This year, remote work and social distancing have led people to rely on their mobile devices more than ever. According to App Annie, consumers spent 1.6 trillion hours on mobile in the first six months of 2020, with a 220% increase in time spent in business apps. For mobile app developers, this increase in demand should mean a renewed focus on security.
Unfortunately, many mobile developers feel pressure to get to market quickly with their apps. This means that they may neglect to implement security measures that could prevent commonly executed mobile attacks. For app publishers, the consequences of a mobile app attack could include the loss of intellectual property, customer- or developer-sensitive data, revenues and more.
As a part of National Cybersecurity Awareness Month, we’re highlighting three reasons why mobile apps may need even more protection in the remote economy.
As competition for users’ attention heats up, some competitors may look to nefarious tactics to gain market share for their mobile apps. For example, bad actors could scan for a lack of code hardening techniques to quickly select a list of targets for reverse-engineering. For static analysis attacks, malicious actors use disassemblers or decompilers to gain access to the code of applications and look for sensitive information, or parts of the app that are valuable for further analysis. The goal may be to exploit or modify the app in some way.
Business implications of these attacks could be severe. One scenario could be a competitor cloning entire apps or copying valuable logic instead of developing their own solutions. This results in a loss of competitive advantage for the targeted party.
Beyond static attacks alone, many attackers look to understand the ways in which an application works, or attempt to modify the app’s behavior at runtime. These are called dynamic analysis and runtime attacks. In this scenario, the attacker will initially run an app on a test device, where they may try to gain insight into its inner workings and modify the way in which the application functions. They may then attempt to distribute or share modified apps. A lack of runtime application self-protection (RASP) mechanisms can make these attacks effortless to execute.
Dynamic analysis and runtime attacks can result in revenue losses or sensitive data loss. For example, an adversary could circumvent license checks to get premium content for free and distribute a modified app to a wider audience through third-party app stores. This piracy tactic is prominent in gaming, utility and media apps.
Many app developers may not be aware that the default encryption and application signing mechanisms offered by the iOS and Android app stores are not enough to protect their applications against tampering and reverse-engineering.
For example, Apple’s system encrypts the code of applications submitted to the App Store. However, all applications must be decrypted before they can be executed. The decrypted instructions can be dumped from memory and reconverted into the original unencrypted application by a variety of tools available for jailbroken devices. That means that as long as an application can be installed and run on a jailbroken device, Apple’s code encryption will not prevent it from being reverse-engineered.
This is just one example of why the basics are not enough to protect mobile applications. Developers should take a layered approach to security to protect their applications against common attacks based on reverse-engineering and tampering. A combination of code hardening, RASP and real-time threat monitoring can address mobile app security throughout the development lifecycle.
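To make the RASP and monitoring layers concrete, here is an added Android example (not code from the original post or from any vendor it describes) of the kind of runtime self-check that the license-circumvention scenario above is missing. It verifies at runtime that the installed APK is still signed by the expected release certificate, refuses to unlock premium features when a debugger is attached or the build is debuggable, and reports each failure to a telemetry sink so the monitoring layer can see tampering as it happens. The expected certificate hash is a placeholder, the `TelemetrySink` interface is a hypothetical hook for whatever reporting the app already has, and the code assumes `minSdk` 28 (the `signingInfo` API).

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Debug;
import java.security.MessageDigest;

/**
 * Minimal RASP-style integrity checks gating a license decision.
 * Illustrative example: one defensive layer, not a complete protection product.
 */
public final class RuntimeIntegrity {

    // PLACEHOLDER: replace with the SHA-256 of your own release signing certificate
    // (e.g. from `apksigner verify --print-certs`). All-zero value is a stand-in only.
    private static final byte[] EXPECTED_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    /** Hypothetical reporting hook; wire to the app's existing telemetry channel. */
    public interface TelemetrySink {
        void report(String event);
    }

    private RuntimeIntegrity() {}

    /** True only if the installed APK is signed by exactly the expected certificate. */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            // A re-signed (tampered) APK carries a different signer; multiple signers are unexpected here.
            if (signers == null || signers.length != 1) {
                return false;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(signers[0].toByteArray());
            // Constant-time comparison of the certificate hash.
            return MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256);
        } catch (Exception e) {
            return false; // fail closed on any lookup or hashing error
        }
    }

    /** True if a debugger is attached or the build was shipped as debuggable. */
    public static boolean debuggingDetected(Context ctx) {
        boolean debuggableBuild =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return Debug.isDebuggerConnected() || debuggableBuild;
    }

    /**
     * Gate premium content on integrity first, then on the license itself,
     * and report the reason for every refusal so the monitoring layer sees it.
     */
    public static boolean premiumAllowed(Context ctx, boolean licenseValid, TelemetrySink sink) {
        if (!signatureMatches(ctx)) {
            sink.report("integrity.signature_mismatch");
            return false;
        }
        if (debuggingDetected(ctx)) {
            sink.report("integrity.debugger_present");
            return false;
        }
        if (!licenseValid) {
            sink.report("license.invalid");
            return false;
        }
        return true;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two design points follow from the layered-approach argument. First, these checks live inside the app, so on their own they can be located and patched out by the same dynamic analysis the post describes; they only raise the bar when the code that performs them is itself hardened (obfuscated, with the expected hash and the check logic not trivially findable). Second, the telemetry calls are what turn a local refusal into real-time threat monitoring: a spike in `integrity.signature_mismatch` events from one app version is an early signal that a modified build is circulating on third-party stores.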
With a proactive approach to security, development teams can secure the apps that drive the remote economy.