Learn more about: Jailbroken/rooted devices, repackaging, library injection, execution flow control, process integrity checking, user input leakage, keylogging, debuggers, emulators and screenshots.
It has never been easier to develop and launch a mobile application; at the same time, it has never been harder to keep sensitive customer information secure in the face of evolving mobile application security threats.
Increase in malware attacks
Mobile devices are seeing rapid growth in malware attacks. Commonly used techniques are repackaging legitimate applications into malicious ones and apps that act as a man-in-the-mobile. These attacks specifically target consumer apps with transactional value, such as banking and payment apps.
We have also seen the development of mobile attacks that can be applied across the enterprise, be exploited remotely and do greater damage. Now let's have a quick look at two important application security areas:
Protecting data-at-rest
Protecting data-at-rest is not a new concept for most CIOs or CISOs of banks, or of any other business for that matter. Attackers can target data-at-rest with specially developed malicious software and other methodologies.
Considering the number of mobile devices used to conduct transactions, work remotely and perform key tasks, data-at-rest has never been more vulnerable. It is therefore essential to add self-protecting mechanisms to your applications, for example by heavy obfuscation and layered packaging/encryption of the security code.
Securing your applications at runtime
Secure coding and traditional application security best practices are recommended to protect applications against runtime attacks. However, on their own they are not sufficient to secure apps against sophisticated runtime attacks.
Runtime application self-protection (RASP) is a security technology that is built or linked into an app's runtime environment. It is capable of controlling application execution and of detecting and preventing attacks in real time. With RASP technology implemented, the attack is blocked by the application itself, and the application continues to operate securely.
10 application security threats you should know
1. Jailbroken/rooted devices
Jailbreaking or rooting is the process of circumventing the operating system's security measures, and it poses the most common security threat. It is usually performed by the users of a device to customize it beyond what the manufacturer allows.
However, attackers can also jailbreak or root a stolen device to bypass its protection mechanisms and gain access to the data stored on it. Similarly, some of the available jailbreak/rooting techniques can be used by malware to gain extended permissions on a device.
2. Repackaging
Repackaging is a widely used practice to deploy Trojan horses on Android devices. On Android, this is made possible by the many distribution platforms that exist apart from the official Google Play Store.
Apple also offers other ways to deploy apps, in the form of Ad Hoc and Enterprise deployment, where apps can, for example, be installed on a user's device from a web page without being reviewed by Apple.
3. Library injection
In order to gain control of an application, attackers will often inject code into the app process to control it from within. This can, for example, be used to read decrypted SSL/TLS communication or to intercept user input such as passwords. This is one of the security threats that only exists on compromised devices, since injecting code into another application is normally prevented by the sandbox.
The easiest and most common way to inject code into a process is to inject a malicious library. The very popular MobileSubstrate for jailbroken iOS devices is an example of a framework that does this extensively.
4. Execution flow control
When an attacker tries to take control of an application, they will change its execution flow. It is important to be able to detect when the execution flow deviates from the normal one and to initiate proper defensive measures.
5. Process integrity checking
Based on the strong process integrity checking mechanisms found in security software for the Windows platform, similar mechanisms have been developed for both Android and iOS. These protect against advanced process and function hijacking methods, which are known from the Windows platform and used by banking Trojans such as ZeuS and SpyEye.
6. User input leakage
iOS automatically records user input in a so-called keyboard cache in order to improve its auto-correction feature. This can make sensitive information accessible.
7. Keylogging
Android offers its users the possibility to install custom software keyboards. These keyboards are naturally informed about every input the user makes on them, so one can be used by an attacker as a keylogger.
8. Debuggers
Debuggers can be attached to an application at runtime to extract sensitive information, alter the program flow and help attackers reverse engineer the app.
It is important to implement application security software in order to prevent these security threats. The software detects when a debugger is attached to the app and performs the necessary steps to ensure that the security of the application is not compromised: either the debugger is blocked, or the attachment is detected and the app exits.
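The debugger-attachment detection described above, as an added example that is not part of the original article or of any vendor's SDK: a minimal native check for Android/Linux that reads the TracerPid field the kernel exposes in /proc/self/status (the field name and file are real; the sample status text in main() is constructed). On iOS there is no procfs and the equivalent check uses sysctl() and the P_TRACED flag, which this example does not implement.

```c
// Added example (not from the original article): a minimal native RASP-style
// debugger check for Android/Linux. The kernel reports the pid of a tracing
// process in /proc/self/status as "TracerPid:\t<pid>"; a non-zero value means
// a ptrace-based debugger is attached. iOS has no procfs; there the equivalent
// check uses sysctl() and the P_TRACED flag, which is not implemented here.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Parse the TracerPid field out of the text of a /proc/<pid>/status file.
 * Returns the tracer pid, 0 when no tracer is present, or -1 when the field
 * is missing (e.g. a different OS or a sandboxed procfs). */
int parse_tracer_pid(const char *status_text) {
    const char *key = "TracerPid:";
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, strlen(key)) == 0) {
            return (int)strtol(line + strlen(key), NULL, 10); /* skips the tab */
        }
        line = strchr(line, '\n');
        if (line) line++; /* move to the start of the next line */
    }
    return -1;
}

/* Read the live status file and report whether a tracer is attached.
 * Returns 1 if attached, 0 if not, -1 if it could not be determined. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int pid = parse_tracer_pid(buf);
    if (pid < 0) return -1;
    return pid > 0;
}

int main(void) {
    /* Constructed sample of a status file with a tracer present (pid 4242). */
    const char *sample = "Name:\tapp\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t10001\n";
    printf("sample tracer pid: %d\n", parse_tracer_pid(sample)); /* 4242 */
    printf("live check: %d\n", debugger_attached());
    return 0;
}
```

A single check like this is easy to patch out once found, which is why the obfuscation and layering the article recommends matter as much as the check itself.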
9. Emulators
As with debuggers, emulators can be used to analyze an application to determine how it works and to extract sensitive information that is available while the application is executing.
This is currently only a security threat on Android, since the iOS emulator runs on a different hardware platform than real iOS devices: iOS apps from the App Store are built for the ARM platform and cannot be run on the iOS emulator, which runs on the Intel platform.
On Android, app security SDKs are available that can detect when the app is executed in an emulator and can initiate countermeasures (for example exiting the app, as configured).
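The Android emulator detection described above, as an added example that is not from the original article or from any SDK it refers to. On a device the property lookup would be __system_property_get() from <sys/system_properties.h>; here the lookup is passed in as a function pointer so the check runs off-device against the constructed property tables at the bottom (the property names are real, their sample values are constructed).

```c
// Added example, not from the article or any vendor SDK: an Android emulator
// heuristic of the kind item 9 describes. On a device the lookup would be
// __system_property_get() from <sys/system_properties.h>; here the lookup is
// passed as a function pointer so the check runs and is testable off-device
// against the constructed property tables at the bottom.
#include <stdio.h>
#include <string.h>

typedef int (*prop_lookup_fn)(const char *name, char *out, size_t outlen);

/* Count emulator indicators among well-known stock-emulator properties
 * (QEMU kernel flag, goldfish/ranchu virtual hardware, "generic" build).
 * 0 means nothing suspicious; a RASP policy can then log, degrade or exit. */
int emulator_score(prop_lookup_fn lookup) {
    char v[92]; /* PROP_VALUE_MAX on Android */
    int score = 0;
    if (lookup("ro.kernel.qemu", v, sizeof v) > 0 && strcmp(v, "1") == 0) score++;
    if (lookup("ro.hardware", v, sizeof v) > 0 &&
        (strstr(v, "goldfish") || strstr(v, "ranchu"))) score++;
    if (lookup("ro.build.fingerprint", v, sizeof v) > 0 && strstr(v, "generic")) score++;
    if (lookup("ro.product.device", v, sizeof v) > 0 && strncmp(v, "generic", 7) == 0) score++;
    return score;
}

/* Constructed property tables: one imitating the stock emulator, one a phone. */
static const char *emu_props[][2] = {
    {"ro.kernel.qemu", "1"}, {"ro.hardware", "ranchu"},
    {"ro.build.fingerprint", "google/sdk_gphone_x86/generic_x86:11/RSR1/1:user/release-keys"},
    {"ro.product.device", "generic_x86"}, {NULL, NULL}};
static const char *phone_props[][2] = {
    {"ro.hardware", "qcom"}, {"ro.build.fingerprint", "vendor/phone/phone:11/ABC1/1:user/release-keys"},
    {"ro.product.device", "phone"}, {NULL, NULL}};

static int lookup_in(const char *(*table)[2], const char *name, char *out, size_t outlen) {
    for (int i = 0; table[i][0]; i++)
        if (strcmp(table[i][0], name) == 0) {
            strncpy(out, table[i][1], outlen - 1); out[outlen - 1] = '\0';
            return (int)strlen(out);
        }
    return 0; /* property unset, as __system_property_get() reports with 0 */
}
static int emu_lookup(const char *n, char *o, size_t l)   { return lookup_in(emu_props, n, o, l); }
static int phone_lookup(const char *n, char *o, size_t l) { return lookup_in(phone_props, n, o, l); }

int main(void) {
    printf("emulator table score: %d\n", emulator_score(emu_lookup));  /* 4 */
    printf("phone table score: %d\n", emulator_score(phone_lookup));   /* 0 */
    return 0;
}
```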
10. Screenshots
Applications often display sensitive information that should not be easy to exfiltrate from the application. One easy way to extract information from an application is a screenshot. Make sure you implement security software that can detect user-initiated screenshots and take the necessary steps to ensure the exfiltration is reported.
When an app enters the background on iOS, a screenshot of the app is taken to improve the user experience when the app is brought to the foreground again. This screenshot can be used to extract sensitive data.