After a bit of a hiatus from in-person events for obvious reasons (*cough* COVID), we were thrilled to be back on site at the RSA Conference (RSAC) this year. While a lot of the usual topics were discussed, from highlighting the latest security solutions to broader conversations around navigating the continued evolution of the cybersecurity landscape, one thing we expected to see more of: focused discussion around mobile app security.
Though underrepresented, what we saw at RSAC is that mobile app security is gaining traction. This is in large part due to the fact that organizations are increasingly recognizing that leaving mobile apps unsecured (or with minimal security) can lead to a significant security event, even if they’ve invested in security solutions to cover every other aspect of the organization.
Here’s a recap of some of the biggest takeaways we identified from RSAC, and what they mean for organizations going forward.
Despite research showing that there were 230 billion mobile apps downloaded in 2021, a number that continues to increase every year, prioritizing mobile app security still tends to be an afterthought. In fact, the focus on mobile at RSAC really revolved around using mobile apps to exploit business logic with bots, and how decompiled apps could expose API information. Translation: the focus was on how mobile apps can serve as an entrypoint for malicious actors, not why and how the apps themselves need to be protected from a business standpoint.
This is a noteworthy point since an increasing number of organizations are leaning on mobile apps as a means to better engage with their customers. Without mobile app security in place, mobile apps become an exposed area on an organization’s end to end solution, and they are frequently left unchecked.
Our takeaway: Mobile is an increasingly valuable attack vector and organizations need to be proactive vs. reactive in their approach to mobile app security. This means implementing security earlier in the app development process to ensure it’s an integral part of the app’s design and development.
Saying “no one is safe,” might sound a bit extreme, but the sentiment stands: There is a very real need for mobile app security for every organization in every industry. And though conversations touched on (rather than focused on) mobile app security, three industries in particular — retail, financial services, and healthcare — seemed to continuously find their way into conversations around the evolving needs for enhanced security.
This certainly makes sense; these three industries, in particular, are the usual suspects because they seem to offer the most lucrative payouts. But threat actors are no longer just looking at these specific industries. They are looking for the path of least resistance, regardless of what industry that falls in.
Without efficient mobile app security in place, threat actors can more easily access the inner workings of an app, leading to financial loss and brand damage, among other significant business challenges.
Our takeaway: It doesn’t matter what neighborhood you live in; if your doors are open, thieves will eventually find their way in.
In one specific session the team attended, the presenter walked attendees through a sandbox session that showed how to use commonly available tools to decompile and reverse engineer an unprotected mobile application. They went on to show how to implement hooking, using tools such as Frida, to bypass inadequate mobile protections intended to detect rooted/jailbroken devices, and ensure SSL pinning was in place.
It shouldn’t be a surprise that knowledge to more efficiently hack a mobile app is so widely available, especially considering nefarious players often sell various techniques to make threat actors more efficient (like Ransomware as a Service, for example).
Threat actors don’t typically like to reinvent the wheel; they like to take advantage of the easy wins. This means they will leverage existing vulnerabilities and the most common attack methods, such as static or dynamic analysis, because they know these approaches work. And threat actors are more likely to bypass the more routine checks when those checks aren’t fortified by a stronger mobile app security solution.
Our takeaway: We already know that less than 50% of the top apps have adequate security, and almost one third of zero-day attacks target mobile devices. If you can learn how to effectively reverse engineer and bypass inadequately protected mobile apps at a show like RSAC, mobile apps are clearly more vulnerable than you think and require better protection.
There is a common misconception that mobile apps are more secure than they actually are. We conducted a number of AppSweep scans at RSA Conference to illustrate the value of scanning your mobile app; after all, you don’t know what you don’t know.
In just about every app we scanned, we uncovered multiple vulnerabilities. In fact, one app we scanned produced more vulnerabilities than our team had ever seen when using AppSweep. This further emphasizes the importance of gaining greater visibility and awareness of what security threats and vulnerabilities exist in your mobile app, and gaining access to actionable steps to mitigate them.
Though mobile app security didn’t take center stage at RSA this year, it didn’t go unnoticed that mobile app security played a strong supporting role in many of the discussions. The need for strong mobile app security will continue to increase in importance as mobile grows incrementally as a key threat vector.