Why is it important to protect your mobile application?

Digital transformation is affecting every industry and the daily routine of virtually everyone with a smartphone. For many companies, their mobile application has become the primary channel for communicating with their customers.

For example, in banking, virtually all services are now offered via the mobile app. FinTechs—smaller companies developing highly efficient, high-quality applications—are competing with long-established banks by providing services that cover niches not previously covered by these large institutions.

For other industries where having a mobile app was not traditionally a priority, such as restaurants or retail chains, COVID has turned the mobile app into the only channel of communication for several months. Having this channel has allowed some of these businesses to survive, while others will not have enough time to adapt their business model.

As this channel is now the most important one for businesses, it has also become a major target for hackers. The reality is that in-app security was not a priority for many businesses; investment was primarily focused on application functionality. Developers protect their applications as best they can based on their knowledge, but the real priority is delivering business features, not hardening the application enough to discourage attackers. Reaching that level of hardening demands a greater effort and takes a long time.

There are many ways to attack an application. For expert hackers with many tools at their disposal, it is now very easy to take control of a mobile app, as we have read in so many recent articles and stories. With these tools, hackers can observe what the app is doing, disassemble and decompile it, or simply position themselves between the application and the external services it uses. In some cases, they exploit known vulnerabilities in iOS or Android.

What are the main mobile application vulnerabilities that attackers exploit and that my company should worry about limiting?

  1. Data is the primary target for the attacker: data stored on the device, or data the application retrieves from the central infrastructure. Attackers can later use this information in their attack.
  2. Exploiting known vulnerabilities in the device's operating system (as in jailbreaking or rooting), because by default all applications trust the security of the OS. If the operating system is compromised, extracting information from the application, or from wherever the application stores its data, becomes simple.
  3. Mobile communications. Assume the application is well protected at the device level and attacks 1 and 2 have failed. What about the communications leaving and entering the mobile device? One of the most common attacks is known as MiTM (Man-in-the-Middle), which occurs on connections that are not properly secured. The hacker "listens to and manipulates" the conversation between the mobile device and the central application.
  4. When the first three avenues seem covered, but the application or company remains attractive to attackers, more sophisticated attacks occur in which hackers "impersonate" the application's behavior. The user downloads an application whose interface and behavior are identical to the original, but whose goal is to obtain the data the user works with and to infiltrate, on a more permanent basis, the infrastructure that serves this application. To achieve this, attackers analyze the application, its interface, workflows and processes, and use reverse engineering.

Fortunately, companies are beginning to become aware of the magnitude of this problem. There is a trend toward modifying development processes to involve the security department in the early stages of development (known as DevSecOps). This means first identifying and limiting the most significant risks, and then implementing existing solutions that help harden the application, its code, its communications, and its data. Some of these solutions can be implemented without an exhaustive code review or drastic changes to the source code, which keeps implementation time short and makes the return on investment extremely fast.
