Mobile apps are just as susceptible to risk as any other platform. In today’s connected world, a single app attack on one user’s device can put your entire organization at risk. A bug discovered in one mobile app is leaving iPhone and Mac users exposed to credential attacks and giving attackers access to online banking, Amazon, and Netflix accounts. A mobile app flaw allows an attacker to impersonate a legitimate service and even steal cryptocurrency. Cyber criminals are targeting banking and micro-lending apps by taking advantage of soft security (social control mechanisms) and using algorithms to intercept funds.
Mobile app security risks are growing. These headlines highlight privacy and data breach concerns:
- A mobile app data breach affected 150 million accounts of Under Armour's MyFitnessPal app.
- A malware injection campaign spoofed apps, including WhatsApp and Signal, to steal identities.
Although mobile risk competes with every other platform for your attention, here are five quick facts about mobile app attacks that you can use to improve your organization’s security posture.
1. We must be mindful of mobile app risk
Many flawed apps are released these days, leaving them vulnerable for exploitation. Flawed apps have become the new way to steal credentials. A study of the top 100 paid mobile apps on iOS and Android platforms showed disturbing results: 92% of iOS apps and 100% of the Android apps studied had been attacked, resulting in disabled security.
An additional study shows that the overwhelming majority of mobile apps violate the OWASP (Open Web Application Security Project) Top 10 security standards. As many as 85% of apps released have at least one known security vulnerability.
2. Mobile apps are susceptible to common risks
Insecure data storage is the most common risk found. For example, data generated by the app but stored in a different location on the device can be accessed or attacked. Nearly half of mobile apps tested use insecure communication protocols. Both situations leave users open to man-in-the-middle attacks.
Another common issue is failing to use HTTPS, encryption, or best practices for ATS (App Transport Security).
Even when security risks are remediated, app users may still be vulnerable. More than half of all smartphone users have not installed the latest version of their phone’s operating system, and even when they do, service providers like Verizon, T-Mobile, and AT&T are slow to push updates to the consumer. Users running older versions of the Android OS may never receive security updates. And even if a flaw has been patched in the updated OS, the update itself will not stop attackers: the patch must actually be installed on the user’s device.
Cyber criminals may also “backdoor” into apps through carrier software. According to the FTC (Federal Trade Commission), many devices fail to receive security updates from carriers or receive them only intermittently.
So-called “Zero Day” attacks receive a lot of media attention, but the majority of attacks exploit known vulnerabilities and poor security practices by users.
Other Risks to Mobile App Security
- Less-than-stringent server-side controls
- Lack of binary protections
- Reverse engineering and malware injections
- Poorly designed authentication tools
- Weak algorithms for encryption and/or decryption
- Call interceptions between clients and servers using IPC (Inter-Process Communication) protocols
- Malware injections, SQL injections
- Extended times in session handling
3. Mobile apps are not easier to attack than web apps
Mobile apps are similar to web apps but written to conform to the constraints of a mobile platform. From an exploitability standpoint, they are identical.
When you use a mobile app, chances are that app interacts with other applications on your smartphone. You might authorize access to Facebook, Twitter, Instagram, or you might access your work email account as well, all on the same device. Attacking one application may unlock the keys to the kingdom. Apps, devices, APIs, network servers and network security, and third parties can be breached by exploiting mobile apps and their connections.
Train your employees to understand the risks associated with mobile apps and to use an app store wisely.
4. Pen testing can help prevent mobile app breaches
For developers, preventing breaches means proactively hardening code against reverse engineering. Using penetration testing tools consistently during the app’s development stage can make a significant difference, as can staying on top of public disclosures of exploits and updating apps as soon as flaws are discovered.
For organizations, pen test tools are a necessity. Employees are becoming more mobile and more organizations are practicing BYOD (Bring Your Own Device) at work. The risk is only intensifying. You may be able to protect what is downloaded on your company devices, but you don’t always know where people get third-party apps for their personal devices.
Test mobile application security by application mapping and simulating client attacks, network attacks, and server attacks. Reverse engineering, decryption, and file analysis may also be necessary.
5. Mobile Application Assessment provides peace of mind
In today’s connected world, one app that’s been attacked on one user device can put your entire organization at risk.
Like assessments offered by other companies in the cybersecurity industry, the RedLegg Application Assessment provides penetration testing to expose potential vulnerabilities. The assessment includes:
- Functional review
- Vulnerability analysis
- Risk analysis scoping
Secure Code Review is another way to harden your defenses.
Having these assessments performed on your mobile apps can significantly lower the risk of exposure for all your users.
Featured Image: iStock.com/Sitthiphong