By Winston Bond, European technical manager at Arxan
Whether it’s keeping organised and healthy, staying in touch with friends, or killing time on the commute, mobile apps have become a part of our daily lives. With innovative new apps emerging to fill every lifestyle niche, it’s little surprise that the app economy has exploded to become one of the most lucrative and exciting industries in the world. The UK’s app economy is predicted to be worth more than £30 billion by 2025 according to Google, and App Annie found revenues shot up by 30% last year alone.
However, for every imaginative developer creating helpful new additions to our lives, there are those using the popularity of apps as a way of attacking us and causing financial and personal harm. Criminals always go after easy targets, and apps are seen as increasingly vulnerable sources of sensitive data.
Cybercrime rates have soared in recent years, with 2.5 million crimes recorded in the latest figures released this month. According to SAP, 84% of all cyber attacks occur at the application layer, the point where software interacts directly with the user.
Mobile apps are uniquely vulnerable to attack because once they have been released, hackers are free to directly download them and access unprotected binary code. This enables them to analyse and even reverse-engineer code to change the app’s behaviour and inject malicious code.
Compromised apps could be used to covertly steal sensitive data from users or to spread malware that will infect other applications on their device.
Arxan’s State of Mobile Security report last year found that 97% of the top Android apps have been hacked and tampered with in some way, along with 87% for Apple. Despite the risks however, a 2015 Ponemon Institute study that was sponsored by IBM found that 50% of organisations had no budget at all allocated to protecting mobile apps.
One of the biggest challenges in keeping the world’s apps and their users safe is how fast the technology is progressing, on both sides of the fence. For example, downloading apps from official sources such as the Apple App Store and Google Play Store had previously been seen by many as a means to confidently download secure, trusted apps.
In September, however, it was discovered that some apps in Apple's App Store in China had been infected with malware known as XcodeGhost, with as many as 500 million users affected because extremely popular apps like WeChat were targeted.
On a similar note, while it is well known that users who “jailbreak” their phones to remove controls and limits expose themselves to greater risk from attack, hackers have increasingly been able to access non-jailbroken devices as well.
October saw the discovery of another Chinese malware attack named YiSpecter able to attack non-jailbroken devices, following on the heels of last year’s massive WireLurker attacks.
Keeping mobile apps safe
App stores have a monumental task in attempting to ensure each app is completely free of the risk of malware; the scale of the challenge is akin to manually checking every item in a supermarket for tampering. Just as we rely on food manufacturers to protect their products with tamper-proof seals, app developers need to ensure they can handle security themselves and prevent their apps from being cloned or corrupted.
The constant stream of news about breaches and malware discoveries may make the situation look hopeless, but the good news is that there are plenty of steps that can be taken to improve the protection of apps (and their users) from attack.
Developers generally take ample steps to review their application code and test it before the application is released. Surprisingly little, however, is done to protect the integrity of the application once it is "in the wild." Security needs to be implemented at the binary code level: the very DNA of the app itself.
One such method is code hardening, which puts in place built-in self-defence and tamper-resistant mechanisms. Defences are embedded directly into the code of apps just before they are deployed, giving them self-protection against compromise.
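As an added illustration of the tamper-resistance a code-hardening step can embed (example code written for this article, not Arxan's product or any code from the original): a release-time manifest of file hashes, authenticated with an HMAC under a placeholder signing key, that the app checks at startup, so that both a patched file and a manifest an attacker has re-hashed without the key are detected.

```python
import hashlib, hmac, os, tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _manifest_body(entries):
    return "\n".join(f"{n}={d}" for n, d in sorted(entries.items())).encode()

def build_manifest(paths, signing_key):
    """Release-time step: record each protected file's SHA-256 and MAC the list."""
    entries = {os.path.basename(p): file_digest(p) for p in paths}
    mac = hmac.new(signing_key, _manifest_body(entries), "sha256").hexdigest()
    return {"entries": entries, "mac": mac}

def check_integrity(manifest, directory, signing_key):
    """Runtime step: names of files that no longer match; '<manifest>' if it was forged."""
    entries = manifest["entries"]
    expected = hmac.new(signing_key, _manifest_body(entries), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["<manifest>"]
    tampered = []
    for name, digest in entries.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path) or not hmac.compare_digest(file_digest(path), digest):
            tampered.append(name)
    return tampered

def demo():
    """Sign two constructed files, then patch one and forge its manifest entry."""
    key = b"example-signing-key"  # placeholder; a real build keeps this off the device
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in (("payment.bin", b"\x7fELF payment logic"), ("ui.bin", b"ui code")):
            paths.append(os.path.join(d, name))
            with open(paths[-1], "wb") as f:
                f.write(data)
        manifest = build_manifest(paths, key)
        clean = check_integrity(manifest, d, key)
        with open(paths[0], "ab") as f:
            f.write(b"\x90")  # constructed edit standing in for injected code
        patched = check_integrity(manifest, d, key)
        manifest["entries"]["payment.bin"] = file_digest(paths[0])  # re-hash without key
        forged = check_integrity(manifest, d, key)
    return clean, patched, forged
```

Real hardening tools place the check and the expected values inside the protected binary rather than in a separate file, and combine it with anti-debugging and obfuscation so the check itself is harder to remove.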
Cryptography is one of the most important aspects of security, and cryptographic keys are vital for a whole range of security processes. Some of the most common include protecting digital assets (including media, software and devices), proving user identity, securing communications against eavesdropping and protecting the host card emulation (HCE) process used by many mobile payment solutions.
This makes keys central to app protection, but they can still be compromised, enabling attackers to run rampant. Hackers will often directly target cryptographic keys as a means of bypassing security, and a report from Verizon found 25% of attacks to be memory scraping, which can expose keys.
Implementing advanced techniques such as white-box cryptography can enable developers to keep their keys – and the rest of the application – as secure as possible by transforming the keys so that they cannot be identified.
Mobile apps will always be at risk and breaches will continue to happen; there are just too many variables and too many potential threats to ever assure complete protection. But by working proactively to address the risk with the latest security techniques, developers can ensure their apps are as safe as possible and help foster a vibrant mobile app economy.
Arxan provides the world's strongest application protection solutions. Arxan offers solutions for software running on mobile devices, desktops, servers, and embedded platforms, including those connected as part of the Internet of Things (IoT).