We recently sat down with Klaus Schenk, PhD, Head of Security and Threat Research, as well as Tom Powledge, Verimatrix’s new Head of Cybersecurity Business, to discuss the uniqueness of the company’s threat insights and proactive cybersecurity solutions for mobile app developers/publishers. With nearly 50 years of experience in the cybersecurity sector between them, both Schenk and Powledge point out the ever-growing dependence on mobile devices as well as the need to properly protect mobile apps, their users, and related enterprises. 

What Tom Powledge has to say

It’s exciting to have recently joined Verimatrix, as the company addresses what I consider a very underappreciated attack surface. When you think about what enterprises need to do to keep themselves secure, especially when consumers are doing high-value transactions online, mobile app security is often overlooked as a major problem. For example, when you’re on an unprotected mobile device, there’s a risk of attacks against these apps. Consumers are being defrauded and losing money from their bank accounts. So, this is a real opportunity to address a need that I think is underserved in the marketplace.

People often have the perception that apps are inherently safer than other digital tools because app attacks are simply more specialized. Phishing attacks and ransomware are the two main topics everyone talks about. Attackers are going after particular use cases in particular market verticals like financial services and automotive. Currently, the number and visibility of attacks on mobile apps are not as high, but the severity of such attacks, in terms of actual money loss to consumers, banks, and others, is significant. And in the future, we foresee threats increasing.

Another aspect to consider is how much we’re going to rely on our phones in the future. For instance, using a cellphone as a PIN for bank accounts/ATMs or how someone gets into their house. In the future, I can envision a scenario where I walk up to an ATM, and it already authenticates me, allowing me to withdraw money simply by being in such close proximity to the ATM itself. And we’re now also conducting more and more sensitive transactions on mobile devices in general. We’re continually seeing ever-emerging technologies that enable mobile apps to change lives and improve businesses. This is a tremendous opportunity and an area that must be protected properly.

Enterprises are looking to protect themselves and their connection to their mobile apps while also wanting to be sure they’re protecting their app users. Let’s take banks in Asia, for example, in Singapore. There are situations, on Android phones in particular, where people are scammed into downloading apps on their phones not off the Google Play store. Those apps have malware; they’re trojan horses. They are obtaining credentials for people’s bank accounts, and they’re allowing attackers to access people’s bank accounts and steal money. The banks usually compensate the customers, so the banks suffer financial losses. However, imagine being a consumer who suddenly can’t access their bank account. Imagine losing $30,000. Even if you get it back, that’s a huge concern and is actually happening in the real world today. 

There’s also intellectual property theft, which hurts an enterprise. For example, if someone can reverse engineer your mobile application, they could access your algorithms or credentials. I can then get a sense of what your intellectual property is, and the other part is a data breach. Then I can perhaps get unauthorized access to your network infrastructure and extract data. This leads to potential GDPR violations and data leakage issues. So the need for mobile app protection comes from several important angles.

Verimatrix provides real-time insights into the state of your applications in the wild. Is your app under attack? We’re creating visibility in areas where it traditionally didn’t exist. Essentially, we’re offering insights about how your enterprise and/or customers are at risk in ways they weren’t before, and we’re allowing you to take adaptive action that’s right for your business. 

To illustrate, if someone’s trying to steal intellectual property, our priority is to block and stop them immediately. We want to be proactive in identifying and halting such attacks. Our applications are configurable based on what the customer needs; thus, if a customer’s main concern is stopping attackers, our solution is tailored to lock down and stop the attacker effectively. We focus on preventing attackers from stealing intellectual property. I would describe our approach as having configurable, responsive actions based on what the customer needs. For instance, if there’s an attack in a banking situation, like someone trying to take money from an account, we can detect indications of an attack through a mobile phone. The user might not be aware, but we can intervene by restricting access and requiring them to call in. These are responsive actions tailored to the customer’s needs. And this is what makes Verimatrix stand out.

What Klaus Schenk, PhD, has to say

By developing VMX Labs, a Cyber Threat Advisory Service within Verimatrix, we’re consistently helping both our employees and prospective customers understand how criminals might attack in the future and improve their attack methods. One of VMX Labs’ contributions is analyzing attacks to anticipate future ones and mapping these insights to product development. This helps in protecting against and preventing future attacks, offering tangible benefits to enterprises that depend on us. 

Discovering new attack vectors and finding prevention methods also aids in producing insights for customers. Our customers are especially alert, so if we find a new attack vector and outline how we can prevent it, then of course, it’s helpful to all. It’s useful. Although we are not after the criminals themselves, we are on the cutting edge, or the frontier, of where cybersecurity is and where it’s going, creating a definite sense of excitement and helpfulness among our teams.  

We always welcome questions and inquiries from existing and prospective Verimatrix customers. Questions usually start with customer inquiries about specific attacks or even false positives and whether we can protect against them. We always aim to align our product features with the customer’s specific concerns and use cases, and it’s this very robust dialogue between us that helps further improve and build upon our solutions.

An example of this innovation surrounds our detection capabilities. I am really enthusiastic about our role in detection. It’s crucial for us to be at the forefront. Let’s take a banking app, for example. Banking apps would only connect to very specific banking services. Any connection that deviates from the norm warrants investigation. This approach puts Verimatrix in a unique position to detect supply chain attacks for these banks. We can identify malicious outgoing connections that others might miss. This is because, unlike generic platforms, we don’t rely solely on whitelisting. When you’re embedded in the device, you have broader monitoring capabilities. Both the research and product teams collaborate closely to tailor both protection and monitoring, offering much more than what generic platforms can provide.

We tend to attract customers in highly regulated industries or those dealing with sensitive transactions, intellectual property, and concerns about data leakage. These are areas where security is paramount. We’re reaching a point where there’s a growing awareness about the vulnerabilities associated with mobile phones as a platform for accessing sensitive resources. From the perspective of an enterprise CISO, protecting this mobile terrain is challenging. The realization that needs to be reached is that traditional methods aren’t sufficient for this kind of problem. The solution lies in the concept of in-app protection. Essentially, you need to embed the protection within the application itself to secure these environments effectively, especially in scenarios where you don’t have control over the external terrain. That’s where Verimatrix shines.

For information on Verimatrix XTD, our mobile app protection and monitoring product, or any of our other cybersecurity solutions, click here.