Neal Michie
Sep 20, 2019

It’s easy to dismiss the need for security as “something I don’t have to worry about because nothing will happen to me” or it being “too much effort to implement.” We hear both statements frequently. The trouble is that they simply aren’t true.

There are many different categories of risk for mobile apps. Here I want to focus on “vulnerabilities.” Let’s start by defining what we mean by vulnerabilities.

First, a vulnerability is a bug. Commonly cited industry estimates put the number of bugs in an average mobile app somewhere between 750 and 2,500, so any app of real size ships with plenty of candidates.

Secondly, it is a bug that can be exploited to cause a security breach without tampering with or modifying the app. This distinction matters: because the exploit works against the unmodified app, an attacker can scale the attack to every install that contains the bug, rather than only to devices they have already compromised.

WhatsApp

A recent example is a high profile vulnerability in WhatsApp.

The attackers discovered a buffer overflow vulnerability in the WhatsApp VOIP stack (CVE-2019-3568) that allows remote code execution when a specially crafted series of SRTCP packets is sent to a target phone number. Simply placing a voice call to a vulnerable app was enough to execute code of the attacker's choosing on the device. Targets did not even have to answer the call, and the calls were often erased from the call log. WhatsApp had to ship a fixed version of the app quickly, and the fix only protects users once they install the update.
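The class of bug behind that advisory is worth seeing in code. The following is an added illustration, not WhatsApp's code (which is not public) and not a reconstruction of the actual flaw: a simplified parser for an RTCP-style packet whose 16-bit length field (a count of 32-bit words minus one, as RTP/RTCP headers carry it) is first trusted as-is, which is the overflow pattern, and then validated before anything is copied. The buffer size, function names and the three sample packets are constructed for the example.

```c
/* Added illustration: an RTCP-style header parser, first trusting the
 * packet's own length field (the overflow pattern) and then validating it.
 * Constants, names and packet bytes are constructed for this example;
 * none of this is WhatsApp code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RTCP_HDR_LEN 4
#define MAX_RTCP_BODY 256           /* assumed fixed-size destination buffer */

typedef struct {
    uint8_t pt;                     /* RTCP payload type (200 = Sender Report) */
    size_t  body_len;
    uint8_t body[MAX_RTCP_BODY];
} rtcp_msg;

/* RFC 3550 length field: 16-bit big-endian count of 32-bit words minus one,
 * covering header and body. Returns the body length the header claims. */
size_t rtcp_claimed_body_len(const uint8_t *pkt)
{
    uint16_t words = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return ((size_t)words + 1) * 4 - RTCP_HDR_LEN;
}

/* Vulnerable: copies whatever length the untrusted header claims.
 * A header with length 0xFFFF makes memcpy read far past pkt and write
 * 262140 bytes into a 256-byte buffer. Never call this on hostile input. */
int parse_rtcp_unchecked(const uint8_t *pkt, size_t pkt_len, rtcp_msg *out)
{
    if (pkt_len < RTCP_HDR_LEN) return -1;
    out->pt = pkt[1];
    out->body_len = rtcp_claimed_body_len(pkt);
    memcpy(out->body, pkt + RTCP_HDR_LEN, out->body_len);  /* BUG: no bound check */
    return 0;
}

/* Hardened: the claimed length must fit both what was actually received and
 * the destination buffer before a single byte is copied. */
int parse_rtcp_checked(const uint8_t *pkt, size_t pkt_len, rtcp_msg *out)
{
    if (pkt_len < RTCP_HDR_LEN) return -1;
    if ((pkt[0] >> 6) != 2) return -1;                 /* RTP/RTCP version must be 2 */
    size_t body_len = rtcp_claimed_body_len(pkt);
    if (body_len > pkt_len - RTCP_HDR_LEN) return -1;  /* header claims more than arrived */
    if (body_len > MAX_RTCP_BODY) return -1;           /* would overflow out->body */
    out->pt = pkt[1];
    out->body_len = body_len;
    memcpy(out->body, pkt + RTCP_HDR_LEN, body_len);
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[8]      = { 0x80, 200, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef }; /* length 1 -> 8 bytes */
static const uint8_t truncated_pkt[8] = { 0x80, 200, 0x00, 0x03, 0, 0, 0, 0 };             /* claims 16 bytes, 8 sent */
static const uint8_t huge_pkt[8]      = { 0x80, 200, 0xff, 0xff, 0, 0, 0, 0 };             /* claims 262144 bytes */

int main(void)
{
    rtcp_msg m;
    printf("good: %d (body %zu)\n", parse_rtcp_checked(good_pkt, sizeof good_pkt, &m), m.body_len);
    printf("truncated: %d\n", parse_rtcp_checked(truncated_pkt, sizeof truncated_pkt, &m));
    printf("huge: %d (claimed %zu bytes)\n", parse_rtcp_checked(huge_pkt, sizeof huge_pkt, &m),
           rtcp_claimed_body_len(huge_pkt));
    return 0;
}
```

The checked parser rejects the truncated packet because the header promises more bytes than were received, and the oversized one because the promised body would not fit the destination; both checks have to be made against the header field before it is used, since the whole point of the bug is that the field is attacker-controlled.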

Prevention

All indications are that WhatsApp takes testing, including security testing of its software, very seriously. That means peer review of code to keep it to a good standard. It means strong QA cycles to identify functional bugs. It very likely also means Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to scan for the type of vulnerability discussed above. There is no doubt these are good things to do. WhatsApp even had a comprehensive bug bounty program in place.

Despite all this, a serious vulnerability was still found in WhatsApp. That is not a criticism unique to WhatsApp. We use it as an example because it is high profile, but the same risk is present in every mobile app.

Practical Prevention

At Verimatrix we believe in “friendly security.” That means making security accessible to all app developers and making it easy to apply. This is important, as it allows them to get on with developing the next cool, ground-breaking feature.

So what practical steps can we take to stop vulnerabilities from being exploited? We can make it much harder for them to be discovered in the first place. No exploit starts with the attack itself; it starts with a learning phase in which the attacker reverse engineers the app to understand how it handles input and where it goes wrong.

The best barrier to reverse engineering (and therefore to discovering the vulnerabilities) is a set of techniques known as Application Shielding. It raises the cost of that learning phase rather than removing the underlying bug, so it sits alongside the review, testing and patching described above rather than replacing them. It consists of three parts:

  • Obfuscation – transforms the code so that decompiled output is hard to read and the control flow hard to follow;
  • Environmental checks (e.g. root/jailbreak and debugger detection) – the app refuses to run, or degrades, on devices an attacker has already taken control of;
  • Anti-tamper (integrity checks) – the app verifies its own code and resources at runtime, so it cannot be quietly patched, hooked or instrumented while an attacker pokes and prods at it.
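To make the second and third of those concrete, here is an added example (not Verimatrix's product code, and not from the original post) showing the mechanics of an environmental check and an integrity check on Linux/Android: a debugger check that parses the TracerPid field of /proc/self/status, a root check that looks for well-known su and Magisk paths, and an FNV-1a hash over a code region compared against an expected value. The path list, the sample status text and the stand-in "code region" bytes are constructed for the example; a real shield would hide these checks behind obfuscation and spread them through the app rather than exposing them as tidy functions.

```c
/* Added illustration of two shielding checks: an environmental check
 * (debugger present? root artefacts present?) and an integrity check
 * (hash of a code region). Linux/Android /proc layout is assumed; the
 * path list and sample values are examples, not product code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse the TracerPid line of /proc/self/status text. Returns the pid of
 * the tracer (0 = nobody is ptrace-attached) or -1 if the field is absent. */
long tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Live check: reads the real /proc/self/status; -1 where /proc is absent. */
long tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Count how many of the given paths exist. Root detection feeds this a
 * list of well-known su/Magisk locations. */
int count_present(const char *const *paths, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0) hits++;
    return hits;
}

/* Example list only; real shields use many more indicators than file paths. */
static const char *const root_paths[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/sbin/.magisk",
};

int looks_rooted(void)
{
    return count_present(root_paths, sizeof root_paths / sizeof root_paths[0]) > 0;
}

/* FNV-1a 32-bit over an arbitrary byte range: cheap enough to run often over
 * a function's bytes or a resource and compare with a value patched in after
 * the build (the expected hash cannot be computed before the binary is final). */
uint32_t fnv1a32(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t h = 0x811c9dc5u;          /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x01000193u;              /* FNV prime */
    }
    return h;
}

/* Integrity check: 1 if the region matches the expected hash, 0 if tampered. */
int region_intact(const void *region, size_t len, uint32_t expected)
{
    return fnv1a32(region, len) == expected;
}

int main(void)
{
    static const uint8_t code[] = { 0x55, 0x48, 0x89, 0xe5 };  /* constructed stand-in for a code region */
    uint32_t expected = fnv1a32(code, sizeof code);
    printf("TracerPid: %ld\n", tracer_pid());
    printf("rooted: %d\n", looks_rooted());
    printf("intact: %d\n", region_intact(code, sizeof code, expected));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, each check on its own is trivial to defeat once an attacker can patch the binary or hook the function (return 0 from tracer_pid and the debugger check is gone), which is exactly why the three parts of shielding are used together: obfuscation hides where the checks are, and the integrity check makes patching them out detectable. Second, the expected hash for an integrity check has to be computed over the final, signed build and written into the binary afterwards, since embedding it changes the bytes being hashed.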

To learn more about the risk to your mobile app, watch our presentation from Droidcon NYC, or schedule a meeting with our team at droidcon in San Francisco next week. 

To try out App Shielding for yourself, head over to protectmyapp.com. All you need is an app to protect, a work email address, and five minutes.