Page 193 - Cyber Defense eMagazine September 2023
Credential Stuffing
Credential stuffing poses a major risk to mobile banking apps, and developers should take note: 4.8
billion people are projected to use mobile wallets by 2025. The attack is the automated injection of
username/password pairs taken from earlier breaches into a target's login endpoint. Because many users
reuse passwords across services, attackers do not need to guess: they replay large lists of properly
formatted, previously leaked credentials against the targeted system until one matches an existing
account. Once a match is found, the next step of the breach can be executed, effectively taking over the
victim's account.
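The defender's side of this is telling a stuffing burst apart from ordinary failed logins. The following is an added example, not code from the article: it runs a simple detector over a constructed login log. The log format, the per-source-IP heuristic and the thresholds (window, distinct-user count, failure ratio) are assumptions chosen for illustration.

```python
"""Added example (not from the article): flag credential-stuffing bursts in
login logs. Log format, field names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 tries one leaked pair each against many accounts (stuffing);
# 198.51.100.2 retries a single account (brute force or a forgetful user).
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 203.0.113.7 alice FAIL
2023-09-01T10:00:02Z 203.0.113.7 bob FAIL
2023-09-01T10:00:02Z 203.0.113.7 carol FAIL
2023-09-01T10:00:03Z 203.0.113.7 dave FAIL
2023-09-01T10:00:03Z 203.0.113.7 erin OK
2023-09-01T10:00:04Z 203.0.113.7 frank FAIL
2023-09-01T10:00:05Z 203.0.113.7 grace FAIL
2023-09-01T10:00:05Z 203.0.113.7 heidi FAIL
2023-09-01T10:00:06Z 203.0.113.7 ivan FAIL
2023-09-01T10:00:06Z 203.0.113.7 judy FAIL
2023-09-01T10:00:10Z 198.51.100.2 alice FAIL
2023-09-01T10:00:20Z 198.51.100.2 alice FAIL
2023-09-01T10:00:30Z 198.51.100.2 alice OK
2023-09-01T10:05:00Z 192.0.2.9 mallory FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse lines into (time, ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than crash the detector
        ts, ip, user, result = m.groups()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((t, ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_distinct_users=8, min_failure_ratio=0.8):
    """Return {ip: summary} for sources that, inside one window, hit many
    distinct usernames with mostly failures. One account retried many times
    is a different signal (brute force) and is deliberately not flagged."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            bucket = [e for e in evs[i:] if e[0] - start < window]
            users = {e[2] for e in bucket}
            failures = sum(1 for e in bucket if not e[3])
            ratio = failures / len(bucket)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                # Successes inside a stuffing burst are the accounts whose
                # leaked pair still works: lock them or force step-up auth.
                findings[ip] = {
                    "attempts": len(bucket),
                    "distinct_users": len(users),
                    "failure_ratio": round(ratio, 2),
                    "successful_logins": sorted(e[2] for e in bucket if e[3]),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, only 203.0.113.7 is reported, with "erin" as the account that needs attention. A per-source-IP window is one signal only: real campaigns spread attempts across proxy pools, so production detectors also key on device fingerprint, on the share of attempts whose username exists, and on known-breached password checks at login.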
Traditional Threats
Malicious Reverse Engineering – Static and Dynamic
The very first layer of defense in any mobile app security strategy should be hardening or "shielding"
the app with basic runtime application self-protection (RASP) measures: anti-tampering, anti-debugging,
anti-reversing, and detection of emulators and other virtualized environments.
Lack of Obfuscation
Code obfuscation makes it harder for attackers to understand an app's decompiled code and control flow.
Without it, attackers use freely available open-source disassemblers, decompilers and debuggers to
reverse engineer mobile apps and recover logic close to the original source. With that understanding,
they can craft more targeted attacks.
More skilled attackers use dynamic instrumentation toolkits such as Frida to attach to the running
process, hook its functions, and inject code into memory at runtime, letting them alter the app's
behavior, functionality, logic and state while it is running. Because the changes live only in memory
and leave the installed binary untouched, these tools also help attackers remain undetected.
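To make the RASP measures above and the Frida scenario concrete, here is an added example that is not code from the article. It implements three of the checks a self-protecting app performs on Linux/Android: is a debugger attached (TracerPid in /proc/self/status), is an instrumentation agent mapped into the process (/proc/self/maps), and is something listening on frida-server's default port (/proc/net/tcp). The functions take the procfs text as input so they can be exercised on constructed snapshots; the procfs layouts are real, while the indicator-string list, the port and the response on a hit are assumptions.

```python
"""Added example (not from the article): runtime self-protection checks of
the kind listed above, written as pure functions over Linux/Android procfs
text so they can be exercised anywhere. The procfs layouts are real; the
indicator strings, the port and what to do on a hit are assumptions."""
import re

FRIDA_DEFAULT_PORT = 27042   # frida-server's default listening port (0x69A2)
# Assumed indicator list: object names typically mapped by instrumentation agents.
INSTRUMENTATION_MARKERS = ("frida-agent", "frida-gadget", "libfrida", "linjector")

# Constructed procfs snapshots of a process under a debugger with Frida present.
SAMPLE_STATUS = "Name:\tdemobank\nState:\tS (sleeping)\nTracerPid:\t4321\nUid:\t10123\n"
SAMPLE_MAPS = (
    "7f1a00000000-7f1a00021000 r-xp 00000000 fd:01 1234 /system/lib64/libc.so\n"
    "7f1a10000000-7f1a12000000 r-xp 00000000 fd:01 5678 "
    "/data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f1a20000000-7f1a20001000 rw-p 00000000 00:00 0\n"
)
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
    "retrnsmt   uid  timeout inode\n"
    "   0: 00000000:69A2 00000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:1F90 0100007F:D431 01 00000000:00000000 00:00000000 "
    "00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1\n"
)


def tracer_pid(status_text):
    """TracerPid from /proc/self/status: non-zero means ptrace (a debugger) is
    attached; -1 means the field was missing and the check is inconclusive."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else -1


def instrumentation_libs(maps_text):
    """Paths in /proc/self/maps whose object name matches a known agent marker."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) == 6 and any(mk in parts[5].lower() for mk in INSTRUMENTATION_MARKERS):
            found.add(parts[5])
    return sorted(found)


def listening_ports(net_tcp_text):
    """Local ports in LISTEN state (st == 0A) from /proc/net/tcp; ports are hex."""
    ports = set()
    for line in net_tcp_text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "0A":
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return ports


def assess(status_text, maps_text, net_tcp_text):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    pid = tracer_pid(status_text)
    if pid > 0:
        findings.append(f"debugger attached (TracerPid={pid})")
    libs = instrumentation_libs(maps_text)
    if libs:
        findings.append("instrumentation agent mapped: " + ", ".join(libs))
    if FRIDA_DEFAULT_PORT in listening_ports(net_tcp_text):
        findings.append(f"port {FRIDA_DEFAULT_PORT} (frida-server default) is listening")
    return findings


def assess_live():
    """Run the checks against the current process (Linux/Android only)."""
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/self/maps") as f:
        maps = f.read()
    with open("/proc/net/tcp") as f:
        net_tcp = f.read()
    return assess(status, maps, net_tcp)


if __name__ == "__main__":
    for finding in assess(SAMPLE_STATUS, SAMPLE_MAPS, SAMPLE_NET_TCP):
        print("RASP:", finding)
```

Two caveats a practitioner should keep in mind. First, an attacker who already has Frida attached can hook the very reads these checks perform, rename the agent library, and start frida-server on a non-default port, so checks like these raise the cost of analysis rather than prevent it; in a real app they belong in native code and their results should be reported to, and acted on by, the back end rather than trusted on the device. Second, TracerPid is also non-zero under legitimate tooling such as crash reporters, so treat a hit as a risk signal, not as proof of attack.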
Weak or Insufficient Encryption
The next major area of concern is a general lack of sufficient data encryption in mobile apps. Many apps
use weak or insufficient encryption, and some skip it altogether for data embedded in the app package
itself. This often includes extremely sensitive API keys and secrets stored in the clear as strings in the
app, which allows easy extraction or interception of usernames and passwords, both those stored in the
app and those in transit, for example when a user logs in to a mobile banking app. Other places where
unprotected data accumulates are app preferences, XML string resources, and other app resources.
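Finding those cleartext secrets is a routine first step in a mobile app assessment, and an easy gate to put in a build pipeline. The following added example is not code from the article: it scans a constructed strings.xml and a constructed dump of decompiled strings for known key formats and for high-entropy runs. The AWS and Google key formats are the real, documented ones; the entropy threshold, the token character set and the sample inputs are assumptions, and the sample includes a long identifier to show the heuristic's false-positive edge.

```python
"""Added example (not from the article): scan extracted app resources and a
decompiled string dump for cleartext secrets. Known key formats are real;
the entropy threshold and token charset are assumptions."""
import math
import re
from collections import Counter

# Constructed sample: res/values/strings.xml from an unpacked APK.
# AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key, not a real credential.
SAMPLE_STRINGS_XML = """\
<resources>
    <string name="app_name">DemoBank</string>
    <string name="api_base">https://api.example.com/v1</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="session_secret">k7Qw3zT9pLm2Xc8vB4nR6yH1sJ5dF0gA</string>
</resources>
"""

# Constructed sample: a few lines as `strings classes.dex` might print them.
# The long identifier is there to show the entropy heuristic not firing on it.
SAMPLE_DEX_STRINGS = """\
Ljava/lang/String;
-----BEGIN RSA PRIVATE KEY-----
ThisIsJustALongCamelCaseIdentifierName
"""

KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{24,}")  # base64-ish runs worth scoring
ENTROPY_MIN_BITS = 4.5  # assumed cut-off: random 32-char keys score ~5, identifiers lower


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the string's own histogram."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(source_name, text):
    """Return (source, line_no, kind, value) for every suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((source_name, line_no, kind, m.group(0)))
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if any(p.search(token) for p in KNOWN_PATTERNS.values()):
                continue  # already reported under its specific kind
            if shannon_entropy(token) >= ENTROPY_MIN_BITS:
                findings.append((source_name, line_no, "high_entropy_string", token))
    return findings


if __name__ == "__main__":
    for src, text in (("strings.xml", SAMPLE_STRINGS_XML),
                      ("classes.dex.strings", SAMPLE_DEX_STRINGS)):
        for source, line_no, kind, value in scan_text(src, text):
            print(f"{source}:{line_no}: {kind}: {value}")
```

Run against the output of an APK unpacker and the strings of each dex and native library. Known-format matches are high confidence; the entropy rule is a net that needs tuning per codebase, since minified identifiers and base64 image data score high while short or structured secrets score low. Whatever the scanner finds should be moved server-side or behind an authenticated API rather than merely re-encoded in the package.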
You might expect this data to be encrypted by default. Simply put, it's not. Encrypting it can
complicate sharing authentication and authorization state with back-end servers and other apps, and
it degrades the user experience if encryption breaks that flow. Plus, there are a dizzying number of choices to
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.