It’s Time to Reassess Your Mobile App Security
As personalized mobile experiences driven by Artificial Intelligence (AI) become commonplace through widespread digitization, cybercrime is an inevitable reality that keeps rising relentlessly worldwide. Users consume a wide range of mobile applications readily, yet the nature of cyber threats and attacks can shake the trust of even knowledgeable and committed users. BFSI apps on mobile devices in particular are becoming attractive soft targets for cybercrime. App users are well aware of this: a survey has revealed that 81% of people would change their app vendor because of security. Keeping this in mind, large organizations are spending $1,859,688 per year on mobile app security on average.
It is important to understand the mindset of cyber criminals before attempting to counter them. We need to come to grips with the methods they use to exploit the residual vulnerabilities of current technologies. We will elaborate on the best design and development practices at various levels to embed security into mobile apps from the ground up. Beyond implementing these best practices and staying keenly aware of the dynamic environment around us, it is imperative to establish an effective and robust incident response and remediation system. This goes a long way toward defusing an attack quickly, minimizing damage and recovering fast.
The findings of the Identity Theft Resource Center’s (ITRC) reports are alarming. The number of reported data breaches has skyrocketed by 102% from 781 incidents in 2015 and 980 incidents in 2016 to 1579 incidents in 2017. The total number of exposed financial records grew from 71,912 in 2016 to 3,122,090 in 2017. This should give a clear signal that the financial sector is in the crosshairs of the cybercriminals.
Under the Hood of Malware – Huge Security Risks
Two high-profile data breaches, at Sony and Yahoo, have grabbed global headlines in recent years and brought cyber security back into prominence as a glaring gap in many major businesses. According to Macquarie research, the estimated cost of the data breach at Sony in 2014 was USD 83 million, in addition to strained employee relations and trust, while Yahoo’s market valuation dropped by about USD 300 million after the major breach involving 500 million users in 2016 went public. The losses are clearly more than financial, as such incidents severely dent the trust and reputation of the companies involved.
There were other incidents as well: Gooligan, to which 74% of Android systems were vulnerable in 2016; FalseGuide, which affected over 2 million users from November 2016 to April 2017; and BankBot, a banking Trojan that affected customers of over 400 banks. Some of this malware continues to wreak havoc through its variants over time.
If we look under the hood of popular malware threats such as Hiddad, HummingBad and Ztorg on Android, and AceDeceiver and Pegasus on iOS, we find that their toolbox is quite sophisticated. They use various techniques such as binary code analysis, exploitation of OS vulnerabilities, network communication monitoring, access to log files and access to data storage such as key stores, digital certificates and configuration profiles.
The general causes of security risks in mobile apps can be summarized as:
- Insecure data storage
- Zero or poor encryption
- Weak authorization and authentication protocols
- Inadequate transport layer protection
- Unintended permissions
- Escalation of privileges
Best Practices to Make Mobile Apps More Secure and Reliable
Gartner reports that mobile attacks continue to increase and that the biggest concern among them is malware. While sensitizing users is an essential preemptive measure, it is also critical that we implement mobile app security in a strong yet easy-to-use manner. What exactly can be done to make mobile apps more secure and reliable, and to protect growing digital businesses?
At the development level, there are several best practices that can be implemented within the DevOps cycle:
- Developer Awareness: Developers must be trained in security controls such as Cryptography, TLS and Keychain storage. They should also be sensitized about security implications of a breach.
- Secure Data Storage: Data identified as sensitive should not be stored unless necessary. If it must be stored, it should be encrypted with password-based protection, and the password should be kept in a different data store.
- Secure Communication: Communication over the network should use protocols like TLS3 or higher. Server certificate pinning and client certificate verification should be implemented.
- Robust Authentication: Along with a strong password policy, session authentication tokens should not be persisted anywhere on the device and must expire within a reasonable time frame.
- Strong Cryptography: Password-based encryption techniques such as AES 256 should be implemented, with the password held in Keychain-like storage.
- Minimum Privilege Policy: Mobile apps must always use the bare minimum privileges necessary to execute a function. Higher privileges, even when obtained, should be renounced immediately after use.
- Secure Coding Practices: Application code review checklists should include secure coding practices without fail.
- Binary Hardening: Third-party tools such as Arxan Application Protection for Mobile or the IBM Security Trusteer Mobile SDK should be considered for strong binary protection.
- Code Obfuscation: Code obfuscation tools must be used to prevent reverse engineering attempts.
- Security Audit: Code auditors must be employed to identify and plug any hidden backdoors in the code.
- OAuth 2.0, JWT and OpenID Connect: Put identification, authentication and authorization measures such as OAuth 2.0, JWT and OpenID Connect in place.
As these are implemented, explicit design choices for protocols, algorithms and data must also be made, and a conscious balance between security and usability must be struck. The app should be secure, but file size, runtime memory, performance, and data and battery usage should not suffer as a result.
At the high-level design stage, mobile apps can be hardened and made resilient by implementing next-generation mobile app security through recommendations such as those in the FIDO Alliance specifications.
Beyond the best practices above at the development and design levels, the following fundamental tenets will help plug common security vulnerabilities:
- Secure the application code from ground-up
- Secure network connectivity in the background
- Put rigorous Identification, Authentication and Authorization measures in place
- Secure Customer data and implement a superior mobile data encryption policy
- Make sure that a strong API security strategy is in place
- Effective software testing should be repeated as many times as needed
- Network analysis is important. By creating a man-in-the-middle test environment, testers can monitor insecure data transmissions and network communications of their own app. Tools like Wireshark, Paros or Charles Proxy can be used for this.
- Binary and dynamic analysis (SAST & DAST) should be conducted. With static application security testing (SAST), apps are evaluated from the inside out to identify flaws and vulnerabilities in the app’s code that expose data. Dynamic application security testing (DAST) runs the app on real iOS and Android devices to detect vulnerabilities and risky behaviors at runtime.
Despite our best efforts to forestall a potential security attack, we need to accept that the human element is the weakest point through which most attacks originate, as when a simple phishing email turns into a full-blown security attack on the enterprise. We need to recognize that the only security threat worth obsessing over is the one that has not yet occurred. In the end, it makes strong business sense to establish and sustain a robust incident response and remediation infrastructure to minimize damage and recover quickly.