Page 193 - Cyber Defense eMagazine September 2023

Credential Stuffing

Credential stuffing poses a major risk to mobile banking apps, and developers should take note: 4.8 billion people are projected to use mobile wallets by 2025. This attack method involves the automated injection of breached username/password pairs to fraudulently gain access to user accounts. Attackers employ automation to send large numbers of properly formatted but random username/password pairs at a targeted system until one matches an existing account. Once a match is found, the next step of the breach can be executed, effectively taking over the victim’s account.
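The pattern described above, many distinct usernames failing from one source in a short window followed by a success, is what a defender can look for in authentication logs. The following is an added example, not code from the article: a small sliding-window detector run over constructed log lines in an assumed "timestamp IP username FAIL|OK" format, with the window size and threshold chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <source IP> <username> <FAIL|OK>" (assumed format).
# 203.0.113.7 tries five different usernames in seconds, then succeeds on the sixth:
# the credential-stuffing pattern. 198.51.100.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 203.0.113.7 alice FAIL
2023-09-01T10:00:02Z 203.0.113.7 bob FAIL
2023-09-01T10:00:02Z 203.0.113.7 carol FAIL
2023-09-01T10:00:03Z 203.0.113.7 dave FAIL
2023-09-01T10:00:03Z 203.0.113.7 erin FAIL
2023-09-01T10:00:04Z 203.0.113.7 frank OK
2023-09-01T10:00:10Z 198.51.100.9 alice FAIL
2023-09-01T10:00:20Z 198.51.100.9 alice FAIL
2023-09-01T10:00:40Z 198.51.100.9 alice OK
"""

WINDOW = timedelta(seconds=60)      # sliding window per source IP (illustrative value)
DISTINCT_USER_THRESHOLD = 5         # distinct usernames failing inside the window


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Flag source IPs whose failed logins span >= threshold distinct usernames
    within `window`; any later success from a flagged IP is a likely takeover.
    Returns {ip: {"distinct_users": n, "hits": [usernames that succeeded]}}."""
    recent = defaultdict(list)   # ip -> [(timestamp, username)] of failed attempts
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            # Drop attempts that fell out of the window, then record this one.
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, user))
            distinct = {u for _, u in recent[ip]}
            if len(distinct) >= threshold:
                entry = flagged.setdefault(ip, {"distinct_users": 0, "hits": []})
                entry["distinct_users"] = len(distinct)
        elif result == "OK" and ip in flagged:
            # A success after a spray is the "match found" step the article describes.
            flagged[ip]["hits"].append(user)
    return flagged
```

Distinct-username counting is what separates a stuffing run from a single forgetful user, who generates many failures against one account; a per-account failure counter alone would rank them the wrong way round.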



Traditional Threats

Malicious Reverse Engineering – Static and Dynamic


The very first layer of defense in any mobile app security strategy should consist of hardening or "shielding" the app by implementing basic runtime application self-protection (RASP) measures like anti-tampering, anti-debugging, anti-reversing, and preventing emulators or other virtualized environments.



            Lack of Obfuscation

Code obfuscation makes it difficult for attackers to understand an app's source code and control flows. Hackers use open source, freely available disassemblers, decompilers and debuggers to reverse engineer mobile apps and understand the source code. With this information, they can craft more successful attacks.

Even more skilled cybercriminals can use dynamic instrumentation toolkits such as Frida to attach to running processes, hook into applications remotely, and dynamically inject code into memory at runtime, allowing attackers to alter an app's behavior, functionality, logic, and state — all while the app is running. These tools can also help them cover their tracks and remain undetected.



            Weak or Insufficient Encryption


The next major area of concern is a general lack of sufficient data encryption in mobile apps. Most apps employ weak or insufficient encryption, and some ignore encryption altogether for data stored in the code. This often includes extremely sensitive API keys and secrets stored in the clear as strings in the app, which allows easy extraction or interception of usernames and passwords, both as stored in the app and as they traverse a network, such as when a user logs in to a mobile banking app. Other places where we find an abundance of unprotected data are app preferences, XML strings, and app resources.


You might expect that this data would be encrypted by default. Simply put, it's not. Encrypting data can complicate sharing authentication and authorization with back-end servers and other apps, which degrades the user experience if encryption breaks it. Plus, there are a dizzying number of choices to




