A guest post by KC Karnes
Is your mobile app secure?
It shouldn’t come as a surprise that mobile apps are targeted by hackers, given the rapid adoption and increased usage globally. By some estimates, one out of every 36 mobile devices has high-risk apps installed.1
An even more sobering mobile app security statistic for businesses to hear: 71% of fraud transactions came from mobile apps and mobile browsers in the second quarter of 2018 compared to 29% on the web, up 16% year over year.
Although the number of mobile app attacks will all but certainly increase, integrating mobile app security into your strategy is essential to protecting your users and the trust you’ve established.
Cybercriminals are not lacking in creativity, they’re hacking in it (sorry, that will be the first and last pun).
From accessing the microphone, camera, and location of a user’s device, to building convincing app clones — there are many strategies hackers employ to gain access to, and exploit, personal information of unsuspecting mobile app users.
Below are some common mobile app security threats you should be aware of. It’s important to note this list is by no means exhaustive, but simply a drop in the bucket.
01. Lack of Multifactor Authentication
Most of us are guilty of using the same insecure password across multiple accounts. Now think about how many users you have. Even if a user’s password was compromised through a breach at a different company, hackers often test passwords on other apps, which can lead to an attack on your company.
Multifactor authentication, often using two of the three possible factors of authentication, does not rely solely on the user’s password before certifying the user’s identity. This additional layer of authentication can be the answer to a personal question, an SMS confirmation code to input, or biometric authentication (fingerprint, retina, etc.).
02. Failure to Encrypt Properly
Encryption is the process of transposing data into an indecipherable code that is ideallyonly viewable after it has been translated back using the secret key. In other words, encryption changes the sequence of a combination lock, but be careful, hackers are gifted at picking locks.
According to Symantec, 13.4% of consumer devices and 10.5% of enterprise devices do not have encryption enabled. This means that if hackers gain access to those devices, personal data will be available in plain text.
Unfortunately, the software companies that do use encryption are not immune to an honest mistake. Developers are human and make mistakes that hackers can exploit. When it comes to encryption, it’s important to assess how easy it could be to crack your app’s code.
This common security vulnerability can have severe consequences including intellectual property theft, code theft, privacy violations, and reputational damage, just to name a few.
03. Reverse Engineering
The nature of programming exposes many apps to the very real threat of reverse engineering.
The healthy amount of metadata provided in code meant for debugging also helps an attacker understand how an app functions.
Reverse engineering can be used to reveal how the app functions on the back-end, expose encryption algorithms, modify the source code, and more. Your own code can be used against you and pave the way for hackers.
04. Malicious Code Injection Exposure
User-generated content, like forms and comments, can often be overlooked for their potential threat to mobile app security.
Let’s use the login form as an example. When a user inputs their username and password, the application communicates with server-side data to authenticate. Apps that do not limit what characters a user can successfully input run the risk of hackers injecting code to access the server.
If a malicious user inputs a line of JavaScript into a login form that does not guard against characters like the equal sign or colon (common in JavaScript), they can easily access private information.2
05. Data Storage
Insecure data storage can happen in many places within your app: SQL databases, cookie stores, binary data stores, and more. These can be caused by vulnerabilities in the OS, frameworks, compiler, or new and jailbroken devices.
If a hacker gains access to a device or database, they can modify the legitimate app to funnel information to their machines.
Even sophisticated encryption protections are rendered useless when a device is jailbroken or rooted, which allows hackers to bypass operating system restrictions and circumvent encryption.3
Many times, insecure data storage is caused by a lack of processes to handle cache of data, images, and key presses.
On Friday we will publish the rest of this guest post.
Share
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com