Assessing the State of Mobile App Security
All IT-enabled businesses today are moving toward Artificial Intelligence (AI) driven personalized digital experiences for their customers. This implies a critical need for customers’ trust in the underlying technology. At the same time, it has been observed that cybercrime is growing at an alarming rate and is shaking customers' trust in enterprise applications.
In the BFSI domain, mobile devices have emerged as soft targets. They often carry high-value, confidential data of upper-end users, are connected to the Internet, and have powerful processors to run the apps. Such attributes make mobile phones easy targets for professional hackers. Organizations must have a robust incident monitoring and response plan to minimize damages and recover from cybersecurity incidents.
Cybersecurity: Current State
As per the Identity Theft Resource Center’s (ITRC) report, the total number of reported data breaches increased by 40% from 781 incidents in 2015 to 980 incidents in 2016. The number of incidents is already at 1022 as of September 21, 2017. The total number of records compromised in the financial sector during 2017 is already touching 2,780,837, up from a mere 71,912 the previous year. This clearly indicates that the financial sector is now a focused target for cybercriminals.
Mobile: Hackers’ Prime Focus
Cybercriminals today are highly skilled and resourceful. They primarily target mobile phone users for data, identity, and remote access that enables further attacks. The goal of a hacker is to identify logical flaws and weaknesses in technologies and use them for unauthorized access, through various techniques including:
Binary Code Analysis
- Reverse engineering to understand the binary
- Embedded identities and key-generation routines
OS Exploits and Vulnerabilities
- Embedding malware
- Mobile botnets
- Data being sent or received from a server
- Crash logs, network, and system error logs
- Key stores used for encryption
- Application file system and database (SQLite etc.)
- Configuration profiles, digital certificates etc.
There are primarily three attack vectors for mobile apps: Network, OS vulnerabilities, and Malware. These are used to launch attacks on larger groups of targets and have far-reaching implications. Today, malware programs are the most commonly used mode for cyberattacks.
Threats on Android
Hiddad is an Android malware that tampers with legitimate apps published on third-party stores. Attackers use it to gain access to user data.
HummingBad is another Android malware that uses a rootkit method to install malicious applications such as keyloggers, and can even penetrate enterprise security to access confidential email.
Ztorg is a Trojan that uses privilege escalation to install applications without the user’s knowledge.
Threats on iOS
AceDeceiver is an iOS malware developed to exploit a design flaw in FairPlay (Apple's DRM system) and install malicious apps on iOS devices. This "FairPlay Man-In-The-Middle" attack was initially used in 2013 for pirated apps, but has since transformed into a channel for spreading malware.
Pegasus is an iOS malware that scans the target device and installs additional software for listening to calls, capturing camera, recording login keys, and accessing contacts, emails, and messages. It is like a Swiss army knife for hacking. Its capability can be judged by the fact that it can disguise itself and even destroy itself if it finds the target to be uninteresting.
Few Noteworthy Cases of Mobile Data Breach
Some of the major data breach incidents on mobile are outlined below, providing a glimpse into the extent of compromised security and underlying threats.
- Gooligan is a variant of the “Ghost Push” family of malware that uses the Towelroot and VROOT Android OS exploits to inject malicious code into Android system processes in order to gain root access. It is known to affect various versions of Android OS 4 and 5, which made up 74% of the devices in the market during the fall of 2016.
- The FalseGuide attack started in November 2016 but became evident in April 2017. It was found embedded in guide applications for popular mobile games, including Pokémon Go, and is known to have affected two million users. Over 600,000 users were tricked by it into joining an Android botnet that could be used to launch DDoS attacks.
- BankBot is a banking Trojan that targeted customers of over 400 banks including Citibank, ING, ABN, Rabobank, ASN, RegioBank, and BinckBank, among others. BankBot was also able to intercept text messages and delete them from the victim’s mobile in order to bypass 2FA security implemented by banks. It is reported that BankBot’s code was leaked through an underground forum, and experts fear a spike in the number of mobile attacks based on enhanced versions of the leaked code.
Implications of Data Breach
It is hard to put a dollar figure against any data breach because the loss is more than monetary. It includes associated intangible losses such as those of reputation, brand value, and customer trust. Experts are of the opinion that less-obvious costs like increased insurance premium start showing up a little late.
Case of Sony Data Breach
The Sony data breach included employee login details, e-mails exchanged between employees that revealed their viewpoints on prominent personalities, information about executive salaries in the company, and critical details on company strategy. Two employees also filed a Federal court complaint against Sony Pictures for not taking enough precautions to keep employee data safe. Analysts at Macquarie Research put the estimated cost of the data breach at USD 83 million, but the loss that went unaccounted was Sony's strained relations with the people and businesses it worked with.
Case of Yahoo Data Breach
In the last quarter of 2016, Yahoo reported that over 500 million user accounts were compromised, causing a major embarrassment for the company. Following the breach disclosure, Yahoo’s valuation dropped from USD 4.8 billion to USD 4.48 billion during its sale agreement with Verizon.
Mobile Security Trends
According to Gartner, mobile attacks are increasing and the biggest concern is mobile malware, as a majority of such attacks is attributed to malicious software. Mobile users often visit compromised websites and install apps from sources other than Apple and Google stores. While sensitizing users on information security is important, it is also necessary to implement mobile application security in a way that is both strong and easy to use.
Security vs. Usability
Most mobile apps today take a deficient approach to information security, offering neither reliable protection nor an aesthetically pleasing interface. According to Verizon, 63% of the attacks in 2016 involved compromised passwords. Passwords are problematic because they can be stolen in scalable attacks. Stronger alternatives like OTP are safe but inconvenient.
The divide between security and UX can be bridged by a mobile device's hardware features, such as the fingerprint scanner. This means users are compelled to trust original equipment manufacturers (OEMs) like Apple and Google. That may be debatable from a privacy perspective: Google gathers a good deal of our data for monetization, whereas Apple’s business model relies on selling phones rather than data, which allows a better balance of security in its design. The security challenge then shifts to making authentication with the service provider's backend equally reliable.
App Security by Design
Mobile apps must have security in their design, built in early in the development cycle rather than as an afterthought following penetration test results. Mobile developers should adopt secure coding practices and leverage the recommended approach to deliver trustworthy apps.
The goal of mobile app design for the enterprise must be focused on mitigating the risk of exposing sensitive data through a compromised mobile app. This can be achieved by minimizing the amount of data exposed through the functionality delivered to the user. “Secure yet easy to use” is a crucial ingredient of great mobile apps.
In order to eliminate the risk, designers can always list down the design choices in code—protocols, algorithms, data formats—and prepare a security implementation checklist mapped with identified mobile vulnerabilities.
Mobile App Security: Some Best practices
Countering cybersecurity threats requires an understanding of vulnerabilities in the current technology and in the ways in which people use that technology. Listed below are some best practices for building secure mobile apps:
Mobile developers must be trained and sensitized about implications of an app security breach. They must remain cognizant of security controls like Cryptography, TLS, and Keychain storage.
Secure Data Storage
Sensitive data must be identified and not stored anywhere unless necessary. If it becomes necessary to store sensitive information, it must first be encrypted using password-based algorithms, and the password should be combined with salt and pepper and kept in a different data store than the secure information itself.
Any data exchange over the network must be executed using protocols like TLS 3 or later. When communication is with a known server, a certificate pinning check must be implemented. Additionally, client certificate verification can also be implemented.
A strong password policy should be enforced. Session authentication tokens should not be stored in cookies or other persistent digital footprints. They must expire in reasonable timeframes, depending on the use case.
Any data that needs to be stored must use password-based encryption techniques like AES 256. The password itself must be stored in Keychain-like storage that is assumed safe.
Minimum Privilege Policy
A mobile app must always obtain the minimum privilege level necessary to execute its functions. Higher-level privileges must be relinquished immediately after their use is over.
Secure Coding Practices
All application code review processes must include a checklist for secure coding practices for Android as well as iOS.
Third-party tools like Arxan—Application Protection for Mobile—or IBM Security Trusteer Mobile SDK must be considered for binary protection.
Code obfuscation tools must be used to prevent reverse engineering.
Code auditors must be employed to help identify hidden backdoors.
Toward a Better Approach to App Security
Based on the analysis of vulnerabilities and threats in mobile, FIDO Alliance specifications (Figure 1) can be used for implementing the next-generation mobile app security and making apps resilient to scalable cyberattacks. The key paradigm here is introduction of biometrics-based user identification and public key cryptography for authentication with mobile backend. The aim is to leverage new technologies like Trusted Execution Environment (TEE) and Secure Element for better safeguarding of sensitive data in mobile devices. This eliminates the use of cumbersome passwords that are difficult to enter for users on the move and carry the risk of being stolen.
Figure 1: Key Elements of FIDO Recommendations
Considered as the best mix of security and comfort, biometric identification uses verifiable biological attributes like fingerprint, face recognition, iris, or speech ID for authenticating individuals in quick and reliable ways. It involves statistical comparison of data derived from a person’s characteristics to reach a deterministic resemblance.
Public Key Cryptography
The problem of passwords being stolen or compromised in a cyberattack can be addressed by using a Public Key and Private Key pair generated at the time of service provider registration. Public key cryptography is quite reliable and provides safeguards against majority of cyberattacks. Exceptions can include state actors like the NSA.
The pivot of this approach is the authentication module in the mobile app that is developed with extra security hardening. Its security verification code is designed to run within Trusted Execution Environment (powered by ARM® TrustZone® for Android and Secure Enclave for iOS). The executable binary of the authentication module is cryptographically verified by hardware-backed keys at run time. The authentication module then uses a private key as the token of trust with the mobile backend. This key is stored in the Secure Element of the hardware and cannot be accessed by questionable apps. Note: For using TEE features on Android, an additional OEM SDK (like Samsung Knox Premium SDK) is required. For iOS, SDK Version 9 or above is sufficient. For both iOS and Android, the hardware must support TEE.
The app must undergo one-time registration with the service provider’s backend by following the steps shown below:
Information exchange becomes secure when a private key is used for authentication. Mobile apps can establish trust with a known server using the following steps for better security:
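The registration and challenge-response flow described above, as an added Go example that is not part of the white paper or of the FIDO specifications: an ECDSA P-256 key pair stands in for the hardware-backed key in the TEE/Secure Element, `Backend` is a constructed stand-in for the service provider's backend, and the 32-byte challenge size is an assumption. It models the protocol logic only, not a mobile SDK.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Backend keeps one registered public key and one pending challenge per user;
// it never holds a password or a private key.
type Backend struct {
	registered map[string]*ecdsa.PublicKey
	pending    map[string][]byte
}

func NewBackend() *Backend { return &Backend{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

// Register stores the public key the app sends during one-time registration.
func (b *Backend) Register(user string, pub *ecdsa.PublicKey) { b.registered[user] = pub }

// Challenge issues a fresh 32-byte nonce that exactly one Verify call may consume.
func (b *Backend) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	b.pending[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding challenge, then discards the
// challenge so a captured signature cannot be replayed for a second login.
func (b *Backend) Verify(user string, sig []byte) bool {
	pub, known := b.registered[user]
	c, outstanding := b.pending[user]
	if !known || !outstanding {
		return false
	}
	delete(b.pending, user)
	h := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// NewAuthenticatorKey stands in for key generation inside the app's hardened module
// (TEE / Secure Element): only the public half is ever sent to the backend.
func NewAuthenticatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign answers a challenge; ECDSA signs the SHA-256 hash of the nonce.
func Sign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
```

A second device with its own key pair, or a replayed signature, is rejected by `Verify`, which is the property that makes the scheme resilient to the scalable credential theft the text describes.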
Data Storage Protection
The mobile app must segregate sensitive data from general data stored locally. Trusted apps can store data locally with confidence by following these steps at the time of the initial launch and setup:
Mobile Security: Effective Monitoring Holds the Key
The human factor makes cybercrime and data breaches a complicated issue for enterprises worldwide. Most of the prominent cyberattacks had started with phishing via an e-mail. This means that employees are the weakest point in the security cover. There is a need for higher cybersecurity awareness because an unintentional click on a suspicious email can wreak havoc on the entire organization.
Simple measures like awareness programs, cybersecurity best practices, and adoption of FIDO Alliance recommendations can help build safe and secure mobile apps, as trust on mobile has become fundamental to user acquisition and retention. With consistently effective monitoring of traffic for mobile apps, enforcing policies as per analysis of usage, and having real-time reporting and remediation methods, enterprises can create more secure mobile app usage environments. At the same time, it is important to accept that cybersecurity incidents can occur, and organizations must have their own incident response plan in order to minimize damages and recover from the situation faster.
New Compliance Requirements
In order to keep financial markets resilient to cyberattacks, regulatory bodies like CBEST (Bank of England) are prescribing cybersecurity standards for software development efforts involving the core of the nation’s Financial Services Sector.
CBEST: Bank of England
CBEST is a framework for performing intelligence-led cybersecurity tests akin to a real attack, based on vulnerabilities and exploits identified by approved cyber threat intelligence providers.
CFI: Hong Kong Monetary Authority
Financial institutions are hit more frequently than other industries, and attacks are getting more hostile and unpredictable. For this reason, CFI provisions a structured assessment framework for intelligence-led Cyber Attack Simulation Testing for the institutions at risk. HKMA CFI’s aim is to focus on technologies such as mobile-centered services.
FFIEC Cybersecurity Assessment Tool
With increasing sophistication of cyberthreats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions determine their cybersecurity maturity. The assessment is conducted in five categories:
- Technologies and connection types
- Delivery channels
- Online/mobile products and technology services
- Organizational characteristics
- External threats
About the Author
Abhinav Kumar is a Senior Architect, Digital Services, at NIIT Technologies. He has over 17 years of experience in bringing innovation to real-world applications and crafting cutting-edge solutions that create business value. A person with an eye for detail, he is busy micro-architecting solutions to make things work. He remains instrumental in designing applications using Speech Recognition, Natural Language Processing, and Machine Learning.