Page 40 - Cyber Defense eMagazine June 2020 Edition
Organizations that neglect security do so at their peril. Certainly, they may be able to get apps in the
hands of end-users faster without adding security protections, but should an attacker compromise their
app, the damage to their reputation and their revenue stream could far outweigh any advantage. Brands
whose apps have suffered security breaches must often spend millions repairing their brand, fighting
lawsuits and compensating consumers, not to mention the danger they face having their own data stolen
or encrypted for ransom. In fact, attackers are already taking advantage of the pandemic and people’s
increased reliance on mobility. For example, a recently released Covid-19 tracking app turned out to be
ransomware.
One of the big problems, of course, is knowing where to start. It can feel overwhelming. After all, a
development group can spend months fixing hundreds of vulnerabilities, while a cybercriminal only needs
to find one to mount a successful attack. But while you can’t necessarily anticipate every possible attack,
you can address the most serious vulnerabilities, and the Open Web Application Security Project
(OWASP) has already identified the most important vulnerabilities found in mobile apps. Protecting
against these will significantly increase the security posture for your apps.
Broadly speaking, here are the areas that require the most attention:
Reverse engineering and app tampering protections: Most apps are not protected against attempts to
probe them to discover exactly how they work. By tampering, debugging and reverse engineering apps,
hackers can not only identify promising vectors for attack, but they can also create malware that closely
resembles the real app, which they can then distribute to end-users. Using techniques such as app
shielding, developers can prevent hackers from gaining access to the internal operations of their apps.
It’s critical to make sure app shielding is properly implemented, however, because if it’s done poorly,
hackers can turn off the protections it provides.
App shielding is best implemented alongside code obfuscation, which makes the compiled executable unintelligible when it is decompiled or disassembled, so that hackers cannot recover the program logic and glean useful information from it. Together, these two measures can prevent hackers from picking an app apart to recreate it or identify coding vulnerabilities.
Securing data storage: End-users are very concerned about the security of their personally identifiable
information (PII) such as passwords, bank accounts and credit card numbers … and they should be. In
many apps, this information is stored on the device without any protection at all. As a result, anyone who
can get into the phone — a trivial task for a sophisticated hacker in possession of the device — can read
or export all the data it stores. For the most part, that’s what thieves are after when they steal a device.
They can make much more money off financial fraud and credential theft than they could by simply selling
the device on the black market.
Data on the device must be encrypted, both at rest and in use, which means data will be completely unreadable to anyone who does not possess the encryption key to decrypt it. It’s important to use a strong, current algorithm, as older encryption algorithms may be vulnerable to cracking. The Advanced Encryption Standard using encryption keys that are 256 bits in length — known as AES-256 encryption — is the industry standard.
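The encrypt-before-store rule described above, as an added example that is not from the article: a small Go program (chosen for its standard-library AES support) that seals a record with AES-256-GCM before it is written to device storage. GCM is an authenticated mode, a detail the article does not cover, so a blob that has been modified on the device is rejected rather than decrypted to garbage; the record, the field label and the 32-byte key are constructed for the demo, and the key is assumed to come from the platform's hardware-backed keystore rather than from anything stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-256-GCM cipher. Keys that are not 32 bytes are rejected
// so a mis-sized key cannot silently select AES-128/192 instead of AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record before it is written to device storage. The
// output is nonce || ciphertext || tag, so only the key is needed to read it;
// the label (e.g. the field name) is bound as associated data, so a blob
// cannot be copied into another field unnoticed. (Constructed demo helper.)
func SealRecord(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// OpenRecord decrypts a blob produced by SealRecord. A modified blob, a wrong
// key or a wrong label fails authentication and yields an error, not garbage.
func OpenRecord(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], []byte(label))
	}
	return nil, errors.New("blob too short to contain a nonce")
}
```

The key used below is a constant only for the demo; storing a real key next to the encrypted data would defeat the protection.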
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.