Cybersecurity - Addressing Security Issues for Mobile Applications
All IT-enabled businesses today are moving toward Artificial Intelligence (AI) driven personalized digital experiences for their customers. This implies a critical need for customers’ trust in the underlying technology. At the same time, it has been observed that cybercrime is growing at an alarming rate and is shaking customers’ trust in enterprise applications.
In the BFSI domain, mobile devices have emerged as soft targets. They often carry high-value, confidential data of upper-end users, can be connected to the Internet, and have powerful processors to run the apps. Such attributes make mobile phones easy targets for professional hackers. Organizations must have a robust incident monitoring and response plan to minimize damages and recover from cybersecurity incidents.
Cybersecurity: Current State
As per the Identity Theft Resource Center's (ITRC) report, the total number of reported data breaches increased by 40% from 781 incidents in 2015 to 980 incidents in 2016. The number of incidents is already at 1022 as of September 21, 2017. The total number of records compromised in the financial sector during 2017 is already touching 2,780,837, up from a mere 71,912 last year. This clearly indicates that the financial sector is now a focused target for cybercriminals.
Mobile: Hackers’ Prime Focus
Cybercriminals today are highly skilled and resourceful. They primarily target mobile phone users for data, identity, and remote access that enables further attacks. The goal of a hacker is to identify logical flaws and weaknesses in technologies for unauthorized access, examining areas including:
Binary Code Analysis
Reverse engineering to understand the binary
Embedded identities and key-generation routines
OS Exploits and Vulnerabilities
Data being sent or received from a server
Crash logs, network, and system error logs
Key stores used for encryption
Application file system and database (SQLite etc.)
Configuration profiles, digital certificates etc.
There are primarily three attack vectors for mobile apps: Network, OS vulnerabilities, and Malware. These are used to launch attacks on larger groups of targets and have far-reaching implications. Today, malware programs are the most commonly used mode for cyberattacks.
Threats on Android
Hiddad is an Android malware that tampers with legitimate apps published on third-party stores. Attackers use it to gain access to user data.
HummingBad is another Android malware that uses a rootkit method to install malicious applications such as keyloggers, and can even penetrate enterprise security to access confidential email.
Ztorg is a Trojan that uses privilege escalation to install applications without the user's knowledge.
Threats on iOS
AceDeceiver is an iOS malware developed to exploit a design flaw in FairPlay (Apple's DRM system) and install malicious apps on iOS devices. This "FairPlay Man-In-The-Middle" attack was initially used in 2013 for pirated apps, but has now transformed into a channel for spreading malware.
Pegasus is an iOS malware that scans the target device and installs additional software for listening to calls, capturing the camera, recording login keys, and accessing contacts, emails, and messages. It is like a Swiss army knife for hacking. Its capability can be judged by the fact that it can disguise itself and even destroy itself if it finds the target to be uninteresting.
A Few Noteworthy Cases of Mobile Data Breach
Some of the major data breach incidents on mobile are outlined below, providing a glimpse into the extent of compromised security and underlying threats.
Gooligan is a variant of the "Ghost Push" family of malware that uses the Towelroot and VROOT Android OS exploits to inject malicious code into Android system processes in order to gain root access. It is known to affect various versions of Android OS 4 and 5, which made up 74% of the devices in the market during the fall of 2016.
The FalseGuide attack started in November 2016 but became evident in April 2017. It was found embedded in guide applications for popular mobile games, including Pokémon Go, and is known to have affected two million users. Over 600,000 users were tricked by it into joining an Android botnet that could be used to launch DDoS attacks.
BankBot is a banking Trojan that targeted customers of over 400 banks including Citibank, ING, ABN, Rabobank, ASN, RegioBank, and BinckBank, among others. BankBot was also able to intercept text messages and delete them from the victim's mobile in order to bypass the 2FA security implemented by banks. It is reported that BankBot's code was leaked through an underground forum, and experts fear a spike in the number of mobile attacks based on enhanced versions of the leaked code.
Implications of Data Breach
It is hard to put a dollar figure on any data breach because the loss is more than monetary. It includes associated intangible losses such as those of reputation, brand value, and customer trust. Experts are of the opinion that less obvious costs, such as increased insurance premiums, start showing up somewhat later.
Case of Sony Data Breach
The Sony data breach included employee login details, e-mails exchanged between employees that revealed their viewpoint on prominent personalities, information about executive salaries in the company, and critical details on company strategy. Two employees also filed a federal court complaint against Sony Pictures for not taking enough precautions to keep employee data safe. Analysts at Macquarie Research put the estimated cost of the data breach at USD 83 million, but the loss that went unaccounted was Sony's strained relations with the people and businesses that it worked with.
Case of Yahoo Data Breach
In the last quarter of 2016, Yahoo reported that over 500 million user accounts were compromised, causing a major embarrassment for the company. Following the breach disclosure, Yahoo's valuation dropped from USD 4.8 billion to USD 4.48 billion during its sale agreement with Verizon.
Mobile Security Trends
According to Gartner, mobile attacks are increasing and the biggest concern is mobile malware, as a majority of such attacks are attributed to malicious software. Mobile users often visit compromised websites and install apps from sources other than the Apple and Google stores. While sensitizing users to information security is important, it is also necessary to implement mobile application security in a way that is both strong and easy to use.
Security vs. Usability
The bulk of mobile apps these days have a deficient approach to addressing information security, because the apps offer neither reliable protection nor an aesthetically pleasing interface. According to Verizon, 63% of the attacks in 2016 involved compromised passwords. Passwords are problematic because they can be stolen in scalable attacks. As an alternative, stronger security methods like OTP are safe but inconvenient.
The divide between security and UX can be addressed by mobile devices' hardware features such as fingerprint scanners. This implies that users are compelled to trust original equipment manufacturers (OEMs) like Apple and Google. This may be debatable from a privacy perspective because Google gathers a good deal of our data for monetization, whereas Apple's business model relies on selling phones rather than data, thus allowing a better balance of security in its design. The security challenge then moves to making the service provider's authentication at the backend equally reliable.
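The point that the backend must carry the reliability, not the fingerprint prompt, is easiest to see in code. The following is an added example written for this page, not the article's or any vendor's code: a hypothetical server that never accepts a client-asserted "biometric succeeded" flag, but issues a random single-use challenge and accepts only a signature over it made with a key that the device releases after local biometric unlock. To stay within the Python standard library the device key is a symmetric secret shared at enrollment (an assumption); a real deployment keeps an asymmetric private key in hardware (Android Keystore, Secure Enclave) and the server stores only the public key. All device IDs, keys and the TTL are constructed values.

```python
import hmac
import hashlib
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # constructed value: how long an issued challenge stays valid


class AuthServer:
    """Hypothetical backend: authenticates a device by a signed, single-use challenge.

    Assumption: device keys are symmetric secrets provisioned at enrollment so the
    example runs with the standard library only. In production the device holds a
    hardware-backed private key and the server verifies with the public key.
    """

    def __init__(self):
        self._device_keys = {}   # device_id -> enrolled key
        self._pending = {}       # nonce -> (device_id, issue time)

    def enroll(self, device_id, device_key):
        self._device_keys[device_id] = device_key

    def issue_challenge(self, device_id):
        if device_id not in self._device_keys:
            raise KeyError("unknown device")
        nonce = secrets.token_hex(32)          # unpredictable, never reused
        self._pending[nonce] = (device_id, time.monotonic())
        return nonce

    def verify(self, device_id, nonce, signature):
        """True only for a fresh, unused challenge signed with the enrolled key."""
        entry = self._pending.pop(nonce, None)  # single use: spent whether or not it verifies
        if entry is None:
            return False                        # unknown or replayed challenge
        issued_for, issued_at = entry
        if issued_for != device_id:
            return False                        # challenge bound to a different device
        if time.monotonic() - issued_at > CHALLENGE_TTL_SECONDS:
            return False                        # expired
        expected = hmac.new(self._device_keys[device_id], nonce.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)  # constant-time comparison


class Device:
    """Client side: the key is usable only after a local biometric unlock."""

    def __init__(self, device_id, device_key):
        self.device_id = device_id
        self._key = device_key
        self._unlocked = False

    def unlock_with_fingerprint(self, matched):
        # Stands in for the OS biometric prompt gating access to the key
        self._unlocked = bool(matched)

    def sign_challenge(self, nonce):
        if not self._unlocked:
            raise PermissionError("key not released: biometric unlock failed")
        return hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()


def make_enrolled_pair(device_id="phone-001"):
    """Constructed fixture: one enrolled device and the server that knows its key."""
    server = AuthServer()
    key = secrets.token_bytes(32)
    device = Device(device_id, key)
    server.enroll(device_id, key)
    return server, device


def run_login(server, device, fingerprint_matches=True):
    """Complete exchange; True when the backend accepts the device."""
    nonce = server.issue_challenge(device.device_id)
    device.unlock_with_fingerprint(fingerprint_matches)
    try:
        signature = device.sign_challenge(nonce)
    except PermissionError:
        return False
    return server.verify(device.device_id, nonce, signature)


def replay_attempt(server, device):
    """A valid response submitted twice: the second submission must be refused."""
    nonce = server.issue_challenge(device.device_id)
    device.unlock_with_fingerprint(True)
    signature = device.sign_challenge(nonce)
    first = server.verify(device.device_id, nonce, signature)
    second = server.verify(device.device_id, nonce, signature)
    return first, second


def forged_attempt(server, device):
    """A response signed without the enrolled key (as a compromised app with no key
    access could only do) must be refused, whatever the app claims about biometrics."""
    nonce = server.issue_challenge(device.device_id)
    bogus = hmac.new(b"not-the-enrolled-key", nonce.encode(), hashlib.sha256).hexdigest()
    return server.verify(device.device_id, nonce, bogus)


if __name__ == "__main__":
    srv, dev = make_enrolled_pair()
    print("genuine login:", run_login(srv, dev))
    print("failed fingerprint:", run_login(srv, dev, fingerprint_matches=False))
    print("replay (first, second):", replay_attempt(srv, dev))
    print("forged signature:", forged_attempt(srv, dev))
```

The design choice worth noting is that the server holds no biometric data and trusts nothing the app asserts; the fingerprint only decides whether the device's key is released locally, and the server decides solely on the signature, the nonce's freshness and its single use.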
App Security by Design
Mobile apps must have security in the design, and this must be built in early in the development cycle, not as an afterthought following penetration testing results. Mobile developers should adopt secure coding practices and leverage the recommended approach to deliver trustworthy apps.
The goal of mobile app design for the enterprise must be focused on mitigating the risk of exposing sensitive data through a compromised mobile app. This can be achieved by minimizing the amount of data exposed through the functionality delivered to the user. "Secure yet easy to use" is a crucial ingredient of a great mobile app.