Guest Post – Mobile App Security Threats and Secure Best Practices Part 2

A guest post by KC Karnes

Mobile App Security Exploit Examples: Painful Real-life Lessons

The climate around mobile app security is heating up.

Mobile app vulnerabilities are exploited every day, resulting in expensive data breaches and loss of public trust.

In this section, we will try to learn from the failures of other companies and highlight how real the threats outlined above can be.

Timehop Fails To Trust Two-Factor Authentication

Starting in December of 2017, TimeHop was the victim of an attack that was not uncovered until July 4, 2018. Because TimeHop failed to use multifactor authentication, an employee’s credentials were used to log in to their cloud computing environment from an IP address in the Netherlands. [4]

The unauthorized user began conducting reconnaissance into the available information and continued to check back in over the ensuing seven-month period. Finally, on June 22, 2018, the hacker discovered personally identifiable information in a database.

Internal alerts on July 4 signaled a dramatic spike in database read requests and users reported black screens as their apps crashed.

This mobile security threat resulted in the privacy breach of 21 million users. This might not have occurred if a multi-factor authentication process had been in place to deny the hacker’s login credentials.

Fortnite Fakes From Reverse Engineering

When Fortnite launched their beta in August 2018, the invitation-only environment brought a surge in fraudulent links to download fake app clones with malicious intent.

These fake Fortnite apps were reverse engineered to look very convincing. They included the same loading screens, images, and music as the real app.

This genre of malware, known as FakeApp, was used to generate ad revenue, redirect to other apps, send SMS messages, and even download hidden apps.

The second half of 2018 saw a rapid increase in FakeApp detections of this sort, peaking in December with nearly 65,000 FakeApp detections. [5]

Mobile App Security Best Practices: How to Safeguard Your Mobile

Unfortunately, mobile app security is a problem that we continue to face.

The tools used to develop the top tier mobile apps, by their very nature, are the same tools used to exploit their vulnerabilities.

Despite the constant struggle to keep hackers at bay, there are some common threads of security best practices that protect some of the largest mobile companies around the globe.

01. Use Server-Side Authentication

Ideally, authentication requests, including multi-factor checks, are granted on the server side, and protected data becomes available only once authorization has succeeded. If your app requires data to be stored on the client side and available on the device, ensure the encrypted data can only be accessed once the credentials have been successfully validated.

If you use persistent authentication – or a “remember me” functionality – be mindful not to store password data on the device, and create different authentication tokens for different devices.
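The "remember me" advice above, worked through as an added example (not code from the original post): the device keeps a random token instead of the password, the server keeps only a digest of it, each device gets its own token, and a single device can be revoked without logging out the others. The 30-day lifetime and the server-assigned `device_id` are assumptions for the illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600   # assumed: persistent login lasts 30 days, then re-authenticate

class RememberMeStore:
    """Server-side registry of 'remember me' tokens, one per (user, device).

    Only a SHA-256 digest of each token is kept, so a leaked table does not yield
    usable tokens; the device holds the raw token and never the user's password."""

    def __init__(self):
        self._tokens = {}  # digest -> (user_id, device_id, expires_at)

    def issue(self, user_id, device_id, now=None):
        """Mint a fresh token for this device, replacing any earlier one bound to it."""
        now = time.time() if now is None else now
        self.revoke_device(user_id, device_id)
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user_id, device_id, now + TOKEN_TTL_SECONDS)
        return token                           # raw token goes to the device only

    def validate(self, token, device_id, now=None):
        """Return the user_id if the token is known, unexpired and bound to this device."""
        now = time.time() if now is None else now
        record = self._tokens.get(self._digest(token))
        if record is None:
            return None
        user_id, bound_device, expires_at = record
        if now >= expires_at or bound_device != device_id:
            return None
        return user_id

    def revoke_device(self, user_id, device_id):
        """Log out a single device (e.g. a lost phone) without touching the user's others."""
        for digest, (uid, dev, _) in list(self._tokens.items()):
            if uid == user_id and dev == device_id:
                del self._tokens[digest]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()
```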

02. Use Cryptographic Algorithms and Key Management Best Practices

One strategy to fend off encryption-related breaches is to avoid storing sensitive information on a mobile device. This includes hard-coded keys and passwords that could be made available in plain text or used by an attacker to gain access to the server.

iOS has protection in place to, in theory, stop reverse engineering through code encryption. It’s worth noting however that this is not a perfect solution and you should always assume attackers can decrypt information on the client side.

The most powerful encryption algorithm in the world will not prevent an attack if poor key management strategies are implemented. If your app is not protected against binary attacks, for example, keys could be intercepted when authentication responses are traveling from the server.

Never use algorithms that have been deprecated or disapproved by the security community, and, unless you are an expert in security, do not try to create your own encryption protocols. [6]

03. Validate That All User Inputs Meet Sanity Check Standards

Hackers are opportunistic when testing your input validation. They scour your site for any potential for the acceptance of malformed data.

Input validation is a strategy to ensure only data that is expected can be passed through an input field. When uploading an image, for example, the file should have an extension that matches standard image file extensions and should be reasonably sized.

If your image input validation does not have parameters prohibiting unreasonable pixel counts or file sizes, a hacker could upload a malicious file claiming to be an image.

All input fields, including form fields, audio, video, and command line inputs, among others, are susceptible to this vulnerability. This exploit was responsible for the first jailbroken iPhone. [7]
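The image-upload validation described above, as an added example rather than code from the original post: the declared extension must be on an allowlist, the file's own header must agree with that extension, and both the byte size and the pixel count read from the header are capped before any image library decodes the data. The PNG/GIF-only allowlist and the size limits are assumptions chosen for the illustration; the sample uploads are constructed.

```python
import struct

MAX_FILE_BYTES = 5 * 1024 * 1024      # assumed cap on the raw upload
MAX_PIXELS = 25_000_000               # assumed cap (5000 x 5000); bounds memory at decode time

def _png_dimensions(data):
    """PNG: 8-byte signature, then the IHDR chunk with big-endian width/height."""
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

def _gif_dimensions(data):
    """GIF: 'GIF87a'/'GIF89a' header followed by little-endian 16-bit width/height."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])

# Allowed extensions and the header check that must agree with each one.
PARSERS = {"png": _png_dimensions, "gif": _gif_dimensions}

def validate_image_upload(filename, data):
    """Return (accepted, reason). Runs before any image library touches the bytes."""
    if len(data) > MAX_FILE_BYTES:
        return False, "file too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    parser = PARSERS.get(ext)
    if parser is None:
        return False, "extension not allowed"
    dims = parser(data)
    if dims is None:
        return False, "content does not match declared image type"
    width, height = dims
    if width == 0 or height == 0 or width * height > MAX_PIXELS:
        return False, "unreasonable pixel count"
    return True, "ok"

def _png(width, height):
    """Build the first 29 bytes of a PNG (signature + IHDR) as constructed test input."""
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00")

# Constructed sample uploads (not real files from the article).
SAMPLE_PNG_OK = _png(640, 480)
SAMPLE_PNG_HUGE = _png(60000, 60000)                      # header claims 3.6 gigapixels
SAMPLE_GIF_OK = b"GIF89a" + struct.pack("<HH", 320, 240) + b"\xf7\x00\x00"
SAMPLE_NOT_AN_IMAGE = b"#!/bin/sh\necho this is not an image\n"   # script bytes with an image name
```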

04. Build Threat Models To Defend Data

Threat modeling is a method used to deeply understand the problem that is being solved, where issues may exist, and strategies to defend against them.

A well-informed threat model insists the team understand how different operating systems, platforms, frameworks, and external APIs transfer and store their data. Building on top of frameworks and connecting with third-party APIs can expose you to their inefficiencies as well. [8]

05. Obfuscate To Prevent Reverse Engineering

You may be asking how you can possibly prevent reverse engineering.

In many cases, developers have the necessary skills and tools to build convincing replicas of a mobile app’s UI without gaining access to the source code. Proprietary business logic, on the other hand, requires much more thought and effort.

Commercial-grade obfuscation tools are available to make the business logic less readable and difficult to understand.

Developers use indentation to make their code more readable to humans, although the computer does not care about proper formatting. This is why minification, which removes all spaces, maintains functionality but makes it more difficult for hackers to understand the code.

Mobile App Security Testing and More

We’ve covered some of the most common mobile app security threats and best practices to defend against them, but this is by no means a complete list.

We didn’t even cover penetration testing, similar to ethical hacking, in which you attempt to find a vulnerability to exploit as a hacker would. While it’s best to start thinking about security from the beginning, it will likely be a concern throughout the life of your company.

Building a secure mobile app requires collaboration between developers, security experts, marketers, and C-level executives. Security protocols for individual password strength and the proper use of analytics tracking pixels, for example, are strategies that require buy-in from the whole team.

Another consideration for your mobile app security efforts is compliance. With the arrival of GDPR and other regulations to follow, it’s important to have a firm understanding of how your mobile app security is handled.

For more information about mobile app regulation and intelligent mobile marketing, check out our white papers, webinars, and case studies.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
