Application Security
Smartphone Security: Combatting App-Level Attacks
Despite a surge in cyberattacks on smartphones, security awareness about mobile devices falls behind traditional computers. Ellen Daniel speaks to Winston Bond, EMEA Technical Director at Arxan Technologies, about what more needs to be done to improve smartphone security
Earlier this year, it was reported that messaging app Whatsapp contained a security flaw that could allow hackers to install spyware onto the phones of unsuspecting users.
Although the flaw was quickly fixed by Whatsapp, the incident, which could have enabled hackers to gain access to the devices of targeted individuals, demonstrated how serious an app security flaw can be in the wrong hands.
The number of attacks focused on smartphones has increased significantly of late, with research by Check Point revealing that they rose by 50% in 2019 compared to last year.
And if successful, smartphones provide attackers with access to a treasure trove of personal information.
While going without antivirus software of some kind on a PC is unheard of for many users, according to the 2018 Internet Access Survey, 24% of smartphone users across all age groups do not know whether they have smartphone security software installed.
However, cybersecurity threats not only come in the form of malicious apps themselves, but in the security vulnerabilities of otherwise trusted apps.
Despite users’ habit of storing sensitive information on the numerous apps within their smartphones, many of these contain security vulnerabilities that leave data at risk of exposure if an app is compromised.
According to Arxan Technologies, an American tech company specialising in application attack prevention, cybercriminals can exploit mobile apps by reverse-engineering them to expose code and steal customer identities, intellectual property or gain access to back office systems. This can range from finding ways to cheat in a game, or in the case of banking apps, commit financial fraud.
But how do those behind popular apps protect themselves from this growing threat?
“There's a big gap” in mobile app security
Arxan conducted a two-year study in which over a million Android apps were analysed, and researchers found 2,040 potential counterfeits that contain malware in a set of 49,608 apps that showed high similarity to one of the 10000 most popular apps in the Google Play Store.
Winston Bond, EMEA technical director at Arxan Technologies, tells Verdict Encrypt that during its two-year study, the company has assessed the ways in which app developers are protecting apps from malicious actors.
“We've been going and looking at selected and anonymised apps off the app stores to see what they do to look after themselves, and what kind of measures they incorporate into their apps to stop other people or other apps trying to get access to the data those apps are storing,” he says.
“Frankly, the bottom line of the report is we're a bit disappointed really. There's a big gap. A lot of people aren't doing very much.”
“Frankly, the bottom line of the report is we're a bit disappointed really. There's a big gap. A lot of people aren't doing very much.”
According to Arxan, mobile app security refers to the tools in place to protect mobile applications from reverse-engineering, tampering and other app-level attacks.
Bond explains that due to the sheer number of apps available through different stores, with an estimated 2.7 million apps currently on the Google Play Store, those that are vulnerable to attacks can slip through the cracks despite efforts to prevent this.
“Neither Google nor Apple or anybody else is ever going to be able to have a perfect filter, given the hundreds of thousands of apps there are, there's always going to be something that slips through their system,” he says.
“Google and Apple, do as good as you can realistically expect to have catching these things. But they are trying to do scans of hundreds of thousands of apps coming in to go on their stores. And it's not that hard for somebody to sneak something in that does something that you don't want. They're trying to search all of these apps and all the code in all of these apps for some backdoor, or something that is doing what it shouldn't be doing. So to catch them in advance as they come in.”
A “mobile app vulnerability epidemic”
He explains that the threat comes from two main sources.
“There are cases where you have apps trying to reach out from inside their own app, which appears to do something useful, but it's doing things you don't want it to be doing under the hood. That's the malware type use case or example,” he says.
“And then another thing is just the users or hackers, where it's an individual person trying to break something. Cheat at a game or work out how a bank is moving money around and doing nefarious things with it.”
The second category is the one that Arxan is concerned with preventing. A lack of binary protections, insecure data storage, unintended data leakage or weak encryption have led to what Arxan describes as a “mobile app vulnerability epidemic”. In other words, flaws in the coding of an app can make it possible for it to be changed or reverse-engineered.
This means that attackers may be able to access the code or data stored within the app if it is not adequately protected.
“If you have a high profile, high value, legitimate app, that is handling payments or people's personal information, it basically needs to look after itself.”
According to a study by Positive Technologies, 76% of apps examined as part of its Vulnerabilities and Threats in Mobile Applications 2019 research were shown to have insecure data storage, while 35% demonstrated insecure transmission of sensitive data.
This suggests that while many apps offer a sleek user experience, insecurities remain.
Although the number of nefarious apps may be small compared to the total number being added to app stored every day, it is enough to be dangerous.
“Letting a few hundred through in percentage terms is probably not very many. But that's enough,” says Bond.
“Or even you have the apps where it does what it says on the tin and it's not doing anything nefarious, but perhaps you may not want that to be happening. And it might take you by surprise. Our concern is that a lot of high-profile apps should be doing more to protect themselves.”
According to a study by Arxan, a worrying number of consumer financial applications have "widespread security deficiencies". The study found that 97% of all apps tested lacked binary code protection, making it possible to “reverse engineer or decompile” the apps.
Bond believes that in this setting, it is imperative that an app’s security is water-tight.
“If you have a high-profile, high-value, legitimate app, that is handling payments or people's personal information, it basically needs to look after itself. You've got to assume you're in an environment where there's dodgy stuff around. You've got to assume that there's something else on the phone that may not be acting entirely above board.”
“Be extremely careful about what you install”
But how can app developers ensure that app security is maintained? Bond explains that there are a number of tools that make this possible.
“There's a lot of scanning tools available, which will look at your app and see what it is vulnerable to. And whether it's vulnerable, certain kinds of apps, there are products, which look for malware from inside your app…App protection, code hardening, runtime applications, self-protection. So the idea being that your app looks after itself,” he says.
“Having the self-protection tools that we have, we had the ability to inject things that will send messages back about what's going on to that app on that device. So 99 times out of 100, nothing much really – it's all good. And then the one time out of 100, it'll start to tell you when something is trying to change the application.”
“It's about trust when you install an app on your phone. That's an act of trust.”
Although it is essential that app developers ensure that security vulnerabilities are removed from applications, users can also take steps to protect themselves.
Bond urges them to exercise caution when downloading anything onto their device, offering the age-old advice that if something seems too good to be true, it probably is.
“Any individual user going out on to the Play Store, I think it's just like any other shopping environment. It's about trust when you install an app on your phone. That's an act of trust.
“So have a look and don't suspend your disbelief. If it all sounds too good to be true, it probably is too good to be true. Just like any other shop at any other shopping mall. It's just the online version of a marketplace.
“Install or enable the antivirus tools on your phone. Rule number one is be extremely careful about what you install.”