The average mobile device user has 20 apps installed on their phone, and almost 25% of mobile apps include at least one high-risk security flaw. This is not just an issue for end users. It’s a major problem for app developers, whose reputation, revenue, and business are on the line every time an app is attacked.
Why are mobile app vulnerabilities so common, and what can developers do to protect their apps from becoming the entry point for the next big security breach?
Common app security pitfalls to avoid
1. Depending on platforms & outside networks for protection
Unfortunately, the most common mistake made by developers when it comes to application security is assuming someone else has taken care of it. Many developers place all their trust in the platforms their apps run on rather than investing in their own security.
Platform security only gets you so far. Sandboxing, code signing and store review protect the device and other apps from your app; they do nothing to protect your app from whoever holds the device, and that person may be the attacker. They won’t prevent a security breach, keep your valuable IP from being stolen, or stop a hacker from analyzing and reverse-engineering your app. Aside from overestimating platform security, developers also often make the mistake of depending on network security (TLS, firewalls, API gateways) to keep hackers away from the data inside their apps, even though an app running on an attacker-controlled device sits outside that perimeter.
Teaching your app the art of self-defense is always a better bet than relying on outside sources for security.
2. Meeting minimum standards rather than following best practices
Historically, it has been easier for cyber criminals to get into corporate networks by attacking them directly, for example with ransomware, or by phishing staff. As companies catch on to these trends, spending and resources have flowed into network security while apps are left exposed and therefore vulnerable.
As the world becomes more connected and companies of every size in every sector begin developing their own mobile apps, this becomes an obvious new entry point for hackers.
While “going through the motions” and adhering to minimum security requirements was once enough to ward off mobile application attacks, this is no longer the case. As criminals home in on these attractive, often unprotected targets, developers must employ security-by-design to ensure that their apps aren’t sitting ducks.
When it comes to app security, the goal is to make it difficult, time-consuming, and expensive for criminals to break in. The more time and money hackers have to spend analyzing and attacking your app, the more likely they are to move on to the next until they find an easier target.
In short, the best practice is to never settle for mediocrity when it comes to app protection. The hackers’ mindset is to look for the best return on investment, and if it’s easier for them to break in somewhere else, they will.
3. Choosing clunky, laborious app security tools
Even security-minded developers can get caught in common pitfalls because it’s difficult to balance data protection with user experience (UX). Certain security features can feel clunky and detract from a user’s ability to navigate seamlessly through your app. Consider the frustration of a forgotten password, an untimely session expiration, or constant reCAPTCHA checks.
According to “The State of Mobile Enterprise Collaboration”, published by Harmon, “ease of use” is cited as the most important quality for mobile apps by 97% of users. This means that while it’s important to protect your app, it’s also paramount to consider UX.
The best security approach is one that offers ease of use both for the end user and your internal teams. Security maintenance and updates shouldn’t disrupt your roadmap, and security features shouldn’t hinder UX. The solution is frictionless, friendly security that is powerful yet invisible.
Mobile app security best practices
The last few years have brought an onslaught of security breaches by way of mobile apps. According to Verizon’s Mobile Security Index, 1 in 3 organizations suffered a security breach due to mobile devices in 2019 alone.
As the world becomes more connected and modern business is conducted increasingly through mobile apps, security is critical. Even the most trusted industries are at risk, and every mobile device is an attack surface.
Financial institutions, healthcare organizations, manufacturers, and the entertainment industry have all benefited from the ease of use and enhanced customer satisfaction that mobility allows. However, these trusted sectors have also seen the costly revenue and reputational damage that occurs as a result of mobile app vulnerabilities and inadequate security measures.
To enhance the security of your applications, follow this guideline to protect your apps and the sensitive data they handle:
- Take a holistic approach to mobile app security
- Implement security awareness and processes
- Use strong authentication
- Employ mobile payment tokenization & secure data storage
- Protect your code and secure APIs
Take a holistic approach to mobile app security
According to Gartner’s Market Guide for In-App Protection, securing applications that run within untrusted environments is crucial as mobile, IoT, and modern web applications migrate software logic to the client side.
Conducting business, collecting consumer data, and accepting payment in an untrusted environment leaves you wide open to attack, and there are several areas that must be addressed in order to close security gaps.
Having the right security processes in place is as important as having the right tools. Security always needs to be tackled from a holistic perspective; there’s no point in locking the door but leaving the window open.
Implement security awareness and processes
Rogue employees and insider threats can cause massive damage to a company, and in many instances, these security breaches can be avoided if the right processes are in place.
In 2019, Capital One, Trend Micro, and Desjardins Group all experienced security breaches attributed to rogue employees or insiders. Preventive measures include continuous monitoring, security awareness training, and least-privilege access controls so that no single employee can reach more data than their role requires.
Viewing application security as merely a back-end component is a costly mistake that comes with dire consequences. The right approach is one that makes security business-as-usual by spreading responsibility across your entire organization rather than letting your reputation, revenue, and data protection fall squarely on app developers’ shoulders.
This means creating security awareness programs that keep staff vigilant and train them to look out for specific threats. A proactive approach is key to mitigating risks and avoiding the consequences of a security breach. Not to mention, proactive security measures cost much less in the long run than reactive damage control.
Use strong authentication
Some of the biggest security breaches happen as a result of weak authentication. According to Verizon’s 2019 Data Breach Investigations Report, 80% of hacking-related breaches involved compromised or weak credentials.
Requiring strong alphanumeric passwords is good, but requiring a second, independent factor (something the user has, such as a device or hardware key, or something the user is) is better. Multi-factor authentication adds a barrier to entry: a stolen or guessed password alone is no longer enough to get into an app. However, it can also make it more difficult for genuine end users to enjoy their experience.
The best practice when it comes to strong authentication is to make it as difficult as possible for criminals but as easy as possible for consumers. This means balancing convenience and security. Since passwords are usually the weakest link and a costly driver of support calls, many organizations are choosing to remove password risk altogether by shifting to passwordless authentication, for example device-bound keys unlocked by biometrics.
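As an added example (not code from the original page or from Verimatrix), here is the second factor described above as a backend would check it: an RFC 6238 time-based one-time password (TOTP) implementation with a clock-skew window, a constant-time comparison, and a rule that each time step can only ever be consumed once. The secret is the RFC's own test key; the user database, enrollment flow and per-user rate limiter that a real deployment needs are assumed to exist around it.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side second-factor check for one user.

    Accepts the code for the current time step plus `window` steps on either
    side (clock skew), compares in constant time, and never accepts a time
    step at or before the last one that succeeded, so a code captured by
    phishing or shoulder-surfing cannot be replayed even while it is still
    inside the skew window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self._secret = secret
        self._step = step
        self._digits = digits
        self._window = window
        self._last_counter = -1  # highest time step already used for a successful login

    def verify(self, code: str, now: int) -> bool:
        # Reject malformed input before doing any crypto.
        if len(code) != self._digits or not code.isdigit():
            return False
        counter = now // self._step
        for delta in range(-self._window, self._window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter:
                continue  # this step was already consumed (or is older): replay
            expected = hotp(self._secret, candidate, self._digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = candidate
                return True
        return False


# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)  # "287082" per RFC 6238 Appendix B
    print(code, v.verify(code, 59), v.verify(code, 59))  # second attempt is a replay
```

The replay rule is the piece most home-grown implementations miss: without it, a code that was phished seconds ago remains valid for the rest of the window. Rate-limit `verify()` per user as well, since a six-digit code has only a million possibilities.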
Employ mobile payment tokenization & secure data storage
Card-on-file systems are big databases that merchants keep in order to save their customers the frustration of having to re-enter card details during every purchase. However, these databases pose an inherent risk.
Criminals love going after these concentrated stores of card data; perhaps the most notable incident was Target’s infamous security breach in 2013. Back then, the breach was unprecedented, but over time it proved to be the first of many that exposed massive weaknesses in how card data was stored.
As time has moved on, these database breaches have become commonplace. In order to secure data storage, it is now recommended to keep “tokens” rather than card numbers.
Tokenization services from the main payment card schemes replace a customer’s primary account number (PAN) with a token that is useless on its own. Tokens are pseudo-card numbers: they look and feel like card numbers (same length and format, so existing systems can store them), but the scheme binds each one to rules, known as domain restrictions, that limit where and how it may be used.
In practice this means a token can only be used for a limited set of transactions, in this case by the merchant that stored it, and often only through a particular channel. Unlike a raw card number, a token lifted from a merchant’s database cannot be used for purchases elsewhere, and the real PAN never leaves the scheme’s token vault. Tokenization therefore means that even if a merchant’s servers are breached, consumers’ card numbers are not exposed.
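The token scheme above, reduced to a runnable sketch (an added example, not Verimatrix code or any real scheme’s API): a token vault stands in for the card scheme’s token service provider, one merchant stores a token instead of the PAN, and a second merchant plays the attacker who dumped the first one’s database. The 9-prefixed token range, the merchant identifiers and the test PAN are all constructed for the example; real tokens come from scheme-issued BIN ranges, and the vault lives with the scheme, not the merchant.

```python
import secrets
from dataclasses import dataclass, field


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Stand-in for the card scheme's token service provider: the only place
    the real PAN exists once a card has been tokenized."""

    TOKEN_PREFIX = "9"  # assumption: made-up range; real tokens use scheme-issued BINs

    def __init__(self):
        self._vault = {}  # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            body = self.TOKEN_PREFIX + "".join(secrets.choice("0123456789") for _ in range(14))
            token = body + luhn_check_digit(body)  # looks and validates like a card number
            if token not in self._vault and token != pan:
                break
        self._vault[token] = (pan, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount_cents: int) -> bool:
        """Domain restriction: a token only works for the merchant it was issued to."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id or amount_cents <= 0:
            return False
        _pan, _ = entry  # here the real PAN would be forwarded to the issuer
        return True


@dataclass
class Merchant:
    merchant_id: str
    card_on_file: dict = field(default_factory=dict)  # customer -> {token, last4}

    def save_card(self, vault: TokenVault, customer: str, pan: str) -> None:
        token = vault.tokenize(pan, self.merchant_id)
        # Only the token and the last four digits are kept; the PAN is discarded.
        self.card_on_file[customer] = {"token": token, "last4": pan[-4:]}

    def charge(self, vault: TokenVault, customer: str, amount_cents: int) -> bool:
        return vault.authorize(self.card_on_file[customer]["token"], self.merchant_id, amount_cents)


def breach_demo() -> dict:
    """Tokenize a constructed test PAN at one merchant, then act as an attacker
    who dumped that merchant's database and tries the token elsewhere."""
    vault = TokenVault()
    shop = Merchant("merchant-shop")
    other = Merchant("merchant-other")
    test_pan = "4111111111111111"  # constructed: the well-known Visa test number
    shop.save_card(vault, "alice", test_pan)
    stolen = shop.card_on_file["alice"]["token"]
    return {
        "pan_in_dump": test_pan in repr(shop.card_on_file),
        "token_looks_like_card": len(stolen) == 16 and luhn_valid(stolen),
        "works_at_shop": shop.charge(vault, "alice", 1999),
        "works_for_attacker": vault.authorize(stolen, other.merchant_id, 1999),
    }


if __name__ == "__main__":
    print(breach_demo())
```

The same shape applies to any "card on file" data: what the merchant keeps must be worthless outside the merchant’s own relationship with the vault, so that a database dump yields tokens and last-four digits, not cards.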
Protect your code and secure APIs
If an app’s code is not properly hardened, hackers can decompile the application, find its weaknesses, and build an attack. Proper code protection makes it far harder for the mobile app itself to become the attack vector.
An attacker’s first order of business when it comes to hacking a mobile app is to learn how the app talks to the organization’s backend servers through its API. Without code protection and API security, an attacker can reverse engineer the app, recover its endpoints, message formats and any embedded secrets, and then craft their own messages to the backend: replaying, modifying or forging requests the app was never meant to send. Those messages are the heart of a security breach.
Code protection and secure APIs keep the entry point to backend servers secure and keep consumers’ all-important personal data safe.
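An added example (not the page’s or Verimatrix’s code) of the countermeasure the section implies: the app signs every request with an HMAC over method, path, timestamp, nonce and body hash, and the backend rejects anything stale, replayed or altered. The paths, header names and key are assumptions. The final case is the caveat that ties API security back to code protection: once an attacker has pulled the signing key out of an unprotected binary, their forged request is indistinguishable from a genuine one.

```python
import hashlib
import hmac
import json
import secrets


def canonical_request(method: str, path: str, timestamp: str, nonce: str, body: bytes) -> bytes:
    """Everything the signature covers. Hashing the body keeps the string bounded."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode()


class RequestSigner:
    """Runs inside the mobile app. The key is the weak point: in an unprotected
    binary an attacker lifts it in minutes, which is why signing is paired with
    obfuscation and whitebox cryptography rather than used on its own."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, method: str, path: str, body: bytes, now: int) -> dict:
        timestamp = str(now)
        nonce = secrets.token_hex(16)  # fresh per request; the backend remembers it
        mac = hmac.new(self._key, canonical_request(method, path, timestamp, nonce, body),
                       hashlib.sha256).hexdigest()
        return {"X-Timestamp": timestamp, "X-Nonce": nonce, "X-Signature": mac}


class RequestVerifier:
    """Runs on the backend in front of the business logic."""

    def __init__(self, key: bytes, max_skew_seconds: int = 300):
        self._key = key
        self._max_skew = max_skew_seconds
        self._seen_nonces = set()  # production: a store that expires entries after max_skew

    def verify(self, method: str, path: str, body: bytes, headers: dict, now: int) -> tuple:
        try:
            timestamp = headers["X-Timestamp"]
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
            sent_at = int(timestamp)
        except (KeyError, ValueError):
            return False, "missing or malformed headers"
        if abs(now - sent_at) > self._max_skew:
            return False, "stale"
        if nonce in self._seen_nonces:
            return False, "replay"
        expected = hmac.new(self._key, canonical_request(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self._seen_nonces.add(nonce)  # only record nonces of requests that passed
        return True, "ok"


def demo() -> dict:
    """Constructed exchange: one genuine transfer, then the attacks from the text."""
    key = secrets.token_bytes(32)  # assumption: shared between app build and backend
    app = RequestSigner(key)
    backend = RequestVerifier(key)
    now = 1_700_000_000
    path = "/v1/transfer"  # assumed endpoint
    body = json.dumps({"to": "acct-42", "amount_cents": 1000}).encode()
    forged = json.dumps({"to": "acct-42", "amount_cents": 1_000_000}).encode()
    headers = app.sign("POST", path, body, now)
    results = {}
    # Attacker keeps the captured headers but edits the body: signature no longer matches.
    results["tampered_body"] = backend.verify("POST", path, forged, headers, now)
    results["genuine"] = backend.verify("POST", path, body, headers, now)
    # Re-sending the captured request verbatim: nonce already consumed.
    results["replayed"] = backend.verify("POST", path, body, headers, now + 5)
    # Attacker guesses a key: signature fails.
    results["wrong_key"] = RequestVerifier(secrets.token_bytes(32)).verify("POST", path, body, headers, now)
    # A validly signed request held back for an hour: outside the skew window.
    results["stale"] = backend.verify("POST", path, body, app.sign("POST", path, body, now - 3600), now)
    # The caveat: with the key extracted from the binary, the attacker signs whatever they like.
    results["attacker_with_extracted_key"] = backend.verify(
        "POST", path, forged, RequestSigner(key).sign("POST", path, forged, now), now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

Request signing raises the bar against casual tampering and replay, but it is only as strong as the secrecy of the key on the device. That is the reason the page pairs secure APIs with code protection, environmental checks and whitebox cryptography: the backend can only trust a signature if the signer was not trivially cloned.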
Understanding the hacker’s mindset
If you understand your adversary, you are halfway to defeating them, or so the saying goes.
That’s why, at an Android developers’ conference, the excellent Droidcon San Francisco, we decided to turn things around slightly. Rather than demonstrating how soft mobile apps are to reverse engineering or diving into the technical and business risks, we wanted to get inside the mind of the hacker.
The best place to start is the hacker’s motivation, which typically falls into one of four groups:
The academic is always trying to prove a point. They aren’t after a monetary reward. Instead, they’re after the kudos of a job well done. Academic research follows three steps:
- Ask a question.
- Theorize an answer to the question.
- Experiment to prove or disprove the theory.
When it comes to user security, a typical question is, “Can I access personal data?” Given that mobile apps are generally soft, the theory is often “yes, through the mobile app.” The academic will then set out to reverse engineer the app to prove that the theory is correct.
While an academic’s motivation is not malicious, they will publish their research. This can be embarrassing for the companies that have been attacked. And it can be doubly so, as the mainstream media trusts academic research, which often makes for a credible news story.
The criminal is after a return on investment. Simply put, they are looking to make money. That means they are after an attack that can scale, and they are willing to invest their time and energy to find an attack that can scale.
The return may come through using the mobile app to commit fraud, such as in the 7-Eleven attack in Japan last year, where criminals used weaknesses in the mobile app to steal money from customer accounts.
More often, it is lifting personal data—credit cards or health data being the most valuable.
The intelligence services are always looking for new information to keep their citizens safe. As a notable attack on WhatsApp showed, getting access to the communications of people of interest is highly valuable.
Modern communication is usually encrypted. Therefore, it is often easier to go after the communication before it enters the encrypted channel than to try to break the channel itself. In security terminology, this is a man-at-the-end attack rather than a man-in-the-middle attack: the target is an endpoint, not the link between endpoints.
With a soft mobile app, this is certainly the case. By using a vulnerability within a mobile app, it is often possible to insert a wiretap, siphoning out interesting communication before it has been encrypted, all without the user’s knowledge.
The freeloader is after something for nothing. These are the modern equivalents of high school kids who would copy a friend’s CD onto a cassette.
In the modern age of streaming video and free-to-play video games, freeloading takes on a different form. It involves hacking the mobile app to remove the ads that are funding the service or using your parent’s password to log into the streaming service.
The challenge that service providers have is that an attack isn’t limited to one user. Once an attacker has created a freeloading version of an app, they will be a “good Samaritan” and publish the app to a third-party app store, thus allowing anyone to benefit from the attack.
Once you understand the hacker’s motivation, you can start to identify the assets they will be after in your mobile app. After you’ve identified what is at risk, you can take simple, practical steps to defend against the attacker, such as using Code Protection to make your app difficult to reverse engineer, Whitebox Cryptography to protect the keys and data held within the app, or strong authentication to stop password sharing.
To learn more about the hacker’s mindset, watch our full presentation from Droidcon San Francisco.
Outsourcing app security vs building app security technologies in-house
In the past, companies have generally favored building in-house app security for a number of reasons. Prior to the availability of outsourcing and cloud-based solutions, development teams were forced to build and customize their systems in-house.
Even as app security outsourcing services became available, many companies continued to favor on-premise, in-house solutions. Here are the reasons why (along with their drawbacks):
Full control of sensitive data
Perhaps one of the biggest benefits of in-house app security is the ability for companies to remain in sole possession of highly regulated and sensitive data rather than entrusting it to a third party.
However, trusted security vendors often have methods to ensure that their customers remain in control of their own data. For example, a solution that offers on-premise tools enables organizations to maintain control over their application security so that no data inadvertently passes out of their environment.
If your own in-house team develops your application security technology, there is no need to negotiate with a vendor for customization. This offers full flexibility and app security that will truly meet every need.
While customization offers exactly what you want and need, this comes at a cost. If and when the employees who built it depart, a customized system can be left orphaned: undocumented, unmaintained, or not fully understood by anyone still on staff.
Chances are, the people who know the layout and operations of your data flows are those who created the architecture in the first place. Your team intrinsically understands your network and security needs.
However, many fintech and banking companies employ a mix of in-house personnel and outsourced security experts. Your team can focus on nuanced organization-specific issues, while an outsourced team covers a plethora of other threats.
The benefits of outsourcing app security
As technology advances, the challenges of building in-house application security technologies become greater. It might be wise to consider outsourcing app security:
- Scalable: An experienced security firm can assess and understand your needs, risks, and vulnerabilities and offer a scalable solution that is built to adapt to the changing needs of your business, which include more users, more power, higher network traffic, and changes in hardware.
- Cost-effective: Save on the increasing costs of equipment, staff, and training.
- Tech-ready: Third-party security companies keep track of new types of security breaches, and they are continually immersed in cybersecurity issues and how to manage them.
- Guaranteed 24/7 support: Security breaches often happen outside normal business hours, so 24/7 monitoring and immediate response times are critical; a provider with a round-the-clock security operations center (SOC) has people on standby to assist.
- Easy implementation: An outsourced solution comes with expert configuration and deployment; a trusted third-party app security vendor relieves your team of complex security work, ideally with an implementation that requires no changes to your code.
Outsourcing app security has proven to be a cost-effective defense against cybercrime and is essential for preparing for and handling unexpected events that can cost companies money, impact customers, and lead to productivity issues. A one-stop outsourced app security provider will include a number of comprehensive tools and a strategic, phased approach.
The value of a proven application shielding solution
In the process of selecting a credible third-party security provider like Verimatrix for your Application Shielding solution, it is important to understand what such a solution should look like.
A credible company offers multiple layers of application security through a strategic approach that is comprised of the following:
- Protects data and intellectual property: Find a security organization that supports large-scale data-sensitive industries such as finance, healthcare, and banking to protect data and intellectual property from cyberattacks.
- Meets security and compliance requirements: Ensure the security company you select is versed in security and compliance requirements and offers automated, intelligent solutions for app secrets, cryptographic keys, and to protect your brand image.
- Aligns with your app deployment timeline: Locate an app security vendor that is equipped with a toolkit that ensures enterprise-level app security, empowers development and engineering teams to safeguard apps, and aligns with your app deployment timeline.
Ensure the app security solution you select offers trusted capabilities that:
- Require minimal code changes
- Offer code obfuscation to counter static analysis, using control-flow and arithmetic/symbol obfuscation together with string and section encryption
- Provide environmental checks that let you trust your code is executing where you want it to, not where attackers want it to
- Include anti-tamper technology that builds a comprehensive “check network” of integrity checks so protections cannot be lifted from your app
- Support mobile, desktop and IoT platforms (iOS and Android, desktop and embedded Linux, Windows and macOS)
- Integrate out of the box with major development environments such as Xcode, Android Studio, and Visual Studio
- Detect jailbroken and rooted devices so the app can recognize a compromised device and respond as planned
- Hinder reverse engineering through automated protection checks rather than one-off manual work
- Use intelligent, automated build-time tooling that removes human error from complex build processes and delivers a trustworthy app
The challenges of building in-house app security are increasing
As the world migrates to a primarily app-based environment, app security has risen to become a top-ranking challenge for enterprise companies and developers alike.
Online banking and fintech apps are some of the most vulnerable—startups and incumbent financial institutions alike are weighing the pros and cons of outsourcing app security versus building in-house technologies.
If you’re in the early stages of deciding on your approach, our eBook titled “Essential Planning Guide for Securing Financial Applications” offers resources to guide fintechs and banks through the decision-making process.