Most of us give little thought to the security of the mobile applications we use. We assume that security is built into iOS or Android itself and that our own app is not a high-value target. Even though we use mobile apps for online banking, navigation, shopping and email, we still tell ourselves that we keep no critical information on our devices.
In early 2016, research by Hewlett Packard evaluated the security posture of more than 36,000 Android and iOS apps and found that more than half of them were collecting, transmitting and storing large quantities of data that the application did not need in order to work. For example, more than 50% of the applications accessed geo-location data, 40% of social networking apps accessed users' contacts and around 50% of weather and game apps accessed calendar data. The information harvested from a single user might seem worthless to an attacker, but it is not: sensitive data extracted from one user can damage the privacy of that user and the reputation of the entire enterprise behind the app.
Mobile applications: how is the game changing?
Attackers are taking a growing interest in mobile because the industry keeps growing. According to Statista, there were 4.77 billion mobile users worldwide at the beginning of 2017, with an estimated increase to more than 5 billion by 2019. Attackers go where the end users are, and mobile is becoming the main new battleground for data security.
2016 saw a high level of mobile hacking and exploitation. In one case, an app used by Ukrainian artillery units defending eastern Ukraine was compromised. In another, WhatsApp was accused of having a vulnerability that allowed encrypted messages to be snooped on, which would have exposed all of its users. While the average enterprise might not expect to be attacked, in the world of hacking anybody can be a high-value target. To stay ahead, every enterprise should learn from these incidents and understand where the main vulnerabilities are.
Why mobile apps are vulnerable
In 2016, the Open Web Application Security Project (OWASP) surveyed the industry for vulnerabilities in the application layer of mobile apps. The goal of the project was to categorize mobile security risks and suggest measures that reduce the likelihood of exploitation, so that developers can build security in when designing, testing and deploying an application. Through data analysis and community consensus, OWASP published the following top 10 categories of mobile application vulnerabilities (the OWASP Mobile Top 10 2016):
M1: Improper Platform Usage: Every platform has security and development guidelines. Misusing a platform feature, or failing to use the security controls the OS (Android or iOS) provides, exposes the app to risk. Examples are misuse of the iOS Keychain, Android intents or Touch ID.
M2: Insecure Data Storage: An app can write sensitive data to an insecure location on the device and unintentionally disclose it. Saving health or geo-location information to an SD card (external storage that other apps can read), for example, is bad practice and should be avoided.
M3: Insecure Communication: Failing to protect sensitive data in transit (passwords, session tokens, personal data) compromises its confidentiality and integrity. Typical causes are cleartext connections, accepting invalid TLS certificates, and negotiating weak cipher suites.
M4: Insecure Authentication: Mobile apps need to positively identify the user, whether online or offline. Failing to establish the user's identity, or managing sessions poorly, ends up delivering service to unidentified users. For example, an app might use the device's IMEI or IMSI number to authenticate the user; these identifiers are not secret and can be read or spoofed by an attacker.
M5: Insufficient Cryptography: Here the app does try to protect a sensitive data asset with cryptography, but does so with a weak cipher, a key that is too small, the wrong primitive for the job, or a key stored where the attacker can recover it. The protection may work to some degree, but data protected by poor cryptography will likely be exposed.
M6: Insecure Authorization: This risk arises when the server fails to enforce the identity and permissions of an authenticated user. Granting access to unauthorized users, who can then invoke or receive services with privileges that are not theirs, puts the application at risk. A typical example is making authorization decisions on the client and having the server trust them.
M7: Client Code Quality: These are code-level vulnerabilities in the client, such as buffer overflows, format string bugs and similar defects, where the fix is to rewrite the affected code running on the device. Because that code is in the attacker's hands, such defects are readily found by reversing or decompiling the app, which also exposes business logic (secret algorithms) along with the vulnerabilities themselves.
M8: Code Tampering: Once an application has been downloaded to the device, its code and data stay on the device. An attacker can therefore modify the code, add backdoors, change the logic, clone the app and repackage it as a malicious variant, or copy the software for monetary gain.
M9: Reverse Engineering: An attacker can disassemble or decompile the mobile app and analyze every component in detail. Successful reverse engineering lets the attacker understand and bypass business logic, disable security controls, pirate the source code and prepare for code tampering.
M10: Extraneous Functionality: Developers sometimes add hidden backdoors or disable security controls to make testing easier, without intending to ship them to production. If this extra functionality is accidentally released, attackers can find and exploit it.
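The M4 and M6 entries above describe the same mistake from two sides: the server accepts something the client chose (a device identifier, a role flag) as if it were proof. The following Python mock of a mobile backend, added here as an example and not part of the OWASP list or the original article, shows the insecure handler beside a hardened one. The header names, the `is_admin` flag, the sample user "alice" and her IMEI are all constructed for illustration; a real backend would be whatever server stack the app talks to, and the issued token would be stored on the device in the Keychain or Keystore.

```python
"""Insecure vs. hardened authentication (M4) and authorization (M6) on a
mock mobile backend. Added example, not from the original article. Header
names, request shape and the sample user are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000

# Constructed sample user: the IMEI of her phone (which M4 warns against
# using as a credential), a salted password hash, and her real role.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "imei": "490154203237518",
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, PBKDF2_ITERATIONS),
        "role": "user",
    }
}


def insecure_handle(request: dict) -> tuple:
    """M4 + M6 anti-pattern: the device identifier is the credential and the
    client's own is_admin flag decides authorization."""
    imei = request.get("X-Device-IMEI")
    user = next((u for u, rec in USERS.items() if rec["imei"] == imei), None)
    if user is None:
        return 401, "unknown device"
    if request.get("is_admin") == "true":        # trusted straight from the client
        return 200, f"admin panel for {user}"
    return 200, f"profile of {user}"


# --- Hardened version -------------------------------------------------------
SERVER_KEY = secrets.token_bytes(32)   # MAC key held only by the server
SESSIONS: dict = {}                    # token_id -> (username, expiry)


def login(username: str, password: str):
    """Verify the password and issue a random, server-signed session token."""
    rec = USERS.get(username)
    if rec is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return None
    token_id = secrets.token_hex(16)
    SESSIONS[token_id] = (username, time.time() + 3600)
    sig = hmac.new(SERVER_KEY, token_id.encode(), hashlib.sha256).hexdigest()
    return f"{token_id}.{sig}"


def _session_user(token):
    """Return the username bound to a valid, unexpired token, else None."""
    if not isinstance(token, str) or "." not in token:
        return None
    token_id, sig = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, token_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    entry = SESSIONS.get(token_id)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]


def secure_handle(request: dict) -> tuple:
    """Identity comes from the session; the role comes from the server's records."""
    user = _session_user(request.get("Authorization"))
    if user is None:
        return 401, "invalid or expired session"
    if request.get("is_admin") == "true":
        if USERS[user]["role"] != "admin":       # the client's claim is ignored
            return 403, "forbidden"
        return 200, f"admin panel for {user}"
    return 200, f"profile of {user}"


if __name__ == "__main__":
    # The attacker knows Alice's IMEI (it is not a secret) and simply asserts is_admin.
    forged = {"X-Device-IMEI": "490154203237518", "is_admin": "true"}
    print(insecure_handle(forged))                      # (200, 'admin panel for alice')
    print(secure_handle(forged))                        # (401, 'invalid or expired session')
    token = login("alice", "correct horse")
    print(secure_handle({"Authorization": token, "is_admin": "true"}))  # (403, 'forbidden')
    print(secure_handle({"Authorization": token}))      # (200, 'profile of alice')
```

The hardened handler never looks at anything the client could fabricate: the token's signature binds it to a login the server itself performed, and the role check reads the server's own user record rather than the request. Expiry and logout are handled by the `SESSIONS` table, so a stolen token has a bounded lifetime.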
The list above categorizes the most common vulnerabilities of mobile apps and can be used as a baseline for building security into your own. Mobile applications are becoming more common in the workplace, so it is critical that enterprises understand these weaknesses and apply security best practices to protect their applications.
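The M5 entry (and M1, which covers the platform keystore) is easiest to see with a concrete case: a PIN that the app stores "protected" by a fast hash. The Python below is an added example, not code from the article or from OWASP; it simulates the platform keystore with a byte string the attacker never obtains, and the PIN "7294" and the all-zero attacker key are constructed values. It shows that the wrong primitive (an unkeyed MD5) is broken by enumerating the whole four-digit space, while a MAC under a key that never leaves the keystore gives the offline attacker nothing to test guesses against.

```python
"""M5 (insufficient cryptography) on a stored PIN: fast unkeyed hash versus a
MAC keyed from the platform keystore. Added example, not from the original
article; the keystore is simulated by a random byte string the attacker lacks.
"""
import hashlib
import hmac
import secrets

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]   # every 4-digit PIN


def weak_protect(pin: str) -> str:
    """Anti-pattern: a fast, unkeyed hash is the wrong primitive for a
    low-entropy secret; anyone with the stored value can brute-force it."""
    return hashlib.md5(pin.encode()).hexdigest()


def keyed_protect(pin: str, keystore_key: bytes) -> str:
    """Hardened: MAC the PIN under a key held in the platform keystore
    (Android Keystore / iOS Keychain backed by the Secure Enclave), so the
    key is never present in the app's readable storage."""
    return hmac.new(keystore_key, pin.encode(), hashlib.sha256).hexdigest()


def offline_crack(stored: str, protect) -> tuple:
    """Attacker with a copy of the app's data tries every PIN with whatever
    `protect` function they reconstructed from the app (M9).
    Returns (recovered_pin_or_None, guesses_made)."""
    for n, guess in enumerate(PIN_SPACE, 1):
        if hmac.compare_digest(protect(guess), stored):
            return guess, n
    return None, len(PIN_SPACE)


def demo() -> tuple:
    real_pin = "7294"                                   # constructed

    # Weak scheme: the attacker knows the algorithm and needs nothing else.
    cracked_weak = offline_crack(weak_protect(real_pin), weak_protect)

    # Keyed scheme: the real key stays in the keystore; the attacker can only
    # plug in a guess for it (here a constructed all-zero key).
    keystore_key = secrets.token_bytes(32)
    stored = keyed_protect(real_pin, keystore_key)
    attacker_key = b"\x00" * 32
    cracked_keyed = offline_crack(stored, lambda p: keyed_protect(p, attacker_key))

    return cracked_weak, cracked_keyed


if __name__ == "__main__":
    weak, keyed = demo()
    print("MD5 PIN recovered:", weak)       # ('7294', 7295)
    print("keyed PIN recovered:", keyed)    # (None, 10000)
```

Note that switching the weak scheme to a salted, slow hash such as PBKDF2 would not rescue a four-digit PIN on its own: it only multiplies the attacker's cost by the iteration count, and ten thousand guesses times any practical iteration count is still within reach of an offline attacker. The fix for a low-entropy secret is to make the verification depend on a key the attacker cannot copy, which is exactly what the platform keystore is for.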
Mobile apps will keep on
Without a doubt, mobile application development will continue to dominate the technology market in the coming years. Users now spend more time in apps than on the desktop or mobile web. Mobile apps make an enterprise visible to its customers at all times and increase brand recognition.
All these benefits attract consumers, enterprises, small businesses and, of course, hackers, who are constantly hunting for new victims. We should not merely react and wait for the attacker to take the first step. As Sun Tzu put it in The Art of War, "Know thyself, know thy enemy. A thousand battles, a thousand victories." Don't wait to be the unfortunate victim in the headlines; start today. Inform yourself, know your enemy and prevent the threat.