The mobile app security risk is growing
By Mandeep Khera, chief marketing officer, Arxan
For baseball players, it’s an MVP season; for actors, an Oscar; for musicians, best single or album. Every field has its ultimate accomplishment, a holy grail. Hackers have it too: online payment information which is not seasonal, but a gift that keeps on giving.
The more retailers, financial services companies, government agencies and others interact with customers through mobile apps, the bigger a target those apps become for fraudsters, who can resell the stolen payment information on the dark web or use it to buy goods fraudulently.
Organizations must meet these risks head on if they want to protect their brands, keep mobile-related revenue flowing and continue to expand the mobile capabilities that are so popular with consumers. Yet despite widespread concern about security, they often are still ill-prepared for the dangers.
The very nature of the mobile payment process, with its multiple entities and electronic handoffs, gives rise to security issues. A single transaction passes through the acquirer, the card issuer, the payment card network and other parties sitting between the consumer and the merchant, and cyber criminals can attack any of those handoff points.
Though many organizations work hard at securing networks and applications in their data centers, they tend to purchase technology that protects internal enterprise resources but which doesn’t adequately defend binary code once apps are on customer devices. Plain and simple, apps aren't as hardened as they should be once they're "in the wild."
Anyone who obtains the app package can decompile or disassemble it with freely available tools. From there an attacker can lift hardcoded credentials and API keys, insert malicious code, patch out security checks such as root or jailbreak detection, reverse-engineer proprietary logic, or extract the cryptographic keys that host card emulation (HCE) payment applications must keep on the device.
Organizations should know from years of experience protecting other IT assets that bad actors will evolve their techniques and come up with new ways to exploit mobile security holes. But unfortunately, too many enterprises aren’t doing enough to protect their mobile security investments.
Interestingly, impediments to better mobile app security often result not from technological barriers but from organizational and cultural ones.
For example, the popularity of mobile devices is increasingly pressuring companies to release apps as quickly as possible, and this "rush-to-release" mentality makes it all too easy to put code into production that has not been adequately tested for security vulnerabilities.
In some organizations, confusion exists over who even owns security within the development, testing and implementation process for mobile apps. Is it the chief security officer, or the application development team, or the head of product engineering, or the lines of business? In some companies, it can look like the baseball misplay when two fielders converge to catch a fly ball, one looks at the other and the ball falls to the ground.
Even in cases when lines of responsibility are clear, some organizations suffer from a lack of internal policies or rules that clarify security requirements.
Many organizations simply do not allocate sufficient budget to protect mobile apps. Or they only spend reactively – when a serious breach occurs or a hacking incident at another company gains widespread media coverage or when new governmental regulations are issued.
Organizations need to employ in-depth defense of their mobile apps – especially ones that are most attractive to cybercriminals due to potential monetary gain – but a consistent sense of urgency across companies and industries seems to be lacking.
Another factor that must be taken into account is that most users are oblivious to security issues in the apps on their phones. Many believe the smartphone platform itself provides all the protection they need. The platforms do ship with some security features, but those features are far from complete, and they do nothing to protect the internals of high-value apps such as mobile banking and mobile payment apps, which are exactly the ones criminals target.
Most malware targeting mobile payment applications reaches victims' devices by tricking users into tapping a link in a text message, or by masquerading as an Adobe Flash installer, a popular game or some other utility distributed through third-party app stores.
These Trojans first hook into the operation of legitimate apps, then draw an overlay screen that mimics the login or payment form of each app they are built to harvest. When the user enters credentials or card details into the fake form, the data is sent to the criminals' server, the overlay disappears and the legitimate app continues as normal. To the user, the whole process looks genuine.
Users should take basic precautions such as keeping their operating system up to date, installing anti-malware protection and not tapping on messages that look even slightly suspicious. Even careful users cannot fix the other half of the problem, however: an attacker does not need access to the victim's device to obtain the app itself. The same package anyone can download from the app store can be decompiled and reverse-engineered at leisure to extract credentials and keys.
The obligation therefore lies with app providers to ensure their shipped binaries are hardened. Application hardening should be a standard step in the software development cycle, normally performed after vulnerabilities in the source code have been tested for and fixed, and just before the release build is produced. Hardening techniques include obfuscation, which makes decompiled code far harder for an attacker to read and follow; encryption of embedded strings, resources and code sections; and anti-tamper and anti-debugging checks. None of these makes reverse engineering impossible, but together they raise its cost substantially and give the provider a way to detect a modified app.
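The following Python script is an added example, not code from the article or from Arxan, showing what "easily decompile and steal credentials" means in practice and what one hardening technique, build-time string encryption, changes. It runs over a constructed byte blob that stands in for an app package (the `dex\n035\0` header magic is the real Android DEX magic, everything else is made up): a `strings`-style scan recovers a hardcoded API key in plaintext, and a sliding-window entropy scan locates a raw 16-byte key. The "hardened" build encrypts the secret with a keystream derived from a build seed; `xor_keystream`, `BUILD_SEED`, the layout constants and the sample secrets are all assumptions chosen for the demonstration.

```python
"""Hardcoded secrets in a shipped binary: recovery and one hardening step.

Added example, not part of the original article. The 'binary' is a constructed
byte blob standing in for an app package; the secrets are made up.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed sample secrets (not real credentials).
PLAIN_KEY = b"api_key=AKIAEXAMPLEKEY1234567890"
RAW_KEY = bytes(range(0x10, 0x20))          # a 16-byte symmetric key, as an HCE app might embed

# Constructed layout: 32 zero bytes, then the real Android DEX magic, then the secrets.
HEADER = b"\x00" * 32 + b"dex\n035\x00"
SECRET_OFF = len(HEADER)                    # offset of the API key string (40)
RAW_OFF = SECRET_OFF + len(PLAIN_KEY) + 8   # offset of the raw key (80)

# Assumed per-build seed; in a real hardening product it would itself be obfuscated.
BUILD_SEED = bytes.fromhex("9f1c4e7ab3d2056f8e91c27d44aa0b13")


def build_unhardened_binary():
    """Release build with both secrets stored exactly as the developer typed them."""
    return HEADER + PLAIN_KEY + b"\x00" * 8 + RAW_KEY + b"\x00" * 32


def printable_strings(blob, min_len=8):
    """The `strings` utility in two lines: runs of printable ASCII of min_len or more."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def shannon_entropy(window):
    """Bits of entropy per byte over a window; a 16-byte window tops out at 4.0."""
    counts = Counter(window)
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_windows(blob, size=16, threshold=3.5):
    """Sliding-window entropy scan. Key material and ciphertext show up as dense,
    high-entropy runs; zero padding and code with repeated opcodes do not."""
    return [(i, blob[i:i + size])
            for i in range(0, len(blob) - size + 1)
            if shannon_entropy(blob[i:i + size]) >= threshold]


def xor_keystream(data, seed):
    """Stand-in for a hardening tool's string encryption: XOR with a SHA-256 counter
    keystream derived from the seed. Symmetric, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_hardened_binary():
    """Same layout, but both secrets are encrypted at build time and the seed the
    runtime decryptor needs is appended to the package."""
    enc_secret = xor_keystream(PLAIN_KEY, BUILD_SEED)
    enc_raw = xor_keystream(RAW_KEY, BUILD_SEED + b"raw")
    return HEADER + enc_secret + b"\x00" * 8 + enc_raw + b"\x00" * 32 + BUILD_SEED


def decrypt_at_runtime(blob):
    """What the shipped app does just before using the key: the plaintext now
    exists only in process memory, never in the package on disk."""
    return xor_keystream(blob[SECRET_OFF:SECRET_OFF + len(PLAIN_KEY)], BUILD_SEED)


def main():
    plain = build_unhardened_binary()
    print("unhardened strings:", printable_strings(plain))
    print("unhardened high-entropy offsets:", [i for i, _ in high_entropy_windows(plain)])

    hard = build_hardened_binary()
    print("hardened strings:", printable_strings(hard))
    print("hardened high-entropy offsets:", [i for i, _ in high_entropy_windows(hard)])
    print("runtime decrypt recovers:", decrypt_at_runtime(hard))


if __name__ == "__main__":
    main()
```

Two things worth noticing when this is run. The string scan of the hardened build no longer contains `api_key=...`, which is the whole point of string encryption: a casual `strings` or grep pass over the package finds nothing. The entropy scan, however, still flags the encrypted secret, the encrypted raw key and the seed, because ciphertext is as dense as key material. Encrypting embedded data therefore relocates the problem rather than removing it: an attacker who finds the decryption routine and the seed in the binary recovers the secret exactly as `decrypt_at_runtime` does. That is why hardening products pair string encryption with control-flow obfuscation, anti-debugging and, for keys that must survive on a hostile device, white-box cryptography.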
Cryptographic keys deserve the highest priority, because they perform the most sensitive tasks: binding a device to an account and proving the user's identity to the back end. One of the most effective ways of protecting keys that must live on the device is white-box cryptography, which is designed so that the key cannot be extracted even by an attacker who can read and trace the code. The author reports that key data in Host Card Emulation solutions of the kind commonly used by payment apps remained protected after 160 hours of independent intrusion testing.
Consumers should ask what security precautions their retailers, banks and others they do business with are taking at the application level.
For app providers and the mobile payments market, the stakes are high. Nearly three in four people who do not use mobile apps cited security as the main reason why, according to a Federal Reserve Board survey.
It would be a terrible shame if the industry let a lack of focus on mobile app security stand in the way of continued growth.