By Alan Bavosa, VP of Security Products, Appdome
In recent years, mobile apps have surged in popularity providing consumers with instant access to a variety of life essentials such as finances, education, and healthcare to life’s pleasures such as shopping, sports, and gaming. In fact, a recent study titled “United States Consumer Expectations of Mobile App Security,” revealed a significant shift, with approximately two-thirds of Americans now preferring the use of mobile apps over more traditional web channels, ushering in a new dominant channel for brands to connect with consumers.
With the popularity of mobile apps reaching new heights, the responsibility to protect mobile users against diverse security threats has become paramount as the attack landscape shifts focus to where most consumers are – mobile apps. And it’s evident that consumers expect and demand protection when using mobile apps, and they are not willing to compromise. For example, when asked to rank the priority of security vs. features, an overwhelming majority of U.S. consumers say that security is equal to or higher in importance than features.
The level of protection that consumers expect in mobile apps is also on the rise. For example, when consumers were asked what type of protection they expect mobile brands to provide when using their app, 72.7% of U.S. consumers said that they expect either “the best protections” available, or protection of the login and data, as well as protection against malware. Taken together, this clearly underscores the pressing need for mobile app developers to deliver enhanced protection in their mobile applications.
To help mobile developers and cyber-security teams wrap their heads around what this means, this article will illustrate both the new and emerging threats mobile apps face, along with the “tried and true” threats and attack methods that hackers have been using for years. Combined, this will give mobile developers a blueprint that will enable them to craft a strategy that addresses these threats head on and deliver the protections that their mobile customers demand.
Emerging Threats
Accessibility Service Malware
In recent years, there has been an emergence of malware specifically created to exploit the Android Accessibility Service framework which allows bad actors to gain unauthorized access to in-app events, steal personally identifiable information (PII), perform or even hijack transactions and evade detection. Notable examples include FluBot, Teabot, PixPirate, Brasdex and Xenomorph. Mobile banking apps often fall prey to these attacks, which monitor Accessibility Service events and user activity to harvest transactions, PII, and other valuable data.
Screen Overlay Attacks
A screen overlay attack is another tactic used by cybercriminals that has become more prominent. In this technique, part of the app screen is covered by a fake and malicious screen that the user is tricked into clicking on or interacting with to commit mobile fraud. Victims of this attack think they are interacting with a legitimate app or service, but they are actually interacting with the overlay screen controlled by the attacker, which can put PII, transactions and other sensitive data at risk. A classic example of this type of attack is Cloak & Dagger, with more recent variants including StrandHogg and others.
Credential Stuffing
Credential stuffing poses a major risk to mobile banking apps, and developers should take note, with 4.8 billion people projected to use mobile wallets by 2025. This attack method involves automated injection of breached username/password pairs to fraudulently gain access to user accounts. Attackers employ automation to send large numbers of properly formatted username/password pairs taken from prior breaches into a targeted system until a match to an existing account is achieved. Once a match is found, the next step of the breach can be executed, effectively taking over the victim’s account.
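The automated pattern described above (one source cycling breached pairs through many accounts until one matches) has a recognisable signature in the login log that a back end can act on before the account is used. The detector below is an added example, not Appdome's or any vendor's code; it assumes a simple constructed log format ("timestamp ip=… user=… result=ok|fail") and flags a source whose failures in a sliding window span many distinct usernames, which separates stuffing from a single user mistyping a password.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example (not from the article). Assumes a login log with the line format:
"<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycling through many accounts (stuffing),
# one ordinary user mistyping a password once, and one clean login.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2024-03-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2024-03-01T10:00:05 ip=203.0.113.7 user=frank result=ok
2024-03-01T10:00:10 ip=198.51.100.2 user=grace result=fail
2024-03-01T10:00:12 ip=198.51.100.2 user=grace result=ok
2024-03-01T10:00:20 ip=198.51.100.9 user=heidi result=ok
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_stuffing(log_text, window=timedelta(seconds=60),
                    min_failures=5, min_distinct_users=4):
    """Return {ip: sorted distinct usernames} for sources whose failed logins
    inside a sliding time window hit many different accounts.

    A forgetful user fails repeatedly on ONE account; a stuffing run fails
    across MANY accounts from the same source, so distinct usernames is the
    discriminating feature, not the raw failure count alone.
    """
    recent = defaultdict(deque)   # ip -> events inside the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:   # evict stale events
            q.popleft()
        fails = [e for e in q if e["result"] == "fail"]
        users = {e["user"] for e in fails}
        if len(fails) >= min_failures and len(users) >= min_distinct_users:
            flagged[ev["ip"]] = sorted(users)
    return flagged


def accounts_at_risk(log_text, flagged):
    """Accounts a flagged source then logged into successfully: the 'match'
    the article describes, which should trigger step-up authentication or a
    forced credential reset rather than a normal session."""
    hits = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["ip"] in flagged and ev["result"] == "ok":
            hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    suspects = detect_stuffing(SAMPLE_LOG)
    print("stuffing sources:", suspects)
    print("accounts at risk:", accounts_at_risk(SAMPLE_LOG, suspects))
```

The thresholds (five failures across four or more accounts within a minute) are assumed values for the sample; in production they would be tuned against the app's normal failure rate, and the same logic can be keyed on device fingerprint or session token instead of source IP, since stuffing tools rotate addresses through proxies.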
Traditional Threats
Malicious Reverse Engineering – Static and Dynamic
The very first layer of defense in any mobile app security strategy should consist of hardening or “shielding” the app by implementing basic runtime application self-protection (RASP) measures like anti-tampering, anti-debugging, anti-reversing, and blocking execution in emulators or other virtualized environments.
Lack of Obfuscation
Code obfuscation makes it difficult for attackers to understand an app’s source code and control flows. Hackers use open source, freely available disassemblers, decompilers and debuggers to reverse engineer mobile apps and understand the source code. With this information, they can craft more successful attacks.
Even more skilled cybercriminals can use dynamic instrumentation toolkits such as Frida to attach to running processes, hook into applications remotely, and dynamically inject code into memory during runtime, allowing attackers to alter an app’s behavior, functionality, logic, and state — all while the app is running. Plus, these tools can help them cover their tracks to remain undetected.
Weak or Insufficient Encryption
The next major area of concern is a general lack of sufficient data encryption in mobile apps. Most apps employ weak or insufficient encryption, and some ignore encryption altogether for data stored in the code. This often includes extremely sensitive API keys and secrets stored in the clear as strings in the app, which allows easy extraction of usernames and passwords stored in the app, or interception of them as they traverse a network, such as when a user logs in to a mobile banking app. Other places where we find an abundance of unprotected data are app preferences, XML strings, and app resources.
You might expect that this data would be encrypted by default. Simply put, it’s not. Encrypting data can complicate sharing authentication and authorization with back-end servers and other apps, which degrades the user experience if encryption breaks it. Plus, there are a dizzying number of choices to make in terms of key size/strength, key derivation technique, cipher strength, and encryption algorithms. Every one of these choices can have a dramatic effect on performance and security if it is wrong.
As a result, in the name of releasing apps quickly and delivering a smooth user experience, these critical areas of mobile app security are often given short shrift. The consequences, though, can be dire. These security deficiencies enable hackers to take over accounts, compromise financial transactions, conduct screen overlay and man-in-the-middle attacks, inject code remotely, and create Trojans that look and feel like the real thing.
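Because the secrets described above sit in resource files that anyone with the package can unzip and read, the cheapest defense is a check that runs in the build pipeline before release. The scanner below is an added example, not Appdome's code: it parses a constructed Android strings.xml (all resource names and values are made up) and flags entries either by a sensitive-looking name or, for keys hidden behind innocuous names, by a long, high-entropy value.

```python
"""Build-time check for secrets shipped in the clear in app string resources.

Added example (not from the article). The strings.xml below is constructed;
resource names and values are invented for the demonstration.
"""
import math
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for res/values/strings.xml as it ends up inside an APK.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ExampleBank</string>
    <string name="welcome_text">Welcome back</string>
    <string name="payments_api_key">AKIA0EXAMPLEKEY7Q3ZP9TXR</string>
    <string name="backend_secret">s3cr3t-9f8a7b6c5d4e3f2a1b0c</string>
    <string name="config_blob">9fK2pQ7xZmL4tR8vN1cW6yB3hJ5dG0sA</string>
    <string name="support_url">https://example.com/help</string>
</resources>
"""

# Resource names that almost always hold something that should not ship in the app.
SENSITIVE_NAME_RE = re.compile(
    r"(api[_-]?key|secret|token|password|passwd|private[_-]?key)", re.I)


def shannon_entropy(s):
    """Bits of entropy per character. Random-looking keys score high (>= ~3.5);
    prose and short identifiers score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_cleartext_secrets(xml_text, min_len=16, min_entropy=3.5):
    """Return [(resource_name, reason)] for string resources that look like secrets.

    Two independent signals: the resource NAME says 'secret', or the VALUE is a
    long, space-free, high-entropy blob that is not a URL. The second catches
    keys that were renamed to something harmless-looking.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if SENSITIVE_NAME_RE.search(name):
            findings.append((name, "sensitive resource name"))
        elif (len(value) >= min_len and " " not in value
              and not value.startswith("http")
              and shannon_entropy(value) >= min_entropy):
            findings.append((name, "high-entropy value"))
    return findings


if __name__ == "__main__":
    for name, reason in find_cleartext_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason}")
```

A finding should fail the build. The fix for a flagged resource is not to obfuscate the string but to remove it from the package: credentials that identify the app to a back end are better exchanged at runtime for short-lived, per-user tokens, and per-user keys belong in the platform keystore, derived with a proper key derivation function rather than hard-coded, which is the set of choices the text above says developers tend to skip.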
Man-in-the-Middle Attacks
Man-in-the-Middle Attacks (MitM) often target mobile apps belonging to the service, finance, and retail industries. Hackers place themselves in between the mobile user and the remote service or server that the user is trying to reach. These two trusted parties believe they are conversing with one another but are communicating with the hacker. This attack allows bad actors to gain unauthorized access to passwords, credit card, contact, and loyalty account information.
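The interposition described above only succeeds when the app accepts the attacker's certificate, and the most common way that happens is a developer switching verification off to get past a certificate error during testing and shipping that build. The code below is an added example, not Appdome's code: it places that weak client TLS configuration beside a hardened one, gives an audit function that flags the weak settings, and adds a fingerprint-pinning check on top of chain validation. The DER bytes and pinned fingerprint are constructed for the demonstration, and pinning the hash of the whole leaf certificate is one of several pinning strategies, chosen here because it needs no ASN.1 parsing.

```python
"""Client TLS configuration: the MitM-enabling pattern beside the hardened one.

Added example (not from the article). Uses only the standard library; the
'certificate' bytes below are constructed and not a real certificate.
"""
import hashlib
import ssl


def make_insecure_context():
    """The weak pattern: chain and hostname verification switched off, so any
    server that terminates the connection is accepted as the real one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context():
    """The corrected pattern: chain verification against the trust store,
    hostname checking, and TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def certificate_pin_matches(der_cert, pinned_sha256_hex):
    """Pinning layered on top of chain validation: compare the SHA-256 of the
    DER-encoded leaf (what getpeercert(binary_form=True) returns) against the
    fingerprints shipped with the app. A mismatch must abort the connection."""
    fingerprint = hashlib.sha256(der_cert).hexdigest()
    return fingerprint in {p.lower() for p in pinned_sha256_hex}


# Constructed stand-in for a server's DER certificate and the app's pin set.
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"
PINNED_FINGERPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}


if __name__ == "__main__":
    print("insecure:", audit_context(make_insecure_context()))
    print("hardened:", audit_context(make_hardened_context()))
    print("pin ok:", certificate_pin_matches(SAMPLE_DER, PINNED_FINGERPRINTS))
```

The two settings `audit_context` checks are exactly what the platform TLS stacks on iOS and Android enforce by default; the defect is application code that overrides them. Pins need a rotation plan (ship the next certificate's fingerprint before it is deployed), otherwise a routine certificate renewal locks every installed client out.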
Combating Attacks
To secure mobile apps from the above-mentioned threats, implementing a multi-layered security model is crucial. A multi-faceted security approach that is both proactive and reactive can not only prevent attacks but also quickly detect and remediate a threat before harm is done. Organizations should pivot towards embedding security at the very start of the development lifecycle. Leveraging no-code tools empowers them to do just this by better operationalizing mobile app security in the CI/CD pipeline and taking an engineering approach to DevSecOps. By doing this, developers can leverage tools that provide mobile development and cyber teams with comprehensive, automated systems to build, test, release and monitor security defenses and protections directly in iOS and Android apps during the app development process.
As mobile apps continue to be the apple of U.S. consumers’ eye, serving as a gateway to brand relationships, Americans have a growing appetite for advanced protection from malware, hacking, fraud, and other destructive cyber actions.
Not only do consumers value security as much as or more than new features; 51.2% want the best protection possible. To achieve this, developers and cybersecurity professionals need to work together with a mobile-first mindset to ease any concerns Americans may have with their mobile apps.
Security is materializing as the next driving force for mobile app adoption, serving as a pillar for a successful transition into the mobile realm. Those businesses that ignore this will not only do a disservice to their customers but will be left behind as it evolves into a fierce battleground among companies in all industries. Embracing security as a fundamental element is not just a necessity, but a strategic imperative to thrive in the ever-evolving landscape of mobile technology.
About the Author
Alan Bavosa is the VP of Security Products at Appdome, the leading pioneer in no-code, automated mobile app defense. He is passionate about helping mobile developers build secure mobile apps rapidly as part of the DevOps CI/CD pipeline. Prior to Appdome, Alan held numerous executive and entrepreneurial roles at leading cybersecurity firms including ArcSight, NetScreen, and Palerra, as well as their respective acquirers HP, Juniper, and Oracle. Alan can be reached online on LinkedIn, Twitter, and at our company website https://www.appdome.com.