Application Security Is Getting Worse, Not Better

The app insecurity complex

Breaches cost money — potentially lots of money — and, in some instances, lives. One study estimates an average data breach cost of $3.86 million. But what price do we put on the lives risked when a recent Universal Health Systems breach caused its hospitals to re-route ambulances and cancel surgeries?

  • Create fake apps or clones of existing apps via reverse engineering to trick users into providing credentials and other sensitive data, as well as access to accounts. This is also known as “tampering.”
  • Install bots to launch attacks on websites and perform online betting and other transactions.
  • Install malware on the device or on others in its network. In the infamous WhatsApp malware injection breach, attackers exploited a VoIP (voice over IP) vulnerability in the mobile app that allowed them to inject malware into phones simply by calling them.
  • Skim credit-card information.
  • Inject malicious scripts for clickjacking and formjacking.
  • Provide access to sensitive stored data — via the device’s operating system, the development framework, cookies and preferences, and other avenues for attack.
  • Eavesdrop on API communications to steal the data in transit — also known as a “man in the middle” attack.

In-app protection techniques

Securing your business and consumer applications — and the access to accounts and stored data they harbor — involves planning, foresight, and, yes, coding. When an app will handle very valuable data, or will typically run in insecure environments such as on consumer devices, in-app protection is your safest bet for securing it. Developers have many in-app protection techniques from which to choose; some are highly effective, while others are less so. Typically, they’re divided into two camps: prevention and detection. The first type aims to stop breach attempts from succeeding, and those in the second camp detect and react to intrusions after they have occurred.

Prevention

Code obfuscation: “Obfuscate” means “to hide,” something malware authors already do well: they wrap the viruses and malware they install on systems in a “curtain” of junk code so the payload is hard to analyze. Developers use obfuscation to scramble application code and render it, to the inexperienced eye, unreadable. As a result, static analysis and reverse engineering become much more difficult. Obfuscation techniques include renaming software components and identifiers, inserting useless “dummy” code as a diversion, breaking up the logical structure of the code, introducing software layers of access indirection, and stripping the app’s low-level functions of certain key components. It is also common to encrypt parts that would otherwise give away their functionality too easily, such as strings.
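To make two of these techniques concrete, here is an added example (not code from the original post or from CYBERCRYPT): a toy source-level obfuscation pass built on Python’s `ast` module that renames identifiers and encrypts string literals so they are only decoded at run time. The function name `obfuscate_source`, the XOR key, the `_oN` naming scheme and the sample `SOURCE` program are all assumptions made for the demonstration; commercial obfuscators work on compiled code and use far stronger transformations, but the principle is the same.

```python
"""Added example: a minimal identifier-renaming and string-encrypting
obfuscation pass over Python source, using the standard ast module."""
import ast
import base64
import builtins

KEY = 0x5A  # constructed single-byte XOR key; real tools derive a key per build

# Constructed sample program: a license check whose secret is visible in plain text.
SOURCE = '''
def check_license(user_key):
    expected = "SECRET-1234"
    return user_key == expected
'''


def _encode(text):
    """XOR every byte with KEY and base64 it so no plaintext survives in the output."""
    return base64.b64encode(bytes(b ^ KEY for b in text.encode())).decode()


# Run-time decoder that is prepended to the obfuscated module.
DECODER = f'''
import base64 as _b
def _d(x):
    return bytes(b ^ {KEY} for b in _b.b64decode(x)).decode()
'''


class Obfuscator(ast.NodeTransformer):
    """Rename user-defined names consistently and replace string constants
    with calls to the run-time decoder."""

    def __init__(self):
        self.names = {}  # original name -> obfuscated name

    def _rename(self, name):
        if name.startswith("__") or hasattr(builtins, name):
            return name  # leave dunders and builtins alone
        if name not in self.names:
            self.names[name] = f"_o{len(self.names)}"  # '_o' prefix cannot collide with '_d'
        return self.names[name]

    def visit_FunctionDef(self, node):
        node.name = self._rename(node.name)
        for arg in node.args.args:
            arg.arg = self._rename(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        node.id = self._rename(node.id)
        return node

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            # Replace "literal" with _d("<encrypted>"); the new node is not revisited.
            return ast.Call(func=ast.Name(id="_d", ctx=ast.Load()),
                            args=[ast.Constant(value=_encode(node.value))],
                            keywords=[])
        return node


def obfuscate_source(src):
    """Return (obfuscated_source, rename_map) for the given Python source."""
    tree = ast.parse(src)
    obf = Obfuscator()
    tree = obf.visit(tree)
    ast.fix_missing_locations(tree)
    return DECODER + ast.unparse(tree), obf.names


if __name__ == "__main__":
    out, names = obfuscate_source(SOURCE)
    print(out)
    print("rename map:", names)
```

The output still behaves identically (the renamed `check_license` accepts the same key), but neither the function name nor the secret string appears in the emitted text, which is exactly what makes static inspection and simple `strings`-style triage less useful to an attacker. The decoder itself is a single point an analyst would target, which is why real products also obfuscate the decoder and vary the scheme per build.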

Detection

Dynamic analysis detection: This approach embeds a security system into an application so it can judge whether its current execution environment is controlled by an attacker. Dynamic analysis detection identifies dynamic reverse engineering attempts using debuggers, emulators, binary instrumentation engines (Frida), or hooking engines (Cydia Substrate). These mechanisms detect anomalous environments and breach attempts in real time and can wipe the app’s user data, keys, and other information to deter attacks. They may also terminate the app itself and alert the administrator to the incident.
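As an added illustration (this is not code from the original post or from CYBERCRYPT), the following Python module shows the shape of such an embedded check on a Linux/Android process: it reads the procfs views the kernel already exposes and flags an attached debugger (`TracerPid`), instrumentation or hooking libraries mapped into the process, and a listener on Frida’s default server port, then wipes in-memory keys and marks the app for termination. The procfs layouts are standard; the library-name fragments in `SUSPECT_LIBS`, the `AppState` stand-in and all sample inputs are assumptions constructed for the example.

```python
"""Added example: a minimal dynamic-analysis detector reading procfs on
Linux/Android, with a wipe-and-terminate response."""

# Name fragments of shared objects that indicate instrumentation/hooking engines
# (assumed list; tune per platform and keep it updated).
SUSPECT_LIBS = ("frida-agent", "frida-gadget", "substrate", "xposed")
FRIDA_DEFAULT_PORT = 27042  # frida-server default; 0x69A2 in /proc/net/tcp


def tracer_pid(status_text):
    """Return TracerPid from /proc/self/status text (0 means no debugger attached)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def suspect_mappings(maps_text):
    """Return mapped file paths (from /proc/self/maps) matching a suspect library name."""
    hits = set()
    for line in maps_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and any(s in parts[5].lower() for s in SUSPECT_LIBS):
            hits.add(parts[5])
    return sorted(hits)


def listening_ports(tcp_text):
    """Return local ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in tcp_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) > 3 and parts[3] == "0A":
            ports.add(int(parts[1].rsplit(":", 1)[1], 16))
    return ports


def assess(status_text, maps_text, tcp_text):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    pid = tracer_pid(status_text)
    if pid:
        findings.append(f"debugger attached (TracerPid={pid})")
    for path in suspect_mappings(maps_text):
        findings.append(f"instrumentation library mapped: {path}")
    if FRIDA_DEFAULT_PORT in listening_ports(tcp_text):
        findings.append(f"listener on frida default port {FRIDA_DEFAULT_PORT}")
    return findings


class AppState:
    """Stand-in for the app's in-memory secrets; the response wipes them."""

    def __init__(self):
        self.keys = {"session": "constructed-token"}
        self.terminated = False

    def respond(self, findings):
        """Wipe keys and flag termination when anything was detected."""
        if findings:
            self.keys.clear()
            self.terminated = True
        return self.terminated


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""  # not Linux or procfs unavailable: the checks simply find nothing


def scan_live_process():
    """Run the checks against the current process's own procfs entries."""
    return assess(_read("/proc/self/status"), _read("/proc/self/maps"), _read("/proc/net/tcp"))


# Constructed procfs samples (clean vs. instrumented process).
CLEAN_STATUS = "Name:\tapp\nTracerPid:\t0\n"
DEBUGGED_STATUS = "Name:\tapp\nTracerPid:\t4242\n"
CLEAN_MAPS = "7f00000000-7f00001000 r-xp 00000000 fd:01 1 /system/lib64/libc.so\n"
HOOKED_MAPS = CLEAN_MAPS + "7f00100000-7f00200000 r-xp 00000000 fd:01 2 /data/local/tmp/re.frida.server/frida-agent-64.so\n"
TCP_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
CLEAN_TCP = TCP_HEADER + "   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0000000000000000 100 0 0 10 0\n"
FRIDA_TCP = CLEAN_TCP + "   1: 00000000:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0000000000000000 100 0 0 10 0\n"

if __name__ == "__main__":
    state = AppState()
    found = assess(DEBUGGED_STATUS, HOOKED_MAPS, FRIDA_TCP)
    print("sample findings:", found, "-> terminated:", state.respond(found))
    print("live process findings:", scan_live_process())
```

Each check is cheap and trivially bypassed on its own (an attacker with a hooking engine can hook the check too), which is why products layer many such probes, spread them through the code, obfuscate them, and vary the response so that a bypass is not obvious from a single crash.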

CYBERCRYPT

We help companies develop secure products