Five Mobile App Risks You Might Not Be Prepared for in 2020
Mobile applications and app stores have been around for about 12 years now, but many app owners still find themselves struggling to properly secure their mobile applications. Hackers are well aware of this, and often target mobile apps for financial fraud, data theft, and other criminal exploits. In this piece, we share five mobile app risks that businesses may not be prepared for in 2020, as well as some advice on how to get up to speed.
1. iOS Jailbreaks
Jailbreaking iOS devices allows hackers to change, copy or dissect developers’ apps. Jailbroken devices allow hackers to do any or all of the following:
- circumvent the encryption applied by Apple
- dump the decrypted code from memory
- expose sensitive IP and data
- modify the behavior of an app
- circumvent an app’s license checks or built-in security checks
The latest iOS jailbreak tool, checkra1n, is now in public beta, which means users will be testing it out and using it to hack iOS devices in the real world. As a result, developers need to take extra precautions to protect their iOS apps, including using jailbreak detection and code obfuscation.
2. iOS Piracy
Many people believe that iOS apps are less vulnerable to piracy than Android apps. This is unfortunately not the case. Using a third-party app store, it is possible to install so-called “tweaks” for certain apps. This lets users get their in-app “purchases” for free.
This is a surprisingly major issue, and one that doesn’t get a lot of attention. Our team was able to find pirated versions of more than 200 apps, easily accessible on the internet.
Piracy costs app owners a lot of money, yet most of them do not have sufficient protections built into their apps. We found that even the jailbreak detection mechanisms in place in about 10% of these apps are easily circumvented by hackers. This is why it’s key to take a multilayered approach to mobile app security.
3. Fake Apps
Another major and often underestimated issue is that of fake apps, or fraudulent app clones. A recent McAfee report found 65,000 new fake apps published in a single month. Fake apps are even being used in cyber espionage attempts.
So what exactly are fake mobile apps? They are Android or iOS applications that mimic the look and/or functionality of real applications to trick users into installing them. Once they have been installed, these apps can:
- aggressively display advertisements for revenue
- harvest credentials
- intercept sensitive data
- divert revenue from legitimate apps
- infect devices with malware
For app makers who want to protect their apps and users, code hardening and runtime application self-protection (RASP) effectively prevent mobile applications from being cloned and tampered with.
4. Kotlin-Written Android Apps
When Google declared Kotlin their preferred Android programming language, it quickly shot to the fourth fastest growing language. We anticipate its usage will continue to spread widely—likely overtaking Javascript in the near future.
Yet, many developers using the language do not fully understand security best practices, including how to protect Kotlin code against OWASP's well-known Mobile Top 10 risks, as explained in-depth here.
In 2020, developers must carefully educate themselves and their teams about Kotlin security and aim to fully protect their apps written using Kotlin. As with any other Java-based language, apps written using Kotlin must be protected against both static and dynamic attacks using a combination of code hardening and RASP.
5. Insecure Financial Apps
A Juniper Research report found that the number of people using mobile banking apps is approaching two billion—about 40 percent of the global adult population. Yet a report we recently released found that more than 50% of all banking and other mobile financial applications do not use sufficient code obfuscation, leaving those apps wide open to attacks.
Consumers today have a lot of options to choose from when it comes to banks and mobile financial applications. If a company loses their trust due to a mobile data breach, they can and will go elsewhere. Additionally, fines and legal consequences for fraud and data loss in the financial space can cripple a business.
If you operate in the mobile financial application space, it’s key to use security best practices to both protect your apps and to provide consumers with the peace of mind they need to do business with you.
Bonus: New Compliance Mandates
This one isn’t technically a threat, but there are a lot of new compliance mandates hitting the market recently, ranging from country-specific banking regulations to broader frameworks like PCI SPoC. Companies who don’t have a strategy in place to track these complex and evolving regulations and ensure they meet baseline requirements for the ones they are beholden to could find themselves in regulatory trouble or losing out on business deals.
What mobile app risks are you paying the most attention to in 2020?