dating apps and matrimonial sites.

Shared Responsibility Model — The cloud-security framework that defines what the cloud provider is responsible for (physical datacentre, network, hypervisor, managed services) vs what the customer is responsible for (data, IAM, configuration, application code, OS for IaaS). AWS, Azure, and GCP all publish their version of this matrix; every cloud-security PYQ expects you to invoke it.

IAM (Identity and Access Management) — The cloud subsystem that governs who can do what in the account — users, groups, service-accounts, roles, permission policies. Misconfigured IAM (overly broad permissions, long-lived access keys, no MFA on root) is behind a large share of cloud breaches. The guiding principle is least privilege — grant only the minimum needed, and prefer short-lived role credentials over static keys.

Misconfigured S3 Bucket — The most common cloud-data-breach pattern: an Amazon S3 bucket holding sensitive data is set to public read through its ACL or bucket policy, gets indexed by bucket-enumeration tools or search engines, and anyone on the Internet can download the contents. Facebook data held by third-party apps, a US Department of Defense contractor, Indian education company Vedantu, and many others have suffered S3-exposure breaches. (Capital One is often listed here too, but its 2019 breach was SSRF plus an over-permissioned IAM role, not a public bucket.) S3 Block Public Access, on by default for buckets created since 2023, is the control that stops the pattern at the account level.

API Key / Service Account Credentials Leak — An access key or service-account JSON file accidentally committed to a public GitHub repository, then scraped by attackers within minutes. The classic next step: spinning up cryptocurrency-mining VMs that run up tens of thousands of dollars in bills before the owner notices. Mitigations: GitHub secret scanning and push protection (AWS is a partner, and quarantines keys reported from public repos), a pre-commit scanner in the developer's own repo, immediate rotation when a leak is found, and short-lived role credentials so there is no long-lived key to leak in the first place.
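The pre-commit scan mentioned above, as an added Python example that is not Siksha Sarovar's code. The key-ID pattern is AWS's documented format (AKIA for long-lived keys, ASIA for temporary credentials, 20 characters); the secret-key rule requires the word "secret" on the same line to limit false positives. SAMPLE_LINES is constructed: the first key pair is invented, the second pair is the example from AWS's own documentation and is allowlisted as such.

```python
"""Pre-commit style scan for leaked cloud credentials (added example)."""
import re
import sys

# Constructed sample of the lines that end up in a committed .env / config.
SAMPLE_LINES = """\
AWS_ACCESS_KEY_ID=AKIA2Q7VJ5NPL3KD8W4E
AWS_SECRET_ACCESS_KEY=b7Qx2Lm9Np4Hs6Jd0Ye7Ug5Rf3Ca1Tb2Vk8Wz0Xy
# the pair below is AWS's documentation example, allowlisted
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.internal
-----BEGIN RSA PRIVATE KEY-----
{"type": "service_account", "project_id": "shop-prod"}
""".splitlines()

# (rule name, pattern with a 'secret' group, redact the match in output?)
RULES = [
    ("aws-access-key-id",
     re.compile(r"(?<![A-Z0-9])(?P<secret>(?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"), True),
    ("aws-secret-key",
     re.compile(r"(?i)secret[^\n]*?[=:]\s*['\"]?(?P<secret>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"), True),
    ("private-key-block", re.compile(r"(?P<secret>-----BEGIN [A-Z ]*PRIVATE KEY-----)"), False),
    ("gcp-service-account", re.compile(r'(?P<secret>"type"\s*:\s*"service_account")'), False),
]
# Placeholder credentials from vendor docs that should never page anyone.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def redact(value: str) -> str:
    """Never echo a live credential into CI logs: keep just enough to locate it."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-4:]


def scan_lines(lines, allowlist=ALLOWLIST):
    """Return (line_no, rule, shown_value) for every hit not on the allowlist."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for rule, pattern, hide in RULES:
            for m in pattern.finditer(line):
                value = m.group("secret")
                if value in allowlist:
                    continue
                findings.append((n, rule, redact(value) if hide else value))
    return findings


def scan_file(path: str):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


if __name__ == "__main__":
    # As a pre-commit hook: python scan_secrets.py $(git diff --cached --name-only)
    # With no arguments it scans the constructed sample instead.
    if len(sys.argv) > 1:
        hits = [(f, *x) for f in sys.argv[1:] for x in scan_file(f)]
    else:
        hits = [("<sample>", *x) for x in scan_lines(SAMPLE_LINES)]
    for path, n, rule, shown in hits:
        print(f"{path}:{n}: {rule}: {shown}")
    sys.exit(1 if hits else 0)   # non-zero blocks the commit
```

A non-zero exit is what makes this useful as a hook: the commit is refused before the key ever reaches the remote. The secret-key rule deliberately trades recall for precision; a dedicated tool (gitleaks, trufflehog) adds entropy checks and hundreds more provider patterns, but the structure is the same.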

CSPM (Cloud Security Posture Management) — A class of tools (Wiz, Lacework, Orca, Prisma Cloud, AWS Config) that continuously audit a cloud account for misconfigurations — public S3 buckets, IAM roles with excessive permissions, exposed databases, unpatched workloads — and flag them for remediation.
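The check behind the "misconfigured S3 bucket" threat above and the core of what a CSPM tool does for S3, as an added Python example that is not code from Siksha Sarovar or any vendor. It mirrors, in simplified form, the rules S3 Block Public Access and IAM Access Analyzer apply: an Allow to Principal "*" is public unless a positive condition pins the caller to an account, organisation or network path, and the account-level Block Public Access switches can neutralise a public policy or ACL. Real evaluators also handle NotPrincipal / NotAction, access points and cross-account grants; the bucket names, policies and org ID here are constructed.

```python
"""CSPM-style check: can anyone on the Internet read this S3 bucket? (added example)"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"   # any AWS account: still public

# An Allow to Principal "*" whose Condition (positive operator) carries one of
# these keys is confined to an account, org or network path: NOT public.
PRINCIPAL_LIMITING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
}

# ---- constructed sample configurations (no real account) -------------------
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-invoices/*"},
        # Denying plain-HTTP access is good hygiene but does not limit WHO can read.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::customer-invoices/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
ORG_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::internal-reports", "arn:aws:s3:::internal-reports/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}},   # constructed org ID
    ],
}
PUBLIC_READ_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
# All four Block Public Access switches on (the default for buckets created since 2023).
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means "anyone", including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def condition_limits_principal(condition) -> bool:
    """True if some positive (non-negated) condition restricts who can call."""
    for operator, pairs in (condition or {}).items():
        if "not" in operator.lower():
            continue   # StringNotEquals etc. widen the audience, they do not narrow it
        if any(key.lower() in PRINCIPAL_LIMITING_KEYS for key in pairs):
            return True
    return False


def assess_bucket(name, policy=None, acl_grants=(), public_access_block=None):
    """List findings; ': PUBLIC' marks real exposure, other lines are near misses
    saved only by Block Public Access (worth fixing before someone turns it off)."""
    pab = public_access_block or {}
    findings = []
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        if condition_limits_principal(stmt.get("Condition")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        if pab.get("RestrictPublicBuckets"):   # public policy exists but is not honoured
            findings.append(f"{name}: policy {sid} ({actions}) is public but neutralised by RestrictPublicBuckets")
        else:
            findings.append(f"{name}: PUBLIC via bucket policy {sid} ({actions})")
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri not in (ALL_USERS, AUTH_USERS):
            continue
        who = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
        if pab.get("IgnorePublicAcls"):        # ACL grant exists but is ignored
            findings.append(f"{name}: ACL {grant['Permission']} to {who} is public but ignored by IgnorePublicAcls")
        else:
            findings.append(f"{name}: PUBLIC via ACL, {grant['Permission']} to {who}")
    return findings


def is_public(name, **kwargs) -> bool:
    return any(": PUBLIC" in f for f in assess_bucket(name, **kwargs))


if __name__ == "__main__":
    for line in assess_bucket("customer-invoices", policy=PUBLIC_READ_POLICY):
        print(line)
    for line in assess_bucket("legacy-uploads", acl_grants=PUBLIC_READ_ACL, public_access_block=HARDENED_PAB):
        print(line)
```

The "neutralised" findings are the ones a CSPM dashboard tends to show as medium rather than critical: the data is not exposed today, but the bucket is one toggle away from it. Against a real account the three inputs come from GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock; the decision logic is unchanged.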

WAF (Web Application Firewall) — A filter that sits in front of a web application and blocks malicious requests — SQL injection patterns, XSS attempts, known bot signatures, abusive request rates. AWS WAF, Cloudflare, Azure Front Door, and Imperva are the dominant choices.

DDoS Protection / Mitigation Service — Specialised services (AWS Shield, Cloudflare Magic Transit, Akamai Prolexic) that absorb and scrub DDoS traffic at the network edge before it reaches the origin. Almost every high-traffic e-commerce site sits behind one.

MFA (Multi-Factor Authentication) — Authentication that requires two or more independent factors — something you know (password), something you have (OTP, hardware token, app push), something you are (biometric). MFA does not stop a password from being stolen; it makes the stolen password alone useless, which is why it is the highest-value control against account takeover. Factors are not equal: SMS OTP falls to SIM swap and SMS-reading malware (see above), authenticator-app TOTP and push are better, and FIDO2 / passkeys are phishing-resistant because the response is bound to the site's origin. Banks, payment gateways, and serious SaaS platforms all enforce MFA for admin users.
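What the "something you have" factor computes when it is an authenticator app rather than an SMS, as an added Python example (not Siksha Sarovar's code). It implements RFC 4226 HOTP and RFC 6238 TOTP with only the standard library, plus the server-side verification details a textbook definition leaves out: a drift window, replay rejection, and constant-time comparison. DEMO_SECRET is the RFC 6238 test-vector key so the outputs are checkable; real enrolment uses random bytes shown once to the user as a QR code.

```python
"""Authenticator-app OTP: RFC 4226 HOTP / RFC 6238 TOTP (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

DEMO_SECRET = b"12345678901234567890"   # RFC 6238 test-vector key, NOT for real use
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation (4 bytes at offset = low nibble of the last byte) mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time=None, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of 30-second steps since the Unix
    epoch. Nothing is transmitted: phone and server compute the same code, so
    there is no SMS to intercept and no number to SIM-swap."""
    t = time.time() if at_time is None else at_time
    return hotp(secret, int(t // STEP_SECONDS), digits)


def verify_totp(secret: bytes, submitted: str, at_time=None, window: int = 1,
                last_accepted_step: int = -1, digits: int = 6):
    """Server side. Returns the time step that matched, or None.
    window: steps of clock drift tolerated either side of now;
    last_accepted_step: the caller persists it so a code cannot be replayed;
    compare_digest: no timing side channel on how many digits were right."""
    t = time.time() if at_time is None else at_time
    now_step = int(t // STEP_SECONDS)
    for step in range(now_step - window, now_step + window + 1):
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            return step
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI (Google Authenticator key-URI format) that goes into the
    enrolment QR code; the shared secret travels base32-encoded, once, on screen."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits=6&period={STEP_SECONDS}"


if __name__ == "__main__":
    print("enrol:", provisioning_uri("SikshaShop", "student@example.com", DEMO_SECRET))
    print("code now:", totp(DEMO_SECRET))
```

The replay check is the part most home-grown implementations forget: without it, a code phished in real time can be submitted by the attacker a few seconds after the victim used it, still inside the window. TOTP remains phishable by a proxy that relays the code live; that is the gap FIDO2 closes.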

Encryption at Rest vs in Transit — Two complementary controls. At rest: data on disk (databases, S3, EBS volumes, backups) is encrypted so a stolen disk or compromised snapshot yields ciphertext. In transit: data moving between client and server, or between services inside the cloud, is encrypted via TLS so a sniffer captures only ciphertext. Many cloud services now encrypt at rest by default (S3 has since January 2023); others, such as EBS default encryption, are per-region settings the account owner must switch on. In-transit encryption is the developer's job: TLS on every listener including service-to-service traffic inside the VPC, and a bucket-policy Deny on aws:SecureTransport = false so plain-HTTP access to S3 is refused.

KMS (Key Management Service) — Cloud-managed key-management — AWS KMS, Azure Key Vault, GCP KMS. KMS holds master keys in hardware-security-module-backed storage and exposes Encrypt / Decrypt / GenerateDataKey operations, so the master key itself never leaves the service. Bulk data uses envelope encryption: KMS issues a random data key, the caller encrypts the object locally with it and stores the data key wrapped (encrypted under the master key) next to the ciphertext; reading means one small KMS call to unwrap the data key. Customer-managed keys (CMK) let the customer own the key policy, rotation schedule and revocation: disabling the key makes every object whose data key was wrapped under it unreadable, which is also why AWS KMS enforces a 7-to-30-day waiting period before a key is actually deleted.
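The envelope-encryption flow described above, as an added Python example that is not code from Siksha Sarovar or AWS. The Kms class stands in for AWS KMS / Key Vault: master keys exist only inside it and it hands out data keys plus their wrapped form. The cipher is a demonstrator built from HMAC-SHA256 (CTR keystream, encrypt-then-MAC) in place of the AES-GCM a real KMS uses, because the standard library has no AES; the key-handling pattern, not the cipher, is what the example shows.

```python
"""Envelope encryption with a stand-in KMS (added example)."""
import hashlib
import hmac
import secrets


def _subkeys(key: bytes):
    """Derive separate keystream and tag keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream from HMAC-SHA256(key, nonce || counter), XORed in."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce(16) || ciphertext || tag(32); tag covers nonce and ciphertext."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _open(key: bytes, sealed: bytes) -> bytes:
    enc, mac = _subkeys(key)
    if len(sealed) < 48:
        raise ValueError("truncated ciphertext")
    nonce, body, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: tampered ciphertext or wrong key")
    return _keystream_xor(enc, nonce, body)


class Kms:
    """Stand-in for a cloud KMS: master keys never leave this object."""

    def __init__(self):
        self._master = {}        # key_id -> 32-byte master key (HSM-backed in a real KMS)
        self._disabled = set()

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)
        self._master[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """(plaintext DEK, DEK wrapped under the master key). The caller uses the
        plaintext DEK locally, then discards it and keeps only the wrapped copy."""
        dek = secrets.token_bytes(32)
        return dek, self.encrypt(key_id, dek)

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        self._usable(key_id)
        return key_id.encode() + b"|" + _seal(self._master[key_id], plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        key_id, sealed = blob.split(b"|", 1)
        key_id = key_id.decode()
        self._usable(key_id)
        return _open(self._master[key_id], sealed)

    def disable_key(self, key_id: str) -> None:
        """Revocation: every DEK wrapped under this key stops being unwrappable."""
        self._disabled.add(key_id)

    def _usable(self, key_id: str) -> None:
        if key_id not in self._master or key_id in self._disabled:
            raise PermissionError(f"{key_id} is disabled or does not exist")


def put_object(kms: Kms, key_id: str, data: bytes) -> dict:
    """What an object store does for one object with SSE-KMS."""
    dek, wrapped_dek = kms.generate_data_key(key_id)
    ciphertext = _seal(dek, data)   # bulk encryption happens locally, not inside KMS
    return {"wrapped_dek": wrapped_dek, "ciphertext": ciphertext}   # plaintext DEK dropped


def get_object(kms: Kms, stored: dict) -> bytes:
    dek = kms.decrypt(stored["wrapped_dek"])   # one small KMS call per read
    return _open(dek, stored["ciphertext"])
```

Two things to notice: the stored record contains no key material that is usable without KMS, so a leaked database dump or snapshot is ciphertext plus wrapped keys; and disabling the master key revokes every object at once without touching the objects, which is exactly the lever CMKs give the customer.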

CERT-In (Indian Computer Emergency Response Team) — India's national agency for responding to cybersecurity incidents, under the Ministry of Electronics and IT. CERT-In issues advisories, coordinates incident response, and (since 2022) requires Indian companies to report material breaches within 6 hours of detection.

PCI-DSS (Payment Card Industry Data Security Standard) — Compliance standard mandatory for any merchant or service provider storing, processing, or transmitting card data. Twelve requirements grouped under six goals, covering network security, encryption, access control, monitoring, vulnerability scans, and policy. Audit frequency and depth depend on transaction volume tier (Level 1, 2, 3, 4); most small merchants reduce their scope by never touching the card number at all and letting a payment gateway's hosted form or tokenisation handle it.

GDPR (General Data Protection Regulation) — The European Union's 2018 data-protection law. GDPR applies to any company handling EU residents' personal data — even from outside the EU — and imposes fines up to 4% of global annual revenue or €20 million, whichever is higher. The template for most modern data-protection laws worldwide.

DPDP Act 2023 (Digital Personal Data Protection Act) — India's comprehensive data-protection law. DPDP defines Data Principals (the citizen whose data is being processed), Data Fiduciaries (companies that process data), the Data Protection Board (the enforcement body), and penalties of up to ₹250 crore for serious breaches. DPDP applies extraterritorially — to anyone processing personal data of Indians, even from outside India.

SOC 2 — A reporting framework (American Institute of CPAs) covering the Trust Services Criteria — security, availability, processing integrity, confidentiality, privacy — for service organisations. SaaS vendors selling to enterprise buyers almost universally complete an annual SOC 2 audit; many Indian e-commerce SaaS startups pursue SOC 2 as part of going upmarket.

ISO 27001 — The international standard for Information Security Management Systems (ISMS). ISO 27001 certification is widely recognised by enterprise buyers globally and is often required for B2B sales into regulated industries.

---

Indian Cybersecurity Regulators

The Indian cybersecurity regulatory landscape has several overlapping bodies. CERT-In (Computer Emergency Response Team — India, under MeitY) is the national incident-response body and the entity that issues binding security advisories to industry. RBI sets cybersecurity expectations for banks, NBFCs, and payment system operators — including the Cybersecurity Framework for Banks (2016) and the Master Direction on Digital Lending. TRAI regulates the telecom side (mobile network operators) and increasingly DLT-based commercial-SMS sender registries. SEBI sets the rules for stock exchanges, depositories, and brokers. MeitY (Ministry of Electronics & IT) owns the IT Act and the broader digital-policy framework. NCIIPC (National Critical Information Infrastructure Protection Centre) focuses on protecting designated "critical information infrastructure" — power grids, telecom backbones, banking core systems. DSCI (Data Security Council of India) is the industry body run by NASSCOM that aggregates best practices and serves as the data-privacy and cybersecurity self-regulator.

---

Study deep

  1. Mobile is now the dominant attack surface. The majority of Indian e-commerce traffic is mobile. App security gets less attention than web security but the risk is comparable or higher.
  2. Social engineering scales via social networks. Before social media, social engineering required physical proximity or a phone call. Today, attackers can profile and target millions via LinkedIn / Twitter / Instagram.
  3. Cloud misconfiguration is the #1 cloud-security issue. Not technology failures but human configuration errors: AWS S3 public buckets, exposed Kubernetes APIs, IAM roles with admin-everywhere. CSPM tools help.
  4. The "human" is still the weakest link. No matter how good the technology, a phishing email to one employee can compromise the company. Security awareness training has a measurable impact on incident rate.
  5. Indian context: Aadhaar adds attack surface. Aadhaar-linked KYC means a single identity compromise can affect bank account, SIM, e-commerce, and government services. The DPDP Act 2023 tightens data protection but enforcement is nascent.

PYQ pattern: "Discuss mobile, social network and cloud security issues in e-commerce." — One paragraph per platform; list 3-4 threats per platform; mention 1-2 defences per area. Touch on the shared-responsibility model for cloud.