Mobile banking is now a way of life for connected people. It also presents a lucrative opportunity for criminals to commit fraud. One of the easiest ways to break into a victim's banking portal is through malware and apps that request excessive permissions.
According to a report by RiskIQ, criminals are using look-alike banking apps to distribute malware and capture data on the device in order to commit crimes. The company found that more than 40,000 (or 11 per cent) of the 350,000 apps which reference banking in the world's top 90 app stores contain malware or suspicious binaries.

Of the more than 40,000 mobile apps listed in the report as suspicious:

• 21,076 contained adware
• 20,000 contained Trojan malware
• 3,823 contained spyware
• 209 contained exploit code
• 178 contained malicious JavaScript
Ajay Khubchandani, Senior IT Security Expert, ESS Distribution Pvt Ltd (official distributor of ESET products in India), predicts that attacks on online payment systems and net-banking will increase as they are widely used by people and businesses for managing their finances.

"As the usage of virtualization by home users and SMEs increases, the attacks on them increase too. Various service networks for web performance, optimization, analytics, personalization, etc. will be increasingly targeted via both sophisticated attacks (i.e. code injection of specific customers) and unsophisticated attacks (DDoS)," he added.
The Best Defence

The best way to tackle these issues is to apply a layered approach, implementing different techniques within each layer. Here are some of the key steps you can take to strengthen app security using currently available technology.
App in Stealth Mode

Deter attacks by making it difficult for attackers to understand the app's workflows. This can be achieved by building in reverse-engineering resistance through data obfuscation (hiding the original data behind random characters) and anti-debugging capabilities.

Always make sure that the app does not run on smartphone emulators, by using strong device binding/fingerprinting that is resistant to spoofing.

Because an open-source OS such as Android can easily be breached, it is better to create your own security libraries, which avoids exposure to standard OS vulnerabilities that are readily available and publicised in the public domain.
Data Protection

Don't rely on the standard Android or iOS mobile software development kits (SDKs) to safeguard your app data; always use alternative proprietary secure storage based on data obfuscation. When a Secure Element is not available, the security library should store the most sensitive data, e.g. encryption keys, in non-obvious locations and allow that location to be changed regularly.
Secure your Communication Channels

Use 'certificate pinning' to protect communications. This checks a server's certificate against trusted validation data to confirm the source is genuine. A copy of this certificate is then 'bundled with the app' to provide stronger authentication in the future. Additional protocols can also be used to improve resistance against man-in-the-middle attacks.
Attack Detection

Use anti-malware and sentinels built into the app to enable attack detection and a defensive reaction. This gives the app two lines of defence: it can either react immediately, or harvest data about the attack and enforce its defences later at a seemingly random point.
According to Sethu S Raman, Chief Risk Officer, Mphasis, "Cyber-attacks are pretty different from physical-world attacks. Many times we may not know our enemies and where they are based. In a recent case, the forensic team found that he was one amongst us but perpetrating these activities. It is not simply installing some anti-virus, or putting in some spam filters and a few other security software products, which generally is a trend in corporates. There has to be a thought-out Security Strategy which is aligned with the corporate strategy and the IT strategy of the company. A proper risk assessment of the information assets of the organization should be done, which should dictate the development of a comprehensive security architecture."
Man-in-the-middle Attack

Last year a serious security flaw affecting approximately 1,500 iOS apps was detected. It left them vulnerable to hackers looking to swipe passwords, bank account information and other sensitive data, according to a report by security analytics firm SourceDNA.
App Stores Need to be Secure

The problem with distributing apps through vendor and third-party stores is that these venues offer developers different levels of security. Some app store operations are highly secure and demand that developers meet rigorous standards before their apps can be offered, while others' standards are less stringent. The result is that app stores are susceptible to a variety of security and related problems, such as the distribution of copycat apps and malware. Also, some applications are vulnerable to a variety of security problems simply because they are not well written.

The fragmentation in the Android space, which is significantly greater than on iOS, contributes to the mobile malware problem because cybercriminals can impact a large proportion of Android users who are running older and less secure versions of the operating system.
To Conclude…

Every organization that distributes mobile apps via app stores should implement a robust mobile app security solution to protect its brands, trademarks and other intellectual property. Adhering to security best practices, such as keeping away from untrustworthy apps and app sources, will reduce the risks considerably.