This blog explores:
- Mobile app security is cybersecurity! The perception that mobile app security is covered by ensuring end-users have the most recent OS patch isn’t comprehensive enough. Mobile apps require protection beyond what a platform can offer.
- Many of the top mobile app security weaknesses are also cybersecurity concerns because a weak protection strategy leaves your mobile app vulnerable to threat actors.
- Guardsquare’s three steps for increased mobile app security and cybersecurity safety are to protect, test, and monitor your app.
October is upon us, and that means it’s Cybersecurity Awareness Month. Every October, the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA) co-lead efforts to build awareness around how organizations can empower their employees and customers to stay safe online.
While this year’s theme, “See Yourself in Cyber,” is geared towards individuals practicing cybersecurity safety basics, we want to highlight the importance of developers adopting mobile app security best practices to ensure the quality, integrity and end user experience of the mobile app or game.
Some developers believe that mobile app security concerns are completely addressed as long as the device is updated with the latest OS patch. In reality, threat actors can reverse engineer and exploit vulnerabilities in the mobile app itself. This can have a direct impact on a company’s brand reputation and direct app revenue.
Cybersecurity and mobile app security
Mobile app security is focused on eliminating vulnerabilities in mobile app software that threat actors exploit. As a developer, it is important to protect your IP and revenue, ensure compliance, protect brand reputation, AND safeguard the same user data that threat actors are after.
In one of our previous posts, we identified three of the most common mobile app security challenges for businesses: preventing fraud, preventing cloning attempts, and ensuring regulatory compliance. All of these stem from cybersecurity concerns.
For example, mobile banking apps must meet regulatory compliance requirements because they handle sensitive consumer data. Failing to meet compliance requirements due to a weak mobile app security strategy will delay your time to market. The banking apps that do make it to market with vulnerabilities risk being exploited after release, which will significantly harm their brand reputation.
Recently, Symantec’s Threat Hunter Team discovered that over 1,800 apps had hard-coded Amazon Web Services credentials easily accessible in the mobile app’s code. The credentials easily enabled someone to access AWS resources and even steal users’ data. Data breaches are costly, and research like this highlights the importance of following recommended security standards like those detailed in OWASP’s MASVS. These recommendations include using code hardening techniques, which assist in protecting sensitive information against cybersecurity threats.
Curious to see how other common mobile app security vulnerabilities align with cybersecurity concerns? Let’s talk about the OWASP mobile risks list.
OWASP mobile risks and cybersecurity
The Open Web Application Security Project (OWASP) published the top 10 mobile app security risks, compiled from a worldwide group of security professionals. It is a great starting point for developers looking to address the most common mobile app security risks. We will discuss options for addressing the OWASP recommendations in depth in an upcoming blog How to Protect Your Mobile App Using the OWASP MASVS Security Standard.
In the meantime, we’ve provided a brief reference of the Mobile Top 10 in the table below.
| Risk | Description |
| --- | --- |
| M1: Improper Platform Usage | Misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. |
| M2: Insecure Data Storage | Unsecured local storage that an adversary can access via a lost/stolen mobile device; malware or repackaged apps that attempt to access sensitive data your app has stored. |
| M3: Insecure Communication | When a mobile app transmits data, it must traverse the mobile device’s carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it’s traveling across the wire. |
| M4: Insecure Authentication | Authentication vulnerabilities can lead to loss of data and unauthorized privileges for a user. This can manifest when certain endpoints do not require authentication, where client-side authentication is relied upon, or if shared secrets and keys are stored on the device. |
| M5: Insufficient Cryptography | Anyone with physical access to data that has been encrypted improperly, or mobile malware acting on an adversary’s behalf, can extract secrets or sensitive data. Typically, this is observed when outdated or improper cryptography is used. |
| M6: Insecure Authorization | Authorization is the act of checking that the identified individual has the permissions necessary to perform the operation. Often endpoints are not performing checks because they are assumed to be hidden or private, or sometimes permission checks are not sufficiently validated. |
| M7: Client Code Quality | Passing untrusted inputs to method calls made within mobile code can lead to security vulnerabilities. For example, buffer overflows, memory leaks and insecure language constructs can be exploited. |
| M8: Code Tampering | Typically, an attacker will exploit code modification via malicious versions of apps hosted in third-party app stores. The attacker may also install the app via phishing attacks. Code should be hardened to protect against tampering. |
| M9: Reverse Engineering | An attacker will typically download the targeted app from an app store and analyze it within their local environment using a suite of different tools. Apps can protect themselves with checks for these characteristics. |
| M10: Extraneous Functionality | Typically, an attacker seeks to understand extraneous functionality within a mobile app to discover hidden functionality in backend systems. The attacker will typically exploit extraneous functionality directly from their own systems without any involvement by end-users. |
Having even one of these risks leaves your app exposed to threat actors actively looking to exploit vulnerabilities in your mobile app. Do you know how secure your apps are? Research shows that the vast majority of mobile apps on all operating systems have major security issues. In fact, in a recent study of over 150 mobile finance apps, researchers found that 84% of Android and 70% of iOS applications had at least one critical security vulnerability.
So, how do you protect your mobile app from security weaknesses that can become major cybersecurity threats?
Our mobile app security recommendations for Cybersecurity Awareness Month (and beyond)
For the Cybersecurity Awareness Month theme, “See Yourself in Cyber,” CISA and NCA released four steps that the end user should follow to stay protected. For mobile app developers, we have three key steps to improve your app’s cybersecurity posture and reduce your overall security risk. We also identify Guardsquare products that help developers meet the recommendations.
1. Protect
During your app’s development process, we recommend incorporating defenses against reverse engineering and tampering. This will thwart threat actors’ attempts to steal your intellectual property and use that information to modify and distribute compromised apps. Theft of intellectual property can impact revenue, brand reputation and the security of sensitive user data.
The best defense is multi-layered. This prevents your app from having a single point of failure. In addition, developers should consider polymorphic solutions which nullify any progress a threat actor may have made with each successive build of your app. Guardsquare’s comprehensive mobile app protection solutions, DexGuard (Android) and iXGuard (iOS), offer multiple layers of code hardening and runtime application self-protection (RASP).
2. Test
Despite the efforts and intentions of the best developers, security risks are both introduced and overlooked during the development process. For example, many developers fail to encrypt AWS credentials before releasing an app to production. Testing the code against security standards as part of the DevOps process can help address oversights like this. Developers can perform testing manually, but a security solution offers additional speed and accuracy. With the right tools, security vulnerabilities are found and addressed as soon as they are introduced.
Identifying vulnerabilities in a timely manner during development enables the team to bring their apps to market faster and with fewer security risks. AppSweep is a great example of a fast, accurate testing solution. It scans your code for security vulnerabilities and provides actionable recommendations on how to fix the issues. It is easily integrated into a standard DevOps process and is free to use.
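As an added illustration of the kind of check a DevOps pipeline can run before release (example code written for this post, not Guardsquare's code and not how AppSweep works): a minimal scanner for hard-coded AWS credentials in decoded app files, run over a constructed sample. The key values are the placeholders from the AWS documentation, the file paths are made up, and the entropy cutoff is an assumed tuning value.

```python
import math
import re
from typing import NamedTuple

# AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary) prefix.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: 40 chars of the base64 alphabet. Too loose on its own,
# so candidates are filtered by a hex check (git SHAs) and an entropy cutoff.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
HEX40_RE = re.compile(r"[0-9a-fA-F]{40}")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cutoff, tune against your own code base

class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # only a prefix is kept so CI logs never echo the secret itself

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group())))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            cand = m.group()
            if HEX40_RE.fullmatch(cand) or shannon_entropy(cand) < ENTROPY_THRESHOLD:
                continue  # likely a commit hash or a low-entropy identifier, not a key
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(cand)))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample of decoded app files, standing in for what a CI job would pull
# out of an APK; the key values are the placeholders from the AWS documentation.
SAMPLE_FILES = {
    "res/values/strings.xml": '<resources>\n  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
    '  <string name="aws_secret">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n</resources>\n',
    "build/version.properties": "commit=3f786850e387550fdab836ed7e6dc881de23001b\n",
}
```

A real pipeline would walk the unpacked build output and fail the job on any finding; the commit hash in the sample shows why a plain 40-character match is not enough.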
3. Monitor
Once you have comprehensive protection in place, we recommend monitoring your app once it is published. This enables you to observe which parts of your app threat actors are focusing on, and how, so you can better identify vulnerabilities. This information provides insights into vulnerabilities you might not be aware of and areas of your app that might need further protection, empowering you with the information you need to improve your mobile app security.
We offer real-time threat monitoring via ThreatCast so you can uncover how threat actors are attempting to exploit your app and continuously improve your security with intuitive dashboards, custom alerts, and actionable insights.
You can’t afford to ignore mobile app security
The cost of poor mobile app security is high. Whether you are concerned about losing revenue, protecting intellectual property, reputational damage, or preventing the theft of user data, it’s time to get serious about cybersecurity threats.
Ready to evaluate and strengthen your mobile app’s security posture? Start with a free security scan of your mobile app.