Mobile devices have become more popular than desktops and laptops. Not only are they easy to carry, but technological advances have also enabled them to perform nearly the same functions as desktops. According to Techjury.net, mobile users have grown by over 10 percent over the last year, and nearly 51 percent of the time users in the USA spend online is spent on mobile devices.
Users engage in nearly all activities on mobile devices, from watching the news to checking email, instant messaging, purchasing items online and doing bank transactions. Through these apps, businesses can gather usable information such as location, usage statistics, phone number, likes, dislikes and other meaningful metrics about users, which helps them make precise decisions to improve their services. If the data on these devices falls into the wrong hands, it can harm the user.
Thus, the need for mobile app security has become inevitable.
What is Mobile App Security?
Mobile app security is the set of measures that protect applications, and the personal and financial information they handle, from threats such as malware, fraud and attackers who target the app or the device it runs on.
A breach of mobile security can give attackers a window into the user's personal life in real time and disclose data such as their current location, banking details and other personal information.
Impact of Weak Mobile App Security
Consumers often rely on and trust organizations to test their applications for security before making them available. However, studies conducted by IBM revealed worrying findings.
Findings like these provide enough motivation for attackers to exploit security loopholes in mobile applications, and they try to obtain any or all of the following from insecure code:
Attackers obtain login credentials for websites or devices, for example for email, banking and social-networking accounts. The Anubis banking Trojan is a notorious example: it reaches the user's device through compromised apps, some of which have even been hosted on Google's official app store. Once a device is infected, the Trojan can send and receive SMS messages, read contact lists, request access to device location, enable push notifications, determine the IP address of the mobile connection, and access personal files on the device.
In May 2019, WhatsApp acknowledged that its app was vulnerable to spyware from the Israeli firm NSO Group that could infect a mobile device simply by placing a WhatsApp call to the user from an unknown number.
The device could be compromised even if the user did not answer the call. Once infected, the spyware could exfiltrate almost all data on the device, including contact lists, GPS location and media files, to the attacker's server.
Attackers obtain credit and debit card numbers to make fraudulent transactions, particularly where no one-time password is required. Researchers at Kaspersky discovered a new version of the Ginp banking Trojan, which steals user credentials and credit card information from the device. Its ability to take control of the device's SMS feature lets it intercept and manipulate the messages banks use to authorize transactions. Its code was found to be targeting 24 apps of Spanish banks.
Source: Tatyana Shishkova
Attackers obtain the code base of an app to create illegal clones, or simply to steal the intellectual property of the company that owns it. The more successful an app is, the more clones it is likely to attract on app stores. For example, when Fortnite and PUBG Mobile became popular, many clones soon appeared; Fortnite, which was not distributed through Google Play, attracted so many that at one point Google had to warn users that the official Fortnite was not available on Google Play.
Source: Android Authority
It is also possible to unlock premium features of apps, especially in utility and gaming apps, that are a source of revenue for the app owner. In 2016, the mobile security company Bluebox showed how attackers were able to access premium features of the popular apps Hulu and Tinder by exploiting security holes in them, causing losses to their owners. At the time, Hulu's OTT streaming subscription sold for $7.99 a month.
Apart from the loss of crucial user data, the damage can take the form of misuse of user information and lawsuits from affected parties. The upside of investing in security is that customers stay loyal and trust the brand; the downside of neglecting it is a loss of customer confidence that may never be recovered. Companies should realize that their customers' confidence in the brand lies at the center of their business, and the rationale for app development should account for it.
Loopholes in Mobile App Security
Mobile apps are not designed to act as anti-virus software or to transmit data securely by default; they focus on a smooth interface and the best functionality for users. Conversely, installing an antivirus app may block some attacks on the device, but it cannot protect against weak passwords or a poorly designed app.
Most common security lapses are documented by industry experts under the aegis of the Open Web Application Security Project (OWASP) for developers' reference. Its OWASP Mobile Top 10 list builds on the pooled knowledge of industry experts about current and emerging attack vectors on mobile devices.
You can read a detailed article about the Top 10 mobile risks and how to secure devices and apps against them here.
Android App Security Risks
Android apps are typically written in Java or Kotlin (today with Android Studio; older guides use Eclipse), compiled to Dalvik bytecode and packaged as APK files. Because the bytecode retains much of the program's structure, it can be decompiled with freely available tools, altered and repackaged into a new APK. Reversing an Android app can readily reveal hard-coded test credentials, insights into poor design, and details of the libraries and classes used. It can also expose the type of encryption used and, if a key is embedded in the app, the key itself, so the attacker is not limited to one device but can decrypt data from every installation that shares the same key.
Insecure Platform Usage
Android apps become vulnerable to the OWASP Mobile Top 10 risks when developers ignore the best practices Google publishes for interacting with the OS, particularly through insecure Android intents and platform permissions. For example, when a developer leaves a service, activity or receiver exported without a permission guard, or passes the wrong flags to an API call (such as creating a mutable PendingIntent), the app stands exposed. Attackers can register their own BroadcastReceiver to snoop on broadcasts meant for legitimate apps, and developers often fail to use LocalBroadcastManager, or an explicit in-process alternative, for messages that never need to leave the app, creating a security gap.
Many Android developers do not update their apps regularly or pay attention to the OS patches issued for Android, leaving them unprotected against newly found vulnerabilities. Updates carry the latest security patches, and ignoring them exposes applications to the latest security risks.
Android lets users root their devices using third-party tools, with some warnings. However, not every user understands that a rooted device is exposed to manipulation by attackers and malware. Developers of sensitive apps should therefore either refuse to run in a rooted environment or warn users, bearing in mind that root checks execute on the attacker's device and can be bypassed, so they are a deterrent rather than a guarantee.
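The exported-component and broadcast problems described above are visible in the manifest before the app ever ships. The following linter, an added example for this article and not code from Google or from any tool named on this page, reads the text form of AndroidManifest.xml (project source or apktool output) and flags components exported without a permission, components implicitly exported through an intent-filter, and the debuggable and backup flags. The sample manifest is constructed for the demo.

```python
"""Lint a decoded AndroidManifest.xml for insecure platform usage.

Added example for this article; it is not code from Google, QARK or any
other tool named on the page. It expects the text form of the manifest
(project source, or the output of apktool), not the binary XML inside an APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute; None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(component):
    """The launcher activity must be exported and unguarded, so don't flag it."""
    for category in component.iter("category"):
        if _android_attr(category, "name") == LAUNCHER_CATEGORY:
            return True
    return False


def lint_manifest(manifest_xml):
    """Return a list of (component_name, finding) pairs, in document order."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is None:
        return findings

    # Application-level flags that static analyzers such as QARK also report.
    if _android_attr(app, "debuggable") == "true":
        findings.append(("application", "android:debuggable is true"))
    if _android_attr(app, "allowBackup") != "false":
        findings.append(("application", "android:allowBackup not disabled"))

    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _android_attr(comp, "name") or "<unnamed %s>" % tag
            exported = _android_attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            permission = _android_attr(comp, "permission")

            if exported is None and has_filter:
                # Before targetSdk 31 an intent-filter silently exports the
                # component; a receiver here can be fired by any app, which is
                # why in-app broadcasts belong in LocalBroadcastManager.
                findings.append((name, "implicitly exported via intent-filter (no android:exported)"))
            elif exported == "true" and permission is None and not _is_launcher(comp):
                findings.append((name, "exported without android:permission"))
    return findings


# Constructed sample manifest for the demo (not taken from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BalanceReceiver">
      <intent-filter>
        <action android:name="com.example.wallet.BALANCE_UPDATED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".AccountProvider"
        android:authorities="com.example.wallet.accounts"
        android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for component, finding in lint_manifest(SAMPLE_MANIFEST):
        print("%-20s %s" % (component, finding))
```

Run against the sample, the linter reports the debuggable and backup flags, the SyncService that any app can bind to, and the BalanceReceiver that is exported only because it declares an intent-filter; the launcher activity and the non-exported provider are left alone. The fix for the receiver is either android:exported="false" with a LocalBroadcastManager (or direct in-process delivery), or an android:permission guard if other apps genuinely need to reach it.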
iOS App Security Risks
Unlike Android, Apple's iOS strictly enforces its security model and is a closed operating system. Apps are sandboxed: they cannot communicate with other apps except through defined mechanisms, and cannot directly access the directories or data of other apps. iOS apps are written in Objective-C or Swift with tools like Xcode. iOS is based on the same XNU kernel as macOS, compiled for ARM.
Jailbreaking is a term commonly used in the context of Apple devices. It involves finding an exploit, usually in the kernel, that lets users run unsigned code on the device. A tethered jailbreak must be re-applied on every reboot by connecting the phone to a computer and running the jailbreak code again; an untethered jailbreak persists on the phone across reboots.
iOS offers device-level security through Face ID and Touch ID and claims they are secure because biometric data is handled by a processor separate from the rest of the system, the Secure Enclave, which runs its own dedicated microkernel. However, the device passcode remains the fallback for biometrics, and forensic tools such as GrayKey have made brute-forcing the passcode practical by eliminating the wait between guesses. When app developers gate data or services in their apps behind Touch ID or Face ID, they inherit the same weakness: whoever recovers the passcode can pass the biometric prompt's fallback, so sensitive data should additionally be bound to a key in the Secure Enclave rather than to the prompt alone.
Insecure Data Storage
Most apps store data in SQL databases, cookies, binary data stores or even plain text files. Attackers can reach these locations when the operating system, framework or compiler is vulnerable, and jailbreaking a device removes the sandbox that normally keeps them private. With access to the database, attackers can modify the app's data or copy the information to their own machines. On a jailbroken device even well-implemented encryption offers limited protection, because the key and the decrypted data are both available to a privileged attacker at runtime.
Security experts have also found that insecure data storage is one of the most common vulnerabilities in iOS apps, which attackers exploit to steal passwords, financial information and personal data of users.
Common Application Risks
Lack of encryption
Encryption transforms data into ciphertext that cannot be read without the corresponding secret key. According to data from Symantec, nearly 13.4 percent of consumer devices and 10.5 percent of enterprise devices do not have encryption enabled, which leaves sensitive data exposed as plain text. Using strong encryption for stored and transmitted data ensures the app's data cannot be easily recovered by an attacker.
Malicious code injection
Malicious code injection is a general term for an attacker placing a binary containing malicious code on the device's local file system and then executing it to gain control over the device. This can be done through a malicious SMS or by tricking the user into clicking a malicious link. In this way attackers can plant malicious code even in legitimate folders or within installer files and execute it at will, compromising device security. Binary planting is often paired with reverse engineering: attackers deconstruct the app's code to understand its internals, and once the code is understood they look for vulnerabilities to exploit for further malicious action.
Mobile Botnets
Mobile botnets are networks of infected devices, typically built with Trojans and controlled over IRC or similar command-and-control channels. When an infected device connects to the internet, it acts as a client and reports to the attacker's server. Mobile botnets aim to gain complete control over the device and can be used to send emails and text messages, make phone calls, and access personal data such as photos and contact lists.
Source: IT Pro
Mobile App Security Best Practices
Mobile app security best practices ensure that the app is as free of risk as possible and does not disclose the user's personal information. Developers must ensure all security checks are performed before the app is uploaded to an app store for public consumption. Public-facing applications, which are often the sole communication bridge between customers and the organization, are the primary targets of attackers. Most public-facing applications are designed to be compatible with almost any device on the market, but this approach also widens the attack surface. Developers must apply the most stringent input filtering and validation while building an application capable of withstanding attacks.
To identify specific threats, developers can run a threat-modeling exercise. The most common risks faced by organizations that depend on mobile applications for their business are as follows:
- Data leaks: Applications with weak boundary controls are at constant risk of being breached by attackers who can obtain confidential data such as payment credentials, system passwords and PINs. Once that boundary is penetrated, malware can also be injected into the device.
- Infrastructure exposure: Communication between mobile applications and the organization's backend services may require sharing resources such as third-party APIs. If API integration is not monitored carefully, it can compromise not just the user data on the device but also server-side security.
- Scams: Any mobile application that carries out financial transactions will always be on fraudsters' radar. There is always some risk when the application handles sensitive data such as payment credentials, PINs and passwords associated with apps and credit cards. Attackers armed with methods such as SMS grabbing via malware, script injection and repackaging are always on the prowl.
- Regulations and guidelines: All applications must operate within a legal and social framework, and breaching it can invite legal action. For example, the General Data Protection Regulation and the Revised Payment Services Directive are among the regulations that apply when operating in European nations, and several other guidelines apply in the global context.
The first thing to consider is whether the application is released on a commercial store or disseminated through the organization's own distribution channel. It is no secret that applications distributed through private channels are less likely to face threats like reverse engineering. Several mechanisms, such as application management through UEM and stand-alone solutions, can be employed to keep the application secure. Currently there are three architectural options for mobile application development: native, hybrid and pure web-based. Each involves trade-offs between security and performance. For example, converting an organization's web application to a mobile application is not a tough ask, but encrypting the application's cached content becomes a time-consuming and costly affair, and if the cache is reduced and discarded more often to improve security, performance suffers. These factors should be weighed before making the architectural call. Another point developers need to deliberate over is the choice between device-side and server-side checks. Attackers often breach device-side defenses by tampering with the application or the device.
A jailbroken device, for instance, can render native check mechanisms meaningless. A one-size-fits-all approach may not work: some applications need server-side controls, while for others device-side checks are good enough.
Native application development opens the door to all the native security capabilities of the operating system platforms. Native apps tend to work more smoothly since they rely on the operating system's own APIs, and both Android and iOS have published best-practice guidelines that developers can follow. These native environments support everything from basic functions such as authentication and encryption to complex ones such as device attestation and credential storage. The cost is that two separate versions of the application must be maintained. While the native route seems ideal for sensitive applications, hybrid architectures may be a more viable option for others. Hybrid architectures allow the use of cross-platform frameworks like Xamarin and Flutter, with sensitive operations still delegated to native code.
Most principles of secure software development apply to mobile applications as well. However, when it comes to mobile applications, developers have certain key areas they need to focus on to get the best results. Here are a few practices endorsed by industry experts:
Minimal Application Permissions
Permissions give applications the freedom to operate more effectively, but every granted permission also widens what an attacker can do through the app. No application should request permissions beyond its functional needs. Developers should avoid reusing existing libraries that request broad permissions and instead use or build ones that request only what is needed.
Guarding sensitive information
Confidential data stored within the application without a proper protection mechanism is prone to attack. Attackers can extract vital information by reverse-engineering the code. Where possible, the volume of data stored on the device should be cut to minimize the risk.
Certificate Pinning
Certificate pinning is a technique that lets an app defend against man-in-the-middle attacks on untrusted networks by accepting only a known certificate or public key for its server, rather than anything the device's CA store trusts. It has its limitations. It defeats network detection and response tools that rely on TLS inspection, because the app refuses their interception certificate. A pin that is not rotated alongside the server certificate causes an outage. And compatibility issues arise in hybrid applications, because browsers and WebViews dropped support for HTTP Public Key Pinning, so the pin must be enforced in native code.
Enhance Data Security
Data security policies and guidelines should be established so that users are not easily caught in attackers' traps. This includes properly implemented encryption of data in transit between the device and the server, and firewalls and security tooling on the backend where necessary. Refer to the guidelines published for Android and iOS.
Not Saving Passwords
Many apps offer to save passwords so that users need not re-enter their credentials repeatedly. If the device is stolen, saved passwords can be harvested to gain access to personal information, and if they are saved unencrypted the chances of harvesting are very high. Developers should therefore refrain from storing the password on the device. The server should hold only a salted, slow hash of the password, never the password itself, and the device should keep a revocable session or refresh token in the platform's secure storage, so that if the device goes missing the user can change the password and revoke the token from another device.
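What "saved on the server" should mean in practice is a salted, deliberately slow hash, never the password itself. The following is an added example for this article, not code from the page or from any framework; it uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs anywhere, with Argon2id or scrypt being preferable where a library is available. The iteration count and the record format are choices made for the example.

```python
"""Server-side credential storage: keep a salted, slow hash of the password,
never the password, and never on the device.

Added example for this article; not code from the page or any framework.
PBKDF2-HMAC-SHA256 from the standard library is used so the example runs
anywhere; Argon2id or scrypt are preferable where a library is available.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)          # unique per user, so identical passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record, iterations=PBKDF2_ITERATIONS):
    """True when the record predates current policy; rehash at the next successful login."""
    algorithm, stored_iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


class UserStore:
    """Minimal in-memory account table for the demo."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._iterations = iterations
        self._records = {}

    def register(self, username, password):
        self._records[username] = hash_password(password, self._iterations)

    def login(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Hash anyway so an unknown user takes as long as a wrong password.
            hash_password(password, self._iterations)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record, self._iterations):
            # Transparent upgrade: the plaintext is only available at login time.
            self._records[username] = hash_password(password, self._iterations)
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("right password:", store.login("alice", "correct horse battery staple"))
    print("wrong password:", store.login("alice", "Correct horse battery staple"))
```

The record carries its own parameters so the iteration count can be raised later without invalidating existing accounts: an old record still verifies, and the next successful login rewrites it under the new policy. The mobile client never sees this table; it holds only the revocable token the server issues after a successful login.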
Enforce Session Logout
Users often forget to log out of the website or app they are using. For a banking app or any other payment app this can be harmful. For this reason payment apps end a user's session after a period of inactivity and fully invalidate it on every logout. Developers should enforce session expiry on all business and consumer-facing apps, even if they expect their users to be highly security-literate.
Consult Security Experts
No matter how experienced an internal security team is, an external point of view can give a different perspective on the apps. Several security companies and tools can help identify loopholes and reduce the chance of compromise. Companies should encourage their development teams to have the security of their apps assessed by third-party service providers.
Apply Multi-Factor Authentication
Multi-factor authentication adds an extra layer of security when a user logs in to an app and compensates for weak passwords that attackers can easily guess. It requires a second proof of identity along with the password: a one-time code delivered by SMS or email, a time-based code generated locally by an authenticator app such as Google Authenticator, a hardware security key, or a biometric check on the device. Without multi-factor authentication, a guessed or phished password is enough to take over the account.
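The codes an authenticator app shows are not sent anywhere; both the app and the server derive them from a shared secret and the current time. The following is an added example for this article, not code from Google Authenticator or any product the page names: HOTP (RFC 4226) and TOTP (RFC 6238) in full, plus a server-side check that tolerates clock skew. The secret used in the demo is the published RFC test secret, so the expected codes are the standard test vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): the codes an authenticator app generates
and a server verifies as the second factor.

Added example for this article; it is not code from Google Authenticator or any
product the page names. verify_totp is a minimal illustration of the server side.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP: HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now // step), digits, algo)


def verify_totp(secret, code, for_time=None, window=1, step=30, digits=6, algo=hashlib.sha1):
    """Server-side check.

    Accepts the current interval plus/minus `window` intervals to tolerate clock
    skew, and compares in constant time so the check does not leak which digits
    matched. A real deployment must also remember the interval of the last
    accepted code and reject a replay of it within the window.
    """
    now = time.time() if for_time is None else for_time
    base = int(now // step)
    submitted = str(code).encode("utf-8")
    for counter in range(base - window, base + window + 1):
        candidate = hotp(secret, counter, digits, algo).encode("utf-8")
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print("HOTP, counter 0:", hotp(secret, 0))                 # 755224
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082
    print("TOTP now:", totp(secret))
```

A real shared secret must be generated with a CSPRNG, stored server-side the way any credential is, and enrolled on the device over an already-authenticated channel (the QR code); SMS delivery of codes avoids the shared secret but inherits the SIM-swap and SMS-interception risks described earlier in this article.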
Penetration Testing
Penetration testing checks an app for known vulnerabilities and aims to find weaknesses an attacker could use to compromise the finished application. It covers weak password policies, unencrypted data, permissions granted to third-party apps, missing password-expiry rules and so on. By re-creating the actions of a potential attacker, the security team determines whether the app has exploitable weaknesses. Penetration tests should be performed regularly to keep the app secure. They can be run as white-box tests, with access to source code and design, or as black-box tests with no inside knowledge; each surfaces different issues.
Prevent Usage of Personal Devices
To avoid the cost of buying systems, many companies ask employees to use their own laptops or smart devices for development. This can expose the network to whatever infections the employee's device has accumulated; malware and Trojans travel from device to device in this way. A security policy should therefore govern such use. Each device connecting to the office network should be checked with firewall, antivirus and anti-malware controls, or denied connection altogether.
Use Third-Party Libraries with Precaution
Using third-party libraries reduces the amount of code a developer writes and eases development, but it can be risky. For example, the GNU C library had a stack-based buffer overflow in its getaddrinfo function (CVE-2015-7547) that attackers could exploit to execute malicious code remotely or crash a device. The bug existed for about eight years before the open-source community behind the GNU Project released a fix in 2016. Developers should therefore limit the number of libraries they use, keep an inventory of them, and establish a policy for vetting and updating libraries to protect apps from inherited vulnerabilities.
Restrict User Privileges
The more privileges a user is given, the greater the chance of compromising the app's security. If a highly privileged user is compromised, attackers can do a great deal of damage to the app. Similarly, an app should not ask for device privileges for functions it does not need, for example permission to read SMS or the DCIM folder.
Manage Sessions Securely
Sessions on mobile devices last much longer than on desktops, which also increases server load. Creating sessions with random tokens rather than device identifiers is the more secure option: tokens can be revoked whenever needed and protect the user if a device is lost or stolen. Developers should also set session expiry. Enabling remote wiping of app data for lost and stolen devices is another good safety option.
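The session rules above (random tokens rather than device identifiers, inactivity timeout, explicit logout, and revocation for a lost device) fit in one small server-side store. The following is an added example for this article, not code from the page or from any framework; the 5-minute idle limit and 8-hour absolute lifetime are illustrative values, and the clock is injectable so the timeouts can be exercised without waiting.

```python
"""Server-side session handling for a mobile client: opaque random tokens (not
device identifiers), an inactivity timeout, an absolute lifetime, logout, and
revocation of every session on a lost or stolen device.

Added example for this article; not code from the page or any framework.
The 5-minute idle limit and 8-hour cap are illustrative values.
"""
import hashlib
import secrets
import time

IDLE_TIMEOUT = 5 * 60          # seconds without activity before the session ends
ABSOLUTE_LIFETIME = 8 * 3600   # hard cap, however active the session is


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._sessions = {}          # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a copy of this table cannot be
        # replayed against the API the way a stolen device identifier could.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id, device_id):
        """Issue a fresh 256-bit token bound to the user and the device it was issued to."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {
            "user": user_id, "device": device_id, "created": now, "last_seen": now,
        }
        return token

    def authenticate(self, token):
        """Return the user for a live session (and refresh its idle timer), else None."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_LIFETIME):
            del self._sessions[key]      # expired: the logout is enforced server-side
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        """Explicit logout invalidates the token immediately; the client must discard it too."""
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_device(self, user_id, device_id):
        """Lost or stolen device: kill its sessions from another device, no token needed."""
        doomed = [k for k, s in self._sessions.items()
                  if s["user"] == user_id and s["device"] == device_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", "phone-1")
    print("authenticated as:", store.authenticate(token))
    print("sessions revoked for lost phone:", store.revoke_device("alice", "phone-1"))
    print("after revocation:", store.authenticate(token))
```

The device identifier is recorded only as metadata for revocation; it is never what authenticates the request. Because the server decides when a session is dead, a client that forgot to log out, or an attacker holding a token from a stolen phone, is cut off once the user revokes the device or the idle limit passes.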
Manage Keys Securely
Key management is crucial for encryption. Hard-coding keys in the app is harmful to its security and should be avoided: anyone who extracts the key from the binary can decrypt the data of every user. Keys should be generated and stored in a secure container such as the Android Keystore or the iOS Keychain (backed by the Secure Enclave where available), or held on the server, and never written into app code or plain files. MD5 and SHA-1 are sometimes mentioned in this context, but they are hash functions rather than key-management mechanisms, and both are broken for security use. Developers should use current standards and APIs, such as AES-256 in an authenticated mode (for example GCM) for encryption and SHA-256 or stronger for hashing.
Test Apps Periodically
Securing a mobile app is not a one-time process. New threats emerge every day, and updates to patch them are needed before they can damage the user's device. The WannaCry and NotPetya ransomware outbreaks of 2017, which encrypted Windows devices and demanded a ransom in bitcoin, were a wake-up call for developers to take cybersecurity seriously. Though that ransomware largely affected desktops, the speed and effectiveness of its spread show why apps need periodic testing, as new threats are always around the corner.
Ensure HTTPS Communication
HTTPS stands for Hypertext Transfer Protocol Secure, in contrast to plain HTTP. It protects data in transit by running HTTP over Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL); both are cryptographic protocols designed to provide confidentiality and integrity over communication channels. Plain HTTP data is unencrypted and unauthenticated, which lets attackers read and tamper with user content. Developers must ensure the server the app connects to presents a valid TLS certificate, send data between the app and the server only over HTTPS, and never disable certificate validation in the app to silence errors.
Secure the Cache
The cache is a software component that stores data temporarily on the user's device to avoid delays in retrieving it again. Attackers can easily read cached data if it is not encrypted. Sometimes an app does not remove its data after a session ends and the cache never expires. If these cache files fall into the wrong hands, attackers can use them to access user data or the server.
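The most common way HTTPS is undone inside an app is the "make the certificate error go away" shortcut: validation and hostname checking are switched off, and from then on any on-path attacker can present any certificate. The following is an added example for this article, not code from the page or from any SDK, showing that insecure configuration next to a hardened client context and a small audit function that tells the two apart; the ssl module's API is used as it exists in the Python standard library.

```python
"""A hardened TLS client context beside the insecure pattern it replaces.

Added example for this article; not code from the page or any SDK.
Uses only the Python standard library's ssl module.
"""
import ssl


def insecure_context():
    """The shortcut that silences certificate errors: no chain validation, no
    hostname check. Any on-path attacker can now present any certificate and
    read or alter the traffic. Shown here only as the thing to detect."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle=None):
    """Validate the chain against the trusted CA set (or a private bundle for
    an internal backend), check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the weaknesses found in an existing SSLContext (empty list if none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("accepts TLS below 1.2")
    return problems


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

The same three properties are what to look for in an Android TrustManager or an iOS URLSession delegate during review: a trust-all TrustManager, or a delegate that accepts every challenge, is the native equivalent of insecure_context above.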
Apply RASP Security
RASP stands for runtime application self-protection: security software built into the app or its runtime environment that protects it against attacks while it runs and gives visibility into attacks that static analysis cannot see.
The RASP layer runs inside the app process, monitoring calls made to the app and its environment and blocking malicious ones before they execute. On mobile this typically means detecting rooted or jailbroken devices, attached debuggers, hooking frameworks and tampered binaries, and responding by refusing to run or alerting the backend. Because it executes inside the app rather than between the app and the server, it complements, rather than replaces, server-side controls. You can check our post on RASP to know more about it.
Obfuscate Code
One of the best ways to raise the cost of attacking an app is code obfuscation: transforming the code so that it is difficult for a reverse engineer to understand. The technique is popular and widely used to conceal code from attackers. Obfuscators automatically convert program code into a form that is hard for humans to read. Code obfuscation includes:
- Encrypting some or the entire code
- Removing metadata which may reveal information about the libraries or APIs used
- Renaming classes and variables so they cannot be guessed
Code is obfuscated to stop attackers who reverse-engineer apps with decompilers from reading the logic and extracting secrets. On iOS, obfuscation is less widespread because apps compile to native ARM code, which is harder (though not impossible) to decompile. Android apps, by contrast, ship as Dalvik bytecode that decompiles almost back to source, so obfuscation, with tools such as ProGuard or R8, is essential for Android developers. Obfuscation raises the cost of reverse engineering; it does not prevent it, so secrets must still not be embedded in the code.
Free Tools for App Security Testing
Mobile app developers should understand that as their apps become important on users' devices, attackers take an interest as well. As described above, attackers probe vulnerabilities in apps and devices with manual as well as automated tools, so developers must test their apps thoroughly before uploading them to app stores. Several free tools, commonly called application security testing (AST) tools, help developers find such weaknesses. AST tools automate testing: reviewing code manually even against traditional threats takes time, and tracking emerging threats adds further complexity. Developers should therefore consider the following tools to add security coverage and save time:
Android Debug Bridge
As the name suggests, ADB is meant for interacting with Android devices and apps and is offered as part of the Android SDK Platform-Tools package. It has three components: a client, which runs on the development machine and is invoked from a terminal; a daemon (adbd), which runs on the device or emulator and executes commands; and a server, which runs on the development machine and manages communication between the client and the daemon. ADB connects over USB or TCP/IP (for example Wi-Fi) and allows real-time monitoring of system events and logs on the device, installing and pulling APKs, and running shell commands, on either an emulator or a real device.
Visit the site: Android Debug Bridge
Quick Android Review Kit
QARK is a community-supported open-source tool (Apache License) for analyzing the source code or packaged APK of an app. Developers can check the source for security vulnerabilities by running a QARK analysis. It can also run ADB commands for testing on emulated or real devices, and it does not require the device to be rooted, since its purpose is to identify vulnerabilities as the app runs in a supposedly secure environment. This Python-based tool runs on Windows, Linux and macOS. Among other issues, QARK identifies the following vulnerabilities:
- Inadvertently exported components
- Improperly protected exported components
- Intents which are vulnerable to interception or eavesdropping
- Improper X.509 certificate validation
- Creation of world-readable or world-writable files
- Activities which may leak data
- The use of Sticky Intents
- Insecurely created Pending Intents
- Sending of insecure Broadcast Intents
- Private keys embedded in the source
- Weak or improper cryptography use
- Potentially exploitable WebView configurations
- Exported Preference Activities
- Apps which enable backups
- Apps which are debuggable
- Apps supporting outdated API versions, with known vulnerabilities
Zed Attack Proxy
Also known as OWASP ZAP, it is developed and maintained under the OWASP Foundation and licensed under the Apache 2 License; it began as a fork of the open-source version of Paros Proxy. Used by developers and experienced security testers alike, it is one of the most popular application security tools for penetration testing. ZAP describes itself as a man-in-the-middle proxy: it sits between the client and the web app and sees every request made to the app and every response received from it. For mobile apps, the device or emulator is pointed at ZAP as its HTTP proxy so the app's backend traffic can be inspected. Its automated scanners and add-ons support both automated and manual vulnerability scanning. Active scanning launches known attacks against selected targets, while passive scanning rules examine all requests and responses in the background without slowing the app. Its website maintains a repository of scanning rules as add-ons, updated periodically.
Visit the site: Zed Attack Proxy
Devknox
The unique thing about Devknox is that it lets developers check for security lapses as they write code, much like spell-check in a text editor. Despite this Android Studio plugin's popularity, its developer XYSEC Labs has discontinued its development and is expected to announce an open-source release. It also suggests corrections for the flagged code. Like other static code analyzers, it can scan an existing code file in its entirety and propose security fixes. Vulnerabilities it checks for include verbose logging, DES encryption, insecure file access modes, AES in CBC and ECB modes, other AES encryption variants, RSA without padding, weak RSA key-pair generation, predictable pseudo-random number generators, unencrypted sockets and possible tapjacking attacks.
Visit the site: Devknox
ImmuniWeb Mobile App Security Test
This free online testing tool analyzes native and hybrid apps on Android and iOS. Among other vulnerabilities, it tests apps against the OWASP Mobile Top 10 flaws. It puts apps through the following tests:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Behavior Testing for malicious functionality and privacy
- Software Composition Analysis
- Mobile Application Outgoing Traffic
- Mobile App External Communications
It also offers a more advanced set of tools called MobileSuite for testing web services and APIs of mobile apps, but it is a paid feature.
Visit the site: ImmuniWeb
Drozer
Developers who want to test whether their Android app is secure at the inter-process communication (IPC) endpoints through which it interacts with other apps and the OS should test it with Drozer. An important feature of Drozer is that it can run public Android exploits against the device under test: it builds malicious files and web pages based on known vulnerabilities to act as rogue agents. If this succeeds in installing a full Drozer agent on the device through the app under test, the developer should be alarmed and fix the flaws.
Visit the site: Drozer
Mobile Security Framework or MobSF
This is a comprehensive mobile app testing framework for pen-testing, malware analysis and security assessment that performs both static and dynamic analysis. It can analyze Android, iOS and Windows apps from binaries as well as source code, and test an app against the OWASP Mobile Top 10 risks.
Visit the site: MobSF
In the end, businesses should understand that the impact of mobile app security goes beyond user security and affects the reputation of the brand as a whole. With hacking attempts and data breaches on the rise, users are aware of mobile app security issues and prefer apps that are secure over those that leak their information. App developers should therefore strive to create applications that satisfy users' needs while focusing their efforts on security as well.