June 14, 2020

    3 Insights into How Mobile App Hackers Think

    Hackers often attempt to infiltrate vulnerable mobile applications and do major damage to organizations; these attacks can result in anything from counterfeit apps to customer data theft. According to Symantec’s 2019 Internet Security Threat Report, more than 10,500 malicious apps are blocked per day. What’s more, research from CleverTap showed that 71% of all fraud transactions came from mobile apps or mobile browsers in Q2 of 2018.

    Understanding how and why hackers target mobile apps can help you stop these attacks before they reach your organization. Here are some insights about mobile app security that can inform your defense strategy.

    1. Mobile App Hackers May Have Complex Motives

    Often the first step in mobile app defense is understanding why a hacker would want to target your app in the first place. Motives can vary depending on your industry or the nature of data stored within your app, but the most common ones include: 

    • Financial Gain: Some hackers steal personal or payment data to use directly or to resell on criminal marketplaces. Less direct but still financially motivated goals include tampering with an app to unlock paid features or in-game purchases for free.
    • Espionage: Some hackers are after information rather than direct profit, for example material for blackmail or commercial and state secrets. They "listen in" on an application's data and traffic, often on behalf of nation-states or competing corporations.
    • Exploiting Data: Whether the target is the organization's data or the end user's, hackers often harvest credentials and other data collected by a mobile application and reuse it in further attacks (phishing, credential reuse against other services, network attacks, and more).
    • Denying Service: Distributed Denial of Service (DDoS) attacks aim to stop a website, API or other service from working, for example by flooding the backend an app depends on. Motivations range from revenge to political statements and beyond.
    • Reputational Hacks: Some hackers, including security researchers, want to promote themselves or their organization by demonstrating their skills, which often takes the form of reporting vulnerabilities to the affected company.
    • Malicious "Fun": Some hackers target apps without regard for the consequences, simply because they can and because it is an entertaining way to prove their skills (related to the point above).

    2. Hackers Look for “Easy Target” Apps

    Regardless of their motives, most hackers look for “low-hanging fruit.” In other words, they aim for apps that are easy to exploit. It’s like the old joke: You don’t have to outrun the bear; you just have to outrun the other guy. 

    Unfortunately, many organizations prioritize time-to-market over security, making common mistakes that result in their apps becoming easy targets for attacks. These mistakes could include: 

    • Lack of multifactor authentication (MFA): A relatively simple fix, MFA adds an extra hoop that an attacker holding stolen credentials must still jump through.
    • Insufficient encryption: Encrypting data at rest and in transit ensures that an attacker who obtains the device storage or the network traffic cannot read it without the key. Note that this only helps if the key itself is not trivially recoverable from the app.
    • Insecure data storage: Storing sensitive customer information (e.g. credit card or account numbers) in plaintext on the device is a particular problem for banking, retail and similar apps, where a rooted device or a device backup can expose it.
    • Easily accessible, unobfuscated code and/or apps without Runtime Application Self-Protection (RASP): Unobfuscated code lets an attacker decompile the app and search for identifiable patterns (API keys, licence checks, cryptographic routines), and an app without RASP cannot detect or react when it is debugged, hooked or modified at runtime.

    Without these defenses in place, applications can easily be reverse-engineered or otherwise tampered with by hackers, potentially exposing valuable data.

    3. Mobile App Attacks Have Many Phases

    The perception is often that a mobile security attack happens quickly, or that it is a one-time event. In reality, hackers may take many discrete steps over months before, during and after an attack to gather intel, execute the actual attack, and avoid getting caught. Here are the phases of a typical mobile application attack:

    • Reconnaissance: In this initial phase the hacker selects a target consistent with their overall goals (e.g. financial profit, game cheating, denial of service) and identifies candidate applications to attack or exploit.
    • Scanning: In this phase the attacker analyzes the app statically (decompiling it and reading its code) and dynamically (observing its behavior) to understand how it works and how it is protected. The goal is to identify vulnerabilities that can be turned into an active attack.
    • Gaining Access: At this stage the vulnerabilities found during reconnaissance and scanning are exploited to gain access. Typical techniques are attaching a debugger, hooking functions, modifying code and exfiltrating data.
    • Maintaining Access: The techniques used in the previous phase are labor-intensive and require considerable expertise and patience. Now the attacker wants to automate the exploit and, ideally, make it persistent so it can be deployed at scale. In some cases another app or webpage uses the discovered weakness to capture valuable data such as credit card numbers; in others the exploit itself is monetized (e.g. a cracked version of a game sold on underground markets).
    • Covering Tracks: Having gained and maintained access, the attacker must stay hidden from detection. A financial app, for example, will be backed by fraud-detection processes that, once triggered, close off the exploit. The attack must therefore leave as few telltale traces as possible to maximize the attacker's profit. If the attack is detected, it will be examined forensically to determine the source of the exploit, which can bring unwanted attention from law enforcement, including imprisonment; the attacker is highly motivated to leave no trace.

    Fortunately, code hardening techniques such as obfuscation and encryption vastly complicate the static analysis phase, and RASP can detect and block the active attack tools (debuggers, hooking frameworks) that hackers rely on to build an exploit. Together, these application security measures make an app an extraordinarily difficult target, which is exactly what pushes attackers toward easier ones.

    Common Attacks Fly Under the Radar

    Unfortunately, many mobile app attacks fly under the radar of development teams because proper defenses and real-time threat monitoring are not in place. For example, many hackers reverse engineer and analyze an app's code to find and expose sensitive information such as embedded keys and business logic. Code hardening techniques such as encryption and obfuscation make this analysis far more costly, although no obfuscation is unbreakable and a secret that is decoded at runtime can still be captured there.
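    As an added example (not Guardsquare's code), the following C illustrates the string-hardening point made in the "unobfuscated code" bullet above and in this paragraph: a hypothetical API key is stored XOR-encoded so that a `strings`/grep pass over the binary finds nothing, and it is decoded only at the moment of use. The secret value, the key bytes and the search term are constructed for the demo; a fixed XOR key is a toy stand-in for the stronger, per-build encryption real hardening tools use, and is kept simple so the encoded bytes can be checked by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical secret (constructed for this demo) stored as plaintext XOR a
 * 4-byte rotating key. Only this table and OBF_KEY reach .rodata; the
 * plaintext never appears as a literal anywhere in the binary. */
static const uint8_t OBF_KEY[4] = { 0x5a, 0xc3, 0x17, 0x8e };
static const uint8_t OBF_SECRET[12] = {
    0x29, 0xa8, 0x48, 0xe2, 0x33, 0xb5,
    0x72, 0xd1, 0x6b, 0xf1, 0x24, 0xba
};

/* Decode the secret into caller-owned memory just before it is needed.
 * Returns the number of bytes written (excluding the NUL), or 0 if `cap`
 * is too small. The caller wipes `out` as soon as the secret has been used. */
size_t decode_secret(char *out, size_t cap)
{
    if (cap < sizeof OBF_SECRET + 1)
        return 0;
    for (size_t i = 0; i < sizeof OBF_SECRET; i++)
        out[i] = (char)(OBF_SECRET[i] ^ OBF_KEY[i % sizeof OBF_KEY]);
    out[sizeof OBF_SECRET] = '\0';
    return sizeof OBF_SECRET;
}

/* Stand-in for `strings <binary> | grep needle`: does a byte range contain
 * the ASCII needle verbatim? Returns 1 if found, 0 otherwise. */
int bytes_contain(const uint8_t *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Zero a buffer in a way the optimizer will not remove. */
void wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--)
        *v++ = 0;
}

int main(void)
{
    char key[32];
    size_t n = decode_secret(key, sizeof key);

    /* Static view: the stored table does not contain the prefix an analyst
     * would grep for ("sk_live" here is the analyst's search term, not the
     * secret), so `strings` on this binary reveals nothing useful. */
    printf("static scan finds prefix: %d\n",
           bytes_contain(OBF_SECRET, sizeof OBF_SECRET, "sk_live"));

    /* Runtime view: once decoded, the secret sits in memory in the clear. An
     * attacker who hooks decode_secret() or dumps the process still gets it,
     * which is why string encryption is paired with RASP-style checks. */
    printf("runtime scan finds prefix: %d\n",
           bytes_contain((const uint8_t *)key, n, "sk_live"));

    wipe(key, sizeof key);
    return 0;
}
```

    Build it with `cc -O2 -o demo demo.c` and run `strings demo | grep sk_live`: the only hit is the grep needle embedded by the harness itself, never the decoded value. The second printed line is the caveat that matters in practice: static hardening raises the cost of the scanning phase, but a secret that is decoded at runtime is exposed at runtime, so the decoder itself needs the runtime protections discussed next.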

    Many hackers attack applications at runtime, for example by intercepting operating system or library function calls to alter their behavior (a hooking attack, typically carried out with an instrumentation framework injected into the process). This and other forms of application tampering can be detected by real-time app security monitoring and stopped by RASP.
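    To make the hooking point concrete, here is an added example in C (not Guardsquare's RASP implementation) of the kind of runtime self-check a RASP layer performs on Android/Linux: it reads /proc/self/status to see whether a ptrace-based debugger is attached and /proc/self/maps to see whether a hooking framework such as Frida, Substrate or Xposed has been loaded into the process. The /proc samples, the process name and the file paths in them are constructed for offline testing; the same parsing logic is also run against the live /proc of the current process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc samples for offline use (process name and paths are
 * invented). On a device the text comes from /proc/self/status and
 * /proc/self/maps. */
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tcom.example.bank\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t10123\n";
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tcom.example.bank\nState:\tt (tracing stop)\nTracerPid:\t4242\n";
static const char SAMPLE_MAPS_CLEAN[] =
    "7a1c2d3000-7a1c2d5000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7a1c3e0000-7a1c3f0000 r-xp 00000000 fd:00 5678 /data/app/com.example.bank/lib/arm64/libapp.so\n";
static const char SAMPLE_MAPS_FRIDA[] =
    "7a1c2d3000-7a1c2d5000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7b0000a000-7b01f00000 r-xp 00000000 fd:00 9999 /data/local/tmp/re.frida.server/frida-agent-64.so\n";

/* Parse the TracerPid line of a /proc/self/status image. Returns the tracer
 * pid (>0 when a ptrace client such as a debugger is attached), 0 when none
 * is, or -1 if the field is missing. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (!p)
        return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Library name fragments that common instrumentation frameworks leave in a
 * process's memory map once injected. */
static const char *const HOOK_MARKERS[] = {
    "frida-agent", "frida-gadget", "libsubstrate", "libxposed"
};

/* Count mapped objects whose path contains a known hook-framework marker.
 * `maps_text` is the content of /proc/self/maps (one mapping per line). */
int hook_markers_in_maps(const char *maps_text)
{
    int hits = 0;
    for (const char *line = maps_text; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        for (size_t i = 0; i < sizeof HOOK_MARKERS / sizeof *HOOK_MARKERS; i++) {
            size_t mlen = strlen(HOOK_MARKERS[i]);
            for (size_t j = 0; j + mlen <= len; j++)
                if (memcmp(line + j, HOOK_MARKERS[i], mlen) == 0) { hits++; break; }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return hits;
}

/* Read a /proc file fully (they report size 0, so read until EOF).
 * Returns malloc'd NUL-terminated text, or NULL on failure. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return NULL;
    size_t cap = 1 << 16, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 == cap) {
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); buf = NULL; }
            else buf = nb;
        }
    }
    fclose(f);
    if (buf)
        buf[len] = '\0';
    return buf;
}

/* Live check of this process. Bitmask: 1 = tracer attached, 2 = hook
 * framework mapped; -1 if /proc is unavailable (non-Linux platform). */
int runtime_instrumentation_flags(void)
{
    char *status = slurp("/proc/self/status");
    char *maps = slurp("/proc/self/maps");
    int flags = -1;
    if (status && maps) {
        flags = 0;
        if (tracer_pid_from_status(status) > 0) flags |= 1;
        if (hook_markers_in_maps(maps) > 0)    flags |= 2;
    }
    free(status);
    free(maps);
    return flags;
}

int main(void)
{
    printf("sample traced by pid: %ld\n", tracer_pid_from_status(SAMPLE_STATUS_TRACED));
    printf("hook markers in sample map: %d\n", hook_markers_in_maps(SAMPLE_MAPS_FRIDA));
    printf("this process: flags=%d\n", runtime_instrumentation_flags());
    return 0;
}
```

    Two caveats a practitioner should keep in mind. First, an attacker who already hooks libc can hook `fopen`/`fread` as well and feed these checks a clean picture, so production RASP issues raw syscalls, repeats the checks from several places in the code, and reacts in ways that are hard to patch out rather than with a single `if`. Second, a positive result is a signal, not proof: developers legitimately attach debuggers, so the response (refuse to decode secrets, degrade functionality, report to the backend) should be chosen per app rather than hard-coded as a crash.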


    Guardsquare
