With the number of app downloads approaching 200 billion per year, and users installing an average of 35 apps on their smartphone, it’s clear that apps have become fully integrated into everyday life. However, this also means that bad actors target apps, and are looking to steal money or data or to hijack them for their own malicious ends.
This makes mobile app security a major concern for any business which offers apps to its customers or otherwise engages in app development. Without the right app security, hackers can steal data by reverse-engineering the program’s code or attacking application vulnerabilities.
To avoid the potentially ruinous reputational and financial consequences of compromised app security, it’s vital to understand what vulnerabilities mobile applications face.
How Mobile Apps Put You at Risk
1. Pirated network activity
One of the main ways that attackers harvest data and private information through apps is by ordering the program or device to send it to them. This kind of unauthorized activity is known as exfiltration and makes use of channels ranging from email and SMS to connection processes such as UDP or TCP sockets.
To prevent attackers breaching app security and gaining control of these channels, it’s necessary to harden the code at the app’s most vulnerable points. The best code protection, such as that provided by Intertrust’s whiteCryption, focuses on securing the source code to prevent reverse-engineering.
2. Exploiting single sign-on access
To avoid creating separate user profiles for every service consumers use, many apps offer the option of signing in through Facebook, Gmail or another account they’re already logged in to. This is very convenient for the users and also the businesses involved because it creates a continuity of activity across the digital sphere.
However, this single sign-on also threatens app security in two ways: If the sign-on account gets compromised, attackers can access every associated app or service. Or the reverse can occur, where a hacked app ends up giving access to the account.
3. Unencrypted data and storage issues
The abundance of data held by apps creates a veritable pot of gold for would-be attackers to aim for. Successful hacks result not only in reputational damage but can draw huge regulatory fines, such as the $225 million fine handed to British Airways or the $122 million Marriott Hotels paid up after failing to adequately protect the details of 339 million guests. The problems for app security lie in data encryption and storage. The first line of defense is preventing attackers from gaining access to data; the next is ensuring that anything they do find remains encrypted and impossible to use.
Intertrust’s leading mobile app security protects applications and the data they contain through a variety of methods including application shielding and cryptographic key protection. This multi-faceted approach makes it the perfect solution across industries, including financial services, automotive, and the healthcare sector.
4. Hidden dialing, message sending, and unauthorized payments
Once bad actors seize control of an app, or breach application permission vulnerabilities, they can exploit it for various money-making schemes. For example, they can instruct the device to call or send messages to premium numbers connected to the hackers or make unauthorized payments through Google Play or Apple Pay.
In order to best protect your customers, mobile app security should be performed at a source code level. Additional essential security measures include penetration testing and integrity monitoring to detect malicious code modifications.
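The integrity monitoring mentioned above can be sketched as a comparison of installed files against an authenticated list of known-good digests. This is an added example, not Intertrust's code or part of the original article; the file names, contents and key are constructed, and the HMAC key is assumed to be held outside the app, for instance by a backend that performs the check.

```python
import hashlib
import hmac
import json

def _digests(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def _mac(digests, key):
    # Canonical JSON (sorted keys) so the MAC is stable across runs.
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_baseline(files, key):
    """Release-time step: record known-good digests and authenticate the list."""
    digests = _digests(files)
    return {"digests": digests, "mac": _mac(digests, key)}

def check_integrity(files, baseline, key):
    """Compare current files with the baseline; refuse a forged baseline."""
    if not hmac.compare_digest(_mac(baseline["digests"], key), baseline["mac"]):
        raise ValueError("baseline failed authentication")
    known, current = baseline["digests"], _digests(files)
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "removed": sorted(p for p in known if p not in current),
        "added": sorted(p for p in current if p not in known),
    }

# Constructed sample data: file names and contents are illustrative only.
KEY = b"constructed-demo-key"
RELEASE = {"classes.dex": b"original bytecode", "lib/libnative.so": b"native code",
           "assets/config.json": b'{"api": "https://api.example.com"}'}
INSTALLED = dict(RELEASE)
INSTALLED["classes.dex"] = b"original bytecode + injected call"
INSTALLED["assets/extra.bin"] = b"unexpected file"
del INSTALLED["assets/config.json"]

if __name__ == "__main__":
    print(check_integrity(INSTALLED, build_baseline(RELEASE, KEY), KEY))
```

Authenticating the baseline matters as much as the digests: without the MAC check, whoever modifies the code can rewrite the digest list to match.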
5. Insecure connections
Data transmission presents another vulnerable point for sensitive information, such as when a user communicates with your business’ server to perform an activity. If an attacker gains access to the cryptographic keys used to secure either end of the TLS connection, they can decrypt the data, inject malicious code, or masquerade as a legitimate device. This vulnerability in transport can be addressed by securing TLS keys from end-to-end. Intertrust’s Secure Key Box for TLS protects keys used to establish the connection, as well as the session keys used to secure the transmissions.
6. Location tracking
Location data is one of the most common pieces of information that data monetizers seek from consumers because it’s a relatively unobtrusive means of ad targeting and monitoring their activity. Malicious app attackers are no different, and apps are particularly attractive due to the permissions that are regularly granted to them.
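Hidden dialing and message sending (item 4) and location tracking (item 6) both depend on permissions the app has requested, so a build-time audit of the decoded Android manifest is one way to keep that set minimal. This is an added example, not code from the original article; the sample manifest and package name are constructed, and the `justified` allowlist is a hypothetical parameter for permissions the team has reviewed and accepted.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android permission -> the risk from this article that it makes possible.
RISKY = {
    "android.permission.SEND_SMS": "hidden message sending",
    "android.permission.CALL_PHONE": "hidden dialing",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location tracking",
}

# Constructed sample: a decoded manifest from your own build output.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def audit_permissions(manifest_xml, justified=frozenset()):
    """Return sorted (permission, risk) pairs that are requested but not justified."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    # Both declaration forms grant the permission, so both are inspected.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(f"{{{ANDROID_NS}}}name")
            if name in RISKY and name not in justified:
                findings.add((name, RISKY[name]))
    return sorted(findings)

if __name__ == "__main__":
    # Hypothetical policy: a flashlight app has no reviewed need for any of these.
    for permission, risk in audit_permissions(SAMPLE_MANIFEST):
        print(f"REVIEW {permission}: enables {risk}")
```

Run as a CI step, a non-empty result can fail the build until the permission is removed or added to the reviewed allowlist.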
With the rise of Bitcoin and other cryptocurrencies, device processing power holds tremendous value to cybercriminals. The ability to create enormous botnets of infected devices and harness their CPUs to mine cryptocurrency has popularized cryptojacking attacks. The phenomenon has spread to apps as well, where compromised apps run on a user’s smart device while secretly sending computing power to the cryptojackers.
A multi-layered approach is key
To be truly effective, mobile app security needs a multi-layered approach as application vulnerabilities exist right from initial software development all the way through to the daily session login of the user. With this in mind, Intertrust has developed its signature mobile application shielding suite, whiteCryption Code Protection and Secure Key Box.
To find out what Intertrust and whiteCryption can do for you, talk to our team of experts today.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.