Mobile devices have become more popular than desktops and laptops. Not only are they easy to carry, but technological advancements have also enabled them to perform nearly similar functions as desktops do. According to Techjury.net, over the course of the last one year, mobile users have increased by over 10 percent and nearly 51 percent of the time spent by users online in the USA is on mobile devices.
Users engage in nearly all activities on mobile devices, right from watching the news to checking emails, instant messaging, purchasing items online, and doing bank transactions. Through these apps, businesses can gather usable information, such as the location, usage statistics, phone number, likes, dislikes, and other meaningful metrics about users, which can help businesses make precise decisions to improve their services. If the data in these mobile devices go in the wrong hands, it can be harmful for the user.
Thus, the need for mobile app security has become inevitable.
What is Mobile App Security?
Mobile app security is a measure to secure applications from external threats like malware and other digital frauds that risk critical personal and financial information from hackers.
Mobile app security has become equally important in today’s world. A breach in mobile security can not only give hackers access to the user’s personal life in real-time but also disclose data like their current location, banking information, personal information, and much more.
Impact of Weak Mobile App Security
According to recent surveys conducted by IBM, 33 percent of organizations never test their mobile apps. More shocking is the fact that 40 percent of the enterprises, which include the Fortune 500 companies, never protect their customers for whom they develop mobile apps. The study also finds that only 50 percent of the organizations have dedicated resources for testing mobile apps for security issues.
Driven by a variety of impulses to attack apps, hackers try to leverage any or all of the following things from unsecured codes:
Hackers gain login credentials of any website or device; for example, email, banking, social networking websites, etc. Anubis banking Trojan is a notorious example in this category, which enters the user’s device by downloading compromised apps, some of which are even hosted on the official app stores of Android. Once a device is infected, the Trojan forces it to send and receive SMSes, read contact lists, request permission to access device location, allow push notifications, and determine the IP address of the mobile connection.
Access personal data, such as name, secret security number, address, location data, pictures, or videos. In May 2019, WhatsApp acknowledged that its app was vulnerable to spyware from an Israeli firm NSO group that could infect a mobile device simply by calling a user on WhatsApp from an unknown number. The user’s device could be compromised even if the user did not accept the call. Once infected, the spyware could send almost all data ₋ including contact lists, GPS information, media files, etc from the device to the hacker’s server.
Hackers can gain credit and debit card numbers to make bank transactions, particularly in cases where a one-time password is not required. In November 2019, Trend Micro discovered a banking Trojan called Ginp, which could steal user credentials and credit card information from a user’s device. Its ability to take control of the SMS feature of the device allows it to manipulate banking functions. Its code was found to be manipulating 24 apps of Spanish banks.
Hackers gain code base of the app to illegally create its clones or simply steal the intellectual property of the company that owns the app. The more successful an app is the more number of clones it is likely to attract on app stores. For example, Fortnite and PUBG Mobile became popular and were not available on Google Play store, but many cloning soon became available because of their high popularity, so much so that at one point Google had to warn its users that the official Fortnite was not available at Google Play.
It is possible to access premium features of apps, especially in utility and gaming apps, which are a source of revenue for the owner of the app. In 2016, the mobile security company Bluebox revealed how hackers were able to access the premium features of popular apps Hulu and Tinder by exploiting security holes in them and causing losses to their owners. At that time, Hulu’s monthly subscriptions were selling at $7.99 a month for its OTT streaming service.
Apart from losing crucial user data, the loss can come in the form of both misuses of user information as well as lawsuits from affected parties. While the positive of undertaking security drills is that customers stay loyal and trust the brand, the negative is the loss of customers’ confidence forever. Companies should realize that at the center of their business lies the confidence of their customers in their brand. Thus, the rationale for app development should rightfully consider this aspect of the business.
Loopholes in Mobile App Security
Exploitation through apps has become a common way for hackers to illegally access insecure devices. Mobile apps are not designed to serve as anti-viruses or to transmit data securely over the internet. Rather they focus on a smooth interface and provide the best functionality to users. Similarly installing an antivirus app may secure the network and prevent attacks on a device, but it cannot provide protection against weak passwords or a poorly designed app.
Risks may arrive in mobile devices from any layer, like the network layer, where data can be intercepted over Wi-Fi or GSM if it is not encrypted. In the hardware layer, memory corruption defects can expose sensitive data. Similarly, operating system weaknesses in kernels and jailbreaks are used to exploit devices.
Most of these security lapses are documented by industry experts under the aegis of The Open Web Application Security Project (OWASP) for reference for developers. Its popular list OWASP Mobile Top 10 comprehensively builds on the pooled knowledge of industry experts about the present and developing attack vectors on mobile devices. You can read a detailed article about the Top 10 mobile risks and how to secure devices and apps against them here.
Android App Security Risks
Android apps are developed in Java with an integrated development environment (IDE) like Eclipse. These Java apps can be reversed with various tools available on the internet. With Android, the bytecode can be altered and packed again in the form of APK files. Reversing Android apps can easily provide test login credentials, insights into bad design, details about the libraries and classes used. It can also provide details about the type of encryption used in the app. This can help the attacker is not only hacking one device but multiple devices using the same decryption method.
Insecure Platform Usage
Android OS and apps become vulnerable to the OWASP Mobile Top 10 risks when app developers ignore the best practices published by Google to communicate with its mobile OS, particularly through unsecured Android intents and platform permissions. For example, when the developer does not secure exported services or issues a wrong flag to an API call, their app stands exposed to hackers. Hackers tend to snoop on Android devices to receive BroadcastReceiver instances which are meant for legitimate apps. Developers tend to ignore the use of LocalBroadcastManager to send and receive messages for legitimate apps, thus creating security lacunae.
Many Android developers do not update their apps regularly or pay heed to the OS patches issued by Android, which results in a lack of protection against newly found vulnerabilities. Updates cover the latest security patches and ignoring the same can expose applications to the latest security risks.
The Android OS lets users root their devices using third-party apps with some warning issued to them. However, not every user understands that their rooted device exposes it to manipulation from hackers and malware. For developers, it, thus, becomes essential either not to allow their app to run in a rooted environment or issue regular warnings to users.
iOS App Security Risks
Unlike Android, Apple iOS operating system strictly enforces security features and is a closed operating system. Apps cannot communicate with other apps or directly access the directories or data of other apps. iOS apps are developed in native Objective C language with tools like Xcode. It is based on the same ARM version of XNU kernel as that of OSX, which is used in Apple’s laptops and Mac computers.
Jailbreaking is a popular term used in the context of Apple devices. It involves finding an exploit in the kernel that allows users to run unsigned code on mobile devices. Jailbreaking is tethered, which means that every time a user reboots their phone, it should be connected to a laptop or run a jailbroken code. While untethered jailbreak means that the code will remain on the phone even after a reboot.
iOS offers device-level security through Face ID and Touch ID and claims that they are secure because they use a processor separate from the rest of the OS. It is called the Secure Enclave, which runs on a dedicated microkernel. However, hackers have shown that Touch ID can be compromised, most notably with a device called GrayKey, which makes brute-forcing the passcode guessing easy by doing away with the need to wait between attempts at guessing. When app developers use the Touch ID system to protect data or services within their apps, they are also exposed to this type of vulnerability.
Insecure Data Storage
Most apps store data in SQL databases, cookies, binary data stores, or even as common text. These storage locations can be accessed by hackers when the operating system, framework, or compiler is vulnerable. Also, jailbreaking devices lead to data exposure. When hackers gain access to the database, they modify the app and collect the information on their machines. Jailbroken devices expose even the most sophisticated encryption algorithms.
Security experts have also found that insecure data storage is one of the most common vulnerabilities in iOS devices, which hackers exploit to steal passwords, financial information, and personal data or users.
Common Application Risks
Lack of encryption
Encryption is a method of transporting data in ciphered code which cannot be viewed without matching it with a secret key. According to data by Symantec, nearly 13.4 percent of consumer devices and 10.5 percent of enterprise devices do not have encryption enabled, which can easily expose sensitive data as plain text. Using high-level data encryption ensures that the app cannot be easily cracked.
Possibility for reverse engineering
If a hacker gets their hands on the code of an app, they can easily cause a threat to users. The amount of metadata provided in code for debugging helps attackers to understand the apps working and reverse engineer it to reveal how the app works at the level of programing language. Hackers can then expose the encryption algorithms and modify the code at their will.
Malicious code injection
It is a general term where an attacker puts a binary file containing malicious code on a local file system in the mobile device and then executes it to gain control over the device. This can be done with the help of a malicious SMS or forcing the user to click on malicious links. This way, hackers can put malicious code even in legitimate folders or within installer files and execute it at will, thus compromising the device security. Binary planting can lead to reverse engineering as well, where attackers try to deconstruct the code of an app and gain access to the core code. Once the code is revealed, hackers can manipulate it to find the vulnerabilities and exploit it for further malicious action.
They are a type of bots that run on IRC networks created with the help of Trojans. When an infected device connects to the internet, it starts to work as a client and sends information to a server. Mobile botnets aim to gain complete control over the device and can be used to send emails and text messages, make phone calls, and access personal data, like photos and contact lists.
Mobile App Security Best Practices
The best practices of mobile app security ensure that the app is risk-free and does not disclose the personal information of the user. It is important for the developer to ensure that all security checks are performed before the app is uploaded on an app store for public consumption. The developer should consider the following methods to ensure that their consumer and business apps are not prone to unauthorized access by unscrupulous elements.
Enhance Data Security
Data security policy and guidelines should be established to ensure the users can easily avoid getting caught in the trap of hackers. This can include having well-implemented data encryption when the information is transferred between devices and using firewalls and security tools whenever necessary.
Not Saving Passwords
Many apps request users to save the password in order to prevent them from repeatedly entering the login credentials. This is an unsafe practice. In an event of mobile theft, these passwords can be harvested to gain access to personal information. Similarly, if the password is saved in an unencrypted format, the chances of them being harvested are very high. To prevent this from happening, developers should refrain from saving passwords on mobile devices. Instead, they should be saved on the app server, so that the affected users can change them by logging on to the server even if the mobile device is missing.
Enforce Session Logout
It is often seen that users forget to log out of the website or app they are using. If it is a banking app or any other payment app, this can be harmful. For this reason, payment apps tend to end the session of a user after a certain period of inactivity or on every logout for increased safety. Developers must enforce a session logout on all business and consumer-centric apps, even if they expect their users to be highly literate.
Use Security Services
No matter how experienced an internal security team is, an external point of view on the apps can give a different perspective. There are several security companies and apps which can be deployed in identifying the loopholes and reduce the chances of getting compromised. Companies should encourage their development teams to get the security features of their apps assessed by third-party service providers.
Apply Multi-Factor Authentication
Multi-Factor Authentication adds an extra layer of security when a user logs into an app. The multifactor authentication method also covers up for weak passwords which can be easily guessed by hackers and compromise the security of an app. The multifactor authentication provides a secret code that must be entered along with the password to log into a device or app. This code is either sent through SMS, email, Google Authenticator or biometric methods. Not enforcing multi-factor authentication on the app can allow hackers to guess weak passwords.
Penetration testing is done to check known vulnerabilities in an app. It aims to find potential weaknesses that an attacker might use and compromise the security of the final application. It involves checking weak password policy, unencrypted data, permissions to third-party apps, no password expiry protocol, etc. By recreating the acts of a potential hacker, the security team determines if there is any weakness in the app. It is recommended that penetration testing is performed regularly to keep the app secure. White box testing and black box testing are other types of penetration testing measures that can be undertaken to check for security issues.
Prevent Usage of Personal Devices
To prevent the overhead cost of buying systems, many companies prefer to ask their employees to bring their own laptops or smart devices for development. This may open the network to a ton of infections that may have been gathered on an employee’s device. Malware and Trojans travel from one device to another in this manner. Hence, it is important to have a security policy in place and prevent such practices. Each device connecting to an office network should be scanned thoroughly with firewall, antivirus, and anti-spam software or should not be allowed to connect at all.
Use Third-Party Libraries with Precaution
Using third-party libraries may reduce the amount of coding done by the developer and ease the application development process. But, it can be a risky proposition. For example, the GNU C library had a security flaw that allowed buffer overflow, which hackers could exploit to remotely execute a malicious code and crash a device. It lasted for eight years before the open-source community that contributes to the GNU Project released a fix in 2016*. Therefore, developers should limit the use of the number of libraries and create a policy for handling libraries in order to secure apps from attacks.
Restrict User Privileges
The more privileges a user is given the more are the chances of getting the security of an app jeopardized. If the user with a high number of privileges is hacked, hackers can do an unimaginable level of damage to the app. Similarly, an app should also not ask for privileges on a device for functions it does not require: for example, privileges to read SMS, DCIM folder, etc.
Sessions on mobile devices last much longer in comparison to desktops. This increases the server load. Using tokens instead of device identifiers to make a session is a more secure option. Tokens can be revoked whenever needed and are more secure in case of a lost or a stolen device. Developers should also consider session expiration as an option. Enabling remote wiping of data for lost and stolen devices is also a good safety option to keep in the app.
Manage Keys Securely
Key management is crucial for encryption. Hard coding keys are harmful to the app’s security and should be avoided by developers. If someone steals the key, they can easily gain control of the device. Keys should be stored in a safe container and usually not on the user’s device. Some of the popularly used cryptographic protocols for this purpose are MD5 hash and SHA1. Developers should use the latest encryption standards and APIs, such as 256-bit encryption with SHA-256 hashing.
Test Apps Periodically
Securing a mobile app is not a one-time process. New threats emerge each day and updates to patch these threats are needed before they can cause any damage to the user’s device. Breaches like the spread of ransomware WannaCry and NotPetya, which encrypted users’ Windows devices and demanded a ransom in bitcoins, in 2016 and 2017 caused enough alarm in the developer community for them to take cybersecurity seriously. Though this ransomware largely affected desktops, the swiftness and effectiveness of their spread show the need for periodic testing of apps, as new threats are always round the corner.
Ensure HTTPS Communication
It stands for Hypertext Transfer Protocol Secure and is contrasted with HTTP communication. HTTPS offers the security of data when it is transmitted over a network. The communication protocol is encrypted by Transport Layer Security (TLS). TLS and Secure Socket Layer (SSL) are cryptographic protocols that ensure data privacy over various communication channels. On the other hand, HTTP data is unencrypted, unvalidated, and unverifiable, which allows hackers to spy on user content. Developers must ensure a valid SSL certificate on the server to which the app is connected and send data between the app and the server only using the HTTPS protocol.
The cache is a software component that saves the data temporarily on the user’s device. This is used to prevent the delay of data retrieval. Hackers can easily access data stored in cache if it is not encrypted. At times the app does not remove its data after a session ends, and the cache does not expire. If these cache files get into the wrong hands, hackers can manipulate it to access user data or the server.
Apply RASP Security
It stands for runtime application self-protection, which protects an app against runtime attacks by providing more visibility into hidden vulnerabilities. It is security software that integrates with the app or its runtime environment and constantly intercepts calls made to the app from possible attackers. The RASP layer proactively analyzes the incoming traffic and prevents fraudulent calls from executing inside the app. All incoming requests are vetted through the RASP layer sitting between the application and the server. You can check our post on RASP to know more about it.
One of the best ways to protect an app from hackers is to employ code obfuscation techniques. It is an act of creating a code that is difficult for hackers to understand. This technique has become popular and is used to conceal code from attacks. Obfuscators are used to automatically convert programming code into a format that cannot be understood by humans. Code obfuscation includes:
- Encrypting some or the entire code
- Removing metadata which may reveal information about the libraries or APIs used
- Renaming classes and variables so they cannot be guessed
Code is obfuscated to prevent data and property from hackers who may reverse-engineer code using software programs. In Apple’s iOS, this technique is not so widespread as its libraries are closed. On the other hand, Android has open-source libraries. Hence, it is essential for Android developers to obfuscate code.
Free Tools for App Security Testing
Mobile app developers should intuitively know that as their apps gather importance in the devices of users, hackers begin to get interested as well. As described above, hackers try to exploit vulnerabilities in apps or devices using the manual as well as automated tools. Therefore, it is important for developers to test their apps thoroughly before they are uploaded to app stores. Thankfully, there are multiple free tools available – commonly called application security testing or AST tools – which can help developers in ensuring foolproof security. AST tools automate the process of testing, as reviewing codes manually even against traditional threats takes time, whereas keeping a track of emerging threats introduces a different level of complexity. Therefore, developers should consider using some of the following tools for extra security and saving time:
Android Debug Bridge
As the name suggests, ADB is meant for analyzing Android apps and is offered as part of the Android SDK Platform-Tools package. It has three components, namely a client, a daemon, and a server. The client sends commands and can run on a development machine or a real mobile device and be invoked through a terminal. The daemon runs commands on the device as background processes. The server runs on the development machine and manages communication on the client. ADB allows real-time monitoring of system events on the device through USB, Wi-Fi, Bluetooth, or any of the other networking protocols. ADB gives developers the advantage of testing an app either on an emulator or a real device.
Quick Android Review Kit
QARK is an important community-supported (backed by Apache License) tool to analyze the source code or packaged APK file of an app. The developer can check security vulnerabilities in the source by running QARK analysis. A useful thing about this tool is that it allows running ADB commands for testing emulated or real devices. Unlike ADB, it does not require the device to be rooted, as its mandate is to identify vulnerabilities when the app is running in a supposedly secured environment. This Python-based tool is available on Windows, Linux, and OSX. Among other security issues, QARK identifies the following vulnerabilities:
- Inadvertently exported components
- Improperly protected exported components
- Intents which are vulnerable to interception or eavesdropping
- Improper x.509 certificate validation
- Creation of world-readable or world-writable files
- Activities which may leak data
- The use of Sticky Intents
- Insecurely created Pending Intents
- Sending of insecure Broadcast Intents
- Private keys embedded in the source
- Weak or improper cryptography use
- Potentially exploitable WebView configurations
- Exported Preference Activities
- Apps which enable backups
- Apps which are debuggable
- Apps supporting outdated API versions, with known vulnerabilities
Zed Attack Proxy
Also known as OWASP ZAP tool, it is developed and owned by The OWASP Foundation and licensed under Apache 2 License. However, it is a fork of the open-source version of the Paros Proxy. Targeted at experienced security developers, it is considered one of the most popular app security tools for penetration testing. ZAP defines itself as a man-in-the-middle proxy, which listens to all the requests made to a web app and all responses received from it. Its automated scanners and other add ons allow scanning vulnerabilities automatically as well as manually. Its active scan feature allows developers to launch known attacks against selected targets. It also supports passing scanning rules, where all requests and responses are scanned in the background without slowing down the app. Its website maintains a repository of all scanning rules in the form of add-ons, which are updated periodically.
The unique thing about Devknox is that it allows developers to check security lapses in codes as they are writing it, much like a spell-check feature in a WYSIWYG editor. Despite the popularity of this Android Studio plugin, its developer XYSEC Labs has discontinued its development and is likely to announce an open-source release. Another important feature of it is that it offers suggestions for correcting the code. Much like other static code analyzers, the developer can also scan an old code file in its entirety using this tool and get security fixes. Some of the vulnerabilities this tool checks against include: verbose logging function, DES encryption, insecure file access mode, AES CBC encryption, AES ECB encryption, RSA no padding, AES encryption alt, RSA weak key pair generator, predictable pseudo-random number generator, unencrypted socket, possible TapJacking attack, etc.
ImmuniWeb Mobile App Security Test
This free online testing tool analyzes native and hybrid apps on Android and iOS platforms. Among other vulnerabilities, it tests apps about OWASP Mobile Top 10 flaws. It puts apps through the following tests:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Behavior Testing for malicious functionality and privacy
- Software Composition Analysis
- Mobile Application Outgoing Traffic
- Mobile App External Communications
It also offers a more advanced set of tools called MobileSuite for testing web services and APIs of mobile apps, but it is a paid feature.
If the developer wants to test if their Android app is secure enough when it passes through Inter-Process Communication endpoints of Android while interacting with other apps or the OS, they should test it on Drozer. An important feature of Drozer is that it can implement Android public exploits on devices that the developer wants to test. It creates rogue agents by building malicious files and web pages based on known vulnerabilities. If the Drozer agent manages to install full agents on a device using the vulnerable app being tested, the developer should be alarmed and fix security flaws.
Mobile Security Framework or MobSF
This is a comprehensive mobile app testing tool for pen-testing, malware analysis, and security assessment framework, which can perform both static and dynamic analysis. It can analyze Android, iOS, and Windows apps on binaries as well as source code. It can test an app against the OWASP Mobile Top 10 vulnerabilities.
In the end, businesses should understand that the impact of mobile app security goes beyond user security and impacts the reputation of the brand overall. With the increasing hacking attempts and data breaches, users are aware of mobile app security issues and prefer apps that are secure over those which can confiscate their information. Hence, app developers should strive to create applications that satisfy the needs of the user and focus their efforts on the security aspect as well.