Secure coding and traditional application security best practices are recommended to protect applications against runtime attacks. However, they are not sufficient to secure apps against sophisticated runtime attacks. Runtime application self-protection (RASP) is a security technology that is built or linked into an app's runtime environment and is capable of controlling application execution and detecting and preventing attacks in real time. With RASP technology implemented, the attack is blocked by the application itself and the application continues to operate securely.
It has never been easier to develop and launch a mobile application; at the same time, it has never been harder to keep sensitive customer information secure in the face of evolving mobile application threats.
Mobile devices are seeing rapid growth in malware attacks. Frequently used techniques are repackaging legitimate applications into malicious ones and apps that act as a man-in-the-mobile. These attacks specifically target consumer apps that have transactional value, such as banking and payment apps. We have also seen the development of mobile attacks that can be applied across the enterprise, can be exploited remotely, and can do greater damage. Now let’s have a quick look at two important application security areas:
Protecting data-at-rest is not a new concept for most CIOs or CISOs of banks, or of any other businesses for that matter. Attackers can target data-at-rest with specially developed malicious software and other methodologies. Considering the number of mobile devices being used to conduct transactions, work remotely, and perform key tasks, data-at-rest has never been more vulnerable! Therefore, it is essential to add self-protecting mechanisms to your applications – for example, by the use of heavy obfuscation and layered packaging/encryption of the security code.
Securing your applications at runtime
Below, we have highlighted 10 application security threats you should know.
1. Jailbroken / Rooted devices
Jailbreaking or rooting is the process of circumventing the operating system’s security measures. This is usually performed by the users of a device customizing it beyond what the manufacturer allows. However, attackers can also perform jailbreaking/rooting when a device is stolen, to bypass the protection mechanisms of the device in order to gain access to the data stored on it. Similarly, some of the available jailbreak/rooting techniques can be used by malware to gain extended permissions on a device.
2. Repackaging
Repackaging is a widely used practice to deploy Trojan horses on Android devices. On Android, this is made possible since there are many distribution platforms apart from the official Google Play Store. Apple also offers other ways to deploy apps in the form of Ad Hoc and Enterprise deployment, where apps can, for example, be installed on a user’s device from a web page without being reviewed by Apple.
3. Library injection
In order to gain control of an application, attackers will often inject code into the app process to control it from within. This can, for example, be used to read decrypted SSL/TLS communication or to intercept user input, e.g. passwords. This is one of the threats that only exists on compromised devices, since injecting code into another application is usually prevented by the sandbox. The easiest and most common way to inject code into a process is by injecting a malicious library. For example, the very popular MobileSubstrate framework for jailbroken iOS devices performs this extensively.
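As an added example (not code from the original article), this is the kind of check a native RASP component on Android can make for injected libraries: walk /proc/self/maps and report every shared object mapped from a directory the app does not expect. The allow-list of prefixes and the sample maps text are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if 'path' starts with one of the allowed directory prefixes. */
static int path_allowed(const char *path, const char *const *pre, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, pre[i], strlen(pre[i])) == 0) return 1;
    return 0;
}

/* Scan the text of a /proc/<pid>/maps file. Every ".so" path that lies
 * outside the allowed prefixes is counted as an unexpected library; the
 * first such path is copied into 'first' (may be NULL). The mappings of
 * one library are adjacent in the file, so each path is counted once. */
int count_unexpected_libs(const char *maps, const char *const *pre, size_t n,
                          char *first, size_t first_len) {
    int count = 0;
    char last[512] = "", path[512];
    for (const char *line = maps; line && *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *slash = memchr(line, '/', len);   /* pathname column */
        if (slash) {
            size_t plen = len - (size_t)(slash - line);
            if (plen >= sizeof(path)) plen = sizeof(path) - 1;
            memcpy(path, slash, plen);
            path[plen] = '\0';
            if (plen > 3 && strcmp(path + plen - 3, ".so") == 0 &&
                strcmp(path, last) != 0) {
                strcpy(last, path);
                if (!path_allowed(path, pre, n)) {
                    if (count++ == 0 && first) snprintf(first, first_len, "%s", path);
                }
            }
        }
        line = end ? end + 1 : NULL;
    }
    return count;
}

/* Constructed sample maps text: two mappings of one system library, the
 * app's own library, and one library loaded from a directory the app never uses. */
static const char SAMPLE_MAPS[] =
    "7f000000-7f001000 r-xp 00000000 fd:00 1 /system/lib64/libc.so\n"
    "7f001000-7f002000 r--p 00001000 fd:00 1 /system/lib64/libc.so\n"
    "7f100000-7f101000 r-xp 00000000 fd:00 2 /data/app/com.example/lib/arm64/libapp.so\n"
    "7f200000-7f201000 r-xp 00000000 fd:00 3 /data/local/tmp/libhook.so\n"
    "7f300000-7f301000 rw-p 00000000 00:00 0 [anon:scudo]\n";

/* Assumed allow-list: platform directories plus the app's own install path. */
static const char *const ALLOWED[] = { "/system/", "/vendor/", "/apex/",
                                       "/data/app/com.example/" };
```

In a real app the same function is fed the contents of /proc/self/maps read at runtime, and a non-zero result is reported or acted on according to the RASP policy.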
4. Execution flow control
When an attacker tries to take control of an application, he will change its execution flow. It’s important to be able to detect when the execution flow deviates from the normal execution flow and initiate proper defensive measures.
5. Process integrity checking
Based on the strong process integrity checking mechanisms found in security software for the Windows platform, similar mechanisms have been developed for both Android and iOS. This protects against advanced process and function hijacking methods, which are known from the Windows platform and used by banking Trojans like ZeuS and SpyEye.
6. User input leakage
iOS automatically records user input in a so-called keyboard cache in order to improve its auto-correction feature. This can lead to sensitive information being accessible.
Android offers its users the possibility to install custom software keyboards. These keyboards naturally receive every input the user makes on them and can therefore be used by an attacker as a keylogger.
Debuggers can be used during runtime of the application to extract sensitive information, alter the program flow and help attackers reverse engineer the app. In order to prevent these threats, it is important to implement application security software that can detect when a debugger is attached to the app and perform the necessary steps to ensure that the security of the application is not compromised – by either blocking the debugger or detecting it and exiting the app.
As with debuggers, emulators can be used to analyze an application to determine how it works and to extract sensitive information that is available while the application is executed. This is currently only a threat on Android, since the iOS emulator runs on a different hardware platform than real iOS devices: iOS apps from the App Store, which have been built to run on the ARM platform, cannot be run on the iOS emulator, which runs on the Intel platform. On Android, you can find app security SDKs that can detect when the app is executed in an emulator and initiate countermeasures (for example exiting the app, depending on configuration).
Applications often display sensitive information that should not be easily exfiltrated from the application. One easy way to extract information from an application is in the form of a screenshot. Make sure you implement security software that can detect user-initiated screenshots and perform the necessary steps to make sure the exfiltration is reported.
When an app enters the background on iOS, a screenshot of the app is created to improve the user experience when the app is brought to the foreground again. This screenshot can be used to extract sensitive data.