Why You Need to Pay Attention to Mobile App Security

Aside from executing physical attacks on servers, hardware or people, there are three main access points where criminals can break into systems: web, mobile and API.

In this post, we’ll focus on mobile security, an area increasingly being exploited due to a sharp rise in mobile device use over the course of the pandemic.

Why is mobile device security important?

Accessing information from anywhere has become a necessity in the modern world. Since we all have a mobile device in our pockets, most businesses have a mobile presence to reach customers and employees in a convenient way. As we alluded to in our 11 big predictions for cybersecurity in 2022, the rollout of 5G and the ever-increasing power of cell phones make mobile applications an ever-popular attack vector for criminals seeking financial gain.

While there is a detailed list of mobile vulnerabilities as part of the OWASP mobile top ten that every business should use to inform their mobile application security penetration testing, here are some common examples of mobile application hacks and attacks:

Access control exploits

Corporate apps have become more important since the Covid-19 pandemic and new ‘work from home’ culture. Controlling access to important areas of business systems, and protecting sensitive data from unauthorized access, is vital. Hackers look for ways to break into restricted areas within such apps, such as tampering with JSON web tokens, exploiting misconfigurations via API calls, or spoofing unique identifiers.

Vulnerable or outdated components

Cyber security moves at a breakneck pace, with hackers finding new exploits and developers patching vulnerabilities in a constant cycle. Attackers can take advantage of out-of-date mobile apps still being in circulation amongst the userbase if their access has not been revoked, taking advantage of known vulnerabilities even if those vulnerabilities have been patched in newer versions.

Fake application downloads

Fake apps can appear legitimate to users but are full of spyware or other types of malware. These apps are designed to look identical to the real thing, and may have some of the expected functions, but their true purpose is to hijack devices for the criminal distributor’s purposes

This usually takes the form of either collecting private data from the device, logging activity and keystrokes, or using the device’s processing power and network connection to launch other attacks. Many modern botnets are bolstered by hijacked mobile devices, which are especially effective for this purpose because mobile devices are distributed across locations and networks, making their traffic easy to disguise as legitimate.

What emerging risks are threatening mobile app security?

As well as modified application packages and exploits, legitimate mobile apps can fall foul of attacks that take advantage of their own designs and purposes. For example, just having a login screen facilitates credential stuffing attacks, and the ability to add items to a shopping cart opens apps up to scalping and spinning attacks.

These business logic exploits and are carried out at high volumes by automated bots controlled by a single group or individual. Bot attacks are usually associated with websites, but they are just as capable of attacking mobile apps, directly or via API access.

All a bot needs to do is use a user agent associated with a legitimate mobile device, or use mobile device emulation to mimic human activity via the mobile app. The tools to do this are widely available and easy to use; it doesn’t take a hardened hacker to acquire and master such techniques, and the rewards for little investment can be much higher than with other attack types.

Are your mobile apps protected against bots?

While rigorous pen testing is an absolute necessity for any kind of application, mobile or otherwise, a different approach is needed to defend against bots.

Dedicated bot management tools detect bots, distinguish the good from the bad, and block dangerous activity from affecting the business or its customers.

From a technical standpoint, there are two approaches to spotting the bots as they attempt to gain access to mobile apps:

Install a custom SDK as part of the mobile application’s architecture

Mobile SDKs are used to collect client-side data from mobile devices to look for telltale signs of automated activity. Unfortunately, most sophisticated bots use reverse engineering to evade client-side detection with ease, diminishing the usefulness of these detection methods.

Installing a mobile SDK means modifying part of the application itself, essentially adding in the functionality to detect bots on top of everything else the app is designed to do. This requires developer intervention and periodically updating the SDK along with the bot management product itself.

Capture and monitor the server logs generated by traffic to the mobile app

Bot management tools can also inspect server logs to identify bot activity. Server-side bot detection has the advantage of concealing itself from bots and attackers, meaning they can’t devise bypass methods. Server logs also create masses of data that can be leveraged by machine learning algorithms to spot sophisticated bot behavior as it evolves.

Server logs can come from web or mobile apps, as well as via an API, but are all logged in the same way, meaning there is no need to change or update anything in the mobile app to implement up-to-date bot management functionality.

Get a complete picture of mobile application security

Businesses must make use of all security tools available to them to keep mobile applications secure. This includes mobile application security testing tools alongside bot management that integrates smoothly with web and mobile apps as well as APIs.