Cybersecurity and protecting the network reside squarely in the corporate IT spotlight, yet there’s a shadow area where it’s time to shine a light: Application security. Too often it’s the app client that’s the weakest link and becomes the entry point for hackers and malware.
The view of many IT security professionals is that if the network servers are secure, important business assets are protected. What’s often overlooked is that enterprise servers are constantly communicating with a wide variety of mobile and web applications, ranging from internal communication apps to those residing on employee’s devices (who could be using them to access the company network — without the knowledge of IT).
But apps don’t store critical information so any damage is minimal, right?
Wrong. Apps may not store critical company data, but servers do.
Hackers may eventually be able to compromise the servers by gaining access through insecure apps. According to our analysis at SEWORKS, 85% of the top 200 free apps on Google Play can be decompiled. Do any of your employees have mobile fitness apps on their phone? When we analyzed the top 10 fitness apps on the market, we discovered that all of them had at least some critical and medium security vulnerabilities. Moreover, all of them could be decompiled, which could lead to further hacking damage.
App security vulnerabilities
Let’s take a look at a few possible security scenarios where apps may be vulnerable.
Copycat apps. A prime asset for any software company is source code. One well-known gaming company, Supercell, expended significant resources and money developing a story line, characters, graphics and more for Clash Royale, a freemium mobile tower rush video game. The game was soft-launched in 2016 in a few countries, but within 4 weeks, a copycat app showed up. By reverse engineering the source code, rogue hackers based in China were able to bypass normal development costs and time by simply bringing to market an already developed mobile game. By the time the true game developers entered the market, the copycat app already had a toehold in these markets.
Malware insertion. A hacker compromises an app, reverse engineers the source code and inserts a type of malware that infects the corporate network. The malware could be used for DDoS attacks. Or, servers could be cryptojacked and their CPU or GPU power used to illegally mine digital currency. A company may also unknowingly distribute the malware, infecting unsuspecting customers and prospects. Unfortunately, it’s difficult to predict what damage malware could do in the future, but it certainly could monitor activities, messages, phone calls, or photos.
Source code manipulation and payment fraud. If hackers manipulate the software code of a company’s payment system, from the IT security professional’s point of view, payments appear to be flowing properly. In actuality, the money is flowing to the hacker’s bank account and there’s no way to get it back.
Protecting your apps and servers
In one of the largest data breaches in the United States, Equifax said in a statement that “Equifax’s Security team observed suspicious network traffic associated with its U.S. online dispute portal web application.” Through the attack, criminals had potential access to files that contained names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license numbers.
Warning signs that apps have compromised enterprise servers may be subtle. In the Equifax breach, the security team observed suspicious network traffic. We recommend employing obfuscation and encryption of core files and libraries. Closely monitor your security status on an ongoing basis. Analyze and modify source code or binary files for protection. If an incident occurs, you must be able to take action as quickly as possible.
For any internal apps, we recommend starting with the design phase and incorporating security testing throughout the development lifecycle. IT security professionals should also pay attention to customer feedback and online reviews. For example, if complaints crop up that a device seems to be running slow, that might be a sign that an app has been compromised.
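The recommendations above (analyze your source code, test throughout the development lifecycle) can be turned into a pre-release gate. The following is an added example, not SEWORKS code or anything from the article: a small scanner that walks app source files and flags the kinds of things a decompiler hands an attacker for free, namely hardcoded credentials and plaintext HTTP endpoints. The file names, the `SAMPLE_SOURCE` contents and the detection rules are constructed for illustration; a real deployment would run it over the project tree in CI and fail the build on any finding.

```python
import re
from typing import Dict, List

# Constructed sample of app source, shaped like what a decompiler would recover
# from a shipped build. Not taken from any real app.
SAMPLE_SOURCE: Dict[str, str] = {
    "com/example/app/ApiClient.java": '''
        private static final String API_KEY = "AKIAEXAMPLE000000000";
        private static final String BASE_URL = "http://api.example.internal/v1";
        private String password = "hunter2";
    ''',
    "com/example/app/Util.java": '''
        private static final String TAG = "Util";
        private static final String BASE_URL = BuildConfig.API_URL;
    ''',
}

# Detection rules (hypothetical, illustrative set). Each rule is a name and a
# compiled regex applied line by line.
RULES = [
    # AWS-style access key id: "AKIA" followed by 16 uppercase alphanumerics
    ("hardcoded_aws_key", re.compile(r"AKIA[0-9A-Z]{16}")),
    # Cleartext HTTP endpoint embedded as a string literal
    ("plaintext_http_endpoint", re.compile(r'"http://[^"]+"')),
    # Assignment of a string literal to a credential-looking identifier
    ("hardcoded_secret_assignment",
     re.compile(r'(?i)\b(password|passwd|secret|api_key)\b\s*=\s*"[^"]+"')),
]


def scan_source(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one finding per (file, line, rule) hit.

    `files` maps a path to its text, so the function works equally on a
    checkout of your own source or on the output of a decompiler.
    """
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule_name, pattern in RULES:
                if pattern.search(line):
                    findings.append({
                        "file": path,
                        "line": lineno,
                        "rule": rule_name,
                        "snippet": line.strip(),
                    })
    return findings


def release_gate(findings: List[Dict[str, object]]) -> bool:
    """True if the build may ship, False if any finding blocks release."""
    return len(findings) == 0


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['snippet']}")
    print("release allowed:" if release_gate(results) else "release BLOCKED:",
          len(results), "finding(s)")
```

Two design points: the scanner reads plain text, so it can be pointed at decompiler output as well as at the repository, which lets you see exactly what an attacker would see in the shipped binary; and the `Util.java` entry shows the pattern that passes, reading the endpoint from build configuration instead of a literal, so secrets and environment-specific URLs never reach the compiled artifact in the first place.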
We can’t stress enough that apps can be leveraged by hackers to access your enterprise servers and your sensitive data. It’s time to widen your cybersecurity spotlight – your business could depend upon it.
Speaking of spotlight – here’s a three-year-old story that hasn’t gone away, it’s only gotten worse…the flashlight apps that spy on you. Apps that are trusted, yet eavesdropping. This problem is only getting worse. The best thing you can do to create trust is to show you are building your apps securely from the ground up and testing them frequently for exploitable holes. Customers already made nervous by stories like the spying flashlight apps need new forms of reassurance, and you can provide that by incorporating security testing throughout the entire development cycle. Makes sense?
About the Author
Min Pyo Hong, CEO and founder of SEWORKS, advises corporations, NGOs, and governments on digital and cyber security issues. Min led a team of five-time finalists at the annual DEF CON conference in Las Vegas, and is a PhD candidate at Korea University in SANE-LAB Information Security. A serial entrepreneur, his previous company, SHIFTWORKS, was sold to InfraWare. Min also founded the WOWHACKER Collective, a non-profit security research group in Korea.
Min can be reached online at The SEWORKS website https://www.seworks.co/