The growing risks of mobile apps
Cyber attacks, in general, are an ever-present danger, that much is clear. With more and more data now held online, hackers able to exploit security vulnerabilities can forge an illicit yet lucrative career for themselves.
It would be naïve to think mobile apps are safe from this threat. With Symantec’s Internet Security Threat Report 2016 now available for all to see, the research has revealed a 77 per cent increase in the number of new Android mobile malware variants between 2014 and 2015, and a 214 per cent increase in new mobile vulnerabilities.
This increasing threat is highlighted by the emergence of recent mobile malware strains and software vulnerabilities, including MazarBOT, Acecard and XcodeGhost. It’s no secret that mobile is very much in the firing line.
What’s the hacker’s modus operandi?
Ominously, hackers are becoming increasingly versatile when it comes to attacking mobile apps. One key method of breaching the defences of these apps is by distributing modified apps, often via unofficial app stores but also occasionally through more ‘secure’ channels such as Google’s Play Store.
These modified apps ape legitimate ones, and can be re-engineered to perform malicious activities, injected with malware, pirated, or tampered with to make bypassing security protocols easier. Once installed, these apps can carry out a range of sinister activities, including the theft of personal data.
The spectre of malicious fake apps
Creating fake versions of legitimate apps has become a popular way for cybercriminals to harvest personal data. As an example, research has shown that, in June 2014, there were fake versions of 77 per cent of the top 50 free apps in the Google Play Store. While some of these fakes aren’t malicious, many of them are.
The pace of development of fake apps can be put down to a range of reasons. Some of these include:
- An ever-expanding number of apps, meaning there is an ever-expanding range of targets
- A growing number of features in apps – more features mean there are more areas that can be attacked
- User demand and competition leading to faster release cycles of apps, with application security unable to keep pace
- Increasing use of unapproved app stores and rooted devices
- Improved hacking tools as cyber criminals refine their craft
How do these fake apps get past approved app stores?
Distributing these apps is easier than it might seem. If a customer decides to download apps from a non-iOS or Android app store, hackers can make their move here. The same goes for rooted devices: it’s fairly self-explanatory that willingly sacrificing your phone’s in-built security features will leave you more open to compromise.
Android is by far the weaker OS when it comes to malicious apps. With no formal review process for apps, they can be distributed via websites, emails and even the Google Play Store.
But iOS is no Fort Knox either: savvy hackers can circumvent the App Store’s review process through wily concealment of a fake app’s activities, enabling it to come through the review procedure unscathed.
Security of Third-Party Keyboard Apps
Major mobile device platforms allow users to replace built-in keyboard apps with third-party alternatives, which have the potential to capture, leak and misuse the keystroke data they process.
Third-party keyboards received a boost of attention when Apple made it possible to implement such apps starting with iOS version 8, though this capability have existed on Android for a while. iOS places greater restrictions on keyboards than Android operating systems; however, even Apple cannot control what keyboard developers do with keystroke data if users allow these apps to communicate over the network.
So what can be done to stop them?
The obvious advice you can give as a company is to urge your customers to be careful when downloading apps: avoid using rooted devices, be sure to only download from approved app stores and remain vigilant at all times.
But it’s impossible to control how every user goes about using their mobile device. Instead, a cost-effective and easy-to-implement approach lies in app hardening techniques.
App hardening software makes legitimate apps self-defending by adding protective code. In this way, the apps are protected against unwelcome intrusions which aim to steal data or create a cloned version of the app. Such an approach has been recommended by leading cybersecurity analysts, including Gartner.
In an age where hackers remain a serious force to be reckoned with and where we can’t possibly control every user’s behaviour, embracing app hardening is a hugely effective way for app developers to get ahead.