Mobile devices and the apps that live on them are finally being recognized as serious threats to enterprise security. Three-fifths of the senior professionals responsible for the procurement, deployment, and security of mobile devices say that they are their company’s biggest security risk, and more than three-quarters (76%) said they’d come under pressure to sacrifice these devices’ security for expedience, according to the 2021 Verizon Mobile Security Index.
By Tom Tovar, CEO and Co-creator of Appdome
Apps on these devices represent a serious security risk. Nearly one in ten organizations (8,2%) encountered malware on a mobile device in 2020, which was nearly four times more than in 2018. Additionally, one in 25 apps was found to leak sensitive credentials.
That’s important, because 49% of frontline workers and 57% of information workers are equipped with mobile devices, and almost nine in 10 of U.S. enterprises (87%) say their people will continue working from home at least part of the time once pandemic restrictions lift, according to IDC.
The implications for enterprises are clear: employees will be using mobile apps to do their jobs, and they’ll be doing so outside the firewall, which will require a new approach to security. After all, firewalls do a pretty good job of keeping unauthorized traffic from coming into the corporate network, but mobile devices are operating well outside that perimeter. Behind a firewall, to connect to servers outside the perimeter, users must first present themselves as real and authorized, and the server must also prove its authenticity.
Protecting Mobile Apps
Nearly all mobile devices must connect to multiple networks and servers in order to function. After all, it’s not too much of an exaggeration to describe a mobile app as a wrapper around a collection of APIs. Without a connection to services outside the corporate network, most mobile apps can’t function or, if they do function, it’s with limited capabilities.
Additionally, anyone can go get a mobile app, so long as it’s published on one of the many public app stores. No permission is necessary, and there’s no need to present who you truly are. At most, the user needs an email address, and those are simple to come by. As a result, the app must be able to protect itself, and not just from external threats. Improperly protected apps can be compromised by trojans and other malware that the user may inadvertently install on their device.
Because the data in an enterprise app is valuable to malicious actors, they contain information on your employees, URLs to back-end servers, secrets that enable the app to access those servers, and more. With this information, a hacker could penetrate the firewall, set up shop inside your environment, and move laterally across the network to infect and compromise valuable digital assets.
“But what about the app sandbox?” I can hear some readers saying, “Isn’t that a protected, sealed-off area where the app runs?” It is, but apps can request permission from other apps to interconnect. You’ve surely seen these requests, yourself, and if you’re like most users, you accept them without giving it much thought. Mobile malware preys on this tendency to gain access to enterprise apps and, if the data inside isn’t properly protected, it’s at risk.
To protect mobile apps, CISOs need to ensure that both proprietary and licensed business apps address the following common mobile app security weaknesses.
Weak or Incomplete App Hardening
Any mobile app’s first line of defense must be hardening the app by “shielding” it with Runtime Application Self-Protection (RASP) measures such as jailbreak/rooting prevention, anti-debugging, anti-tampering, and anti-reversing. All too often, these protections are implemented in a superficial manner — for example, an anti-tampering measure that only checks at app installation or is included in mostly un-obfuscated source code where developer tools can easily eliminate it.
Lack of Obfuscation
If the source code isn’t properly obfuscated, attackers can use common disassemblers, decompilers, and debuggers to reverse-engineer apps and reveal the source code. More sophisticated hackers can abuse dynamic instrumentation toolkits to inject code dynamically into memory while the app is running to change logic, functionality, state, and behavior.
In so doing, cybercriminals can learn how to launch devastating attacks on an organization’s back-end servers, obtain free services (such as free items that would normally require an in-game purchase) and create effective trojans that look and feel like a genuine app.
Weak or Insufficient encryption
Many apps fail to encrypt sensitive data stored within them sufficiently, and some even forgo encryption altogether. It’s not difficult to access API keys and secrets if they’re stored unencrypted as strings within apps, and, unfortunately, that’s frequently the case. For example, hackers can also intercept login credentials in the clear when they traverse a network to log into their bank account via the app.
Encryption is a standard security measure, but it’s difficult to do because it can break sharing authentication and authorization with other apps and servers if not properly implemented. Additionally, the many different varieties of key size and strength, cipher strength, and encryption algorithms differ. It’s difficult to know which will provide sufficient protection without degrading performance if you’re not an expert. After all, encryption is a resource-hungry activity, and if it’s not performed efficiently, an app can slow to a crawl.
Securing These Exploits is Difficult
To ensure that apps can protect themselves in the wild outside of the network perimeter, the enterprise needs to ensure its apps employ a layered approach to security. Apps must be sufficiently hardened to prevent tampering, debugging, and reversing. Data must be encrypted both in transit and at rest, and dynamic key generation techniques must be applied to data that will be stored in the app sandbox. Certificate validation must be employed to protect against man-in-the-middle attacks, and code must be properly obfuscated to hide it and the secrets it contains from prying eyes.
Given the difficulty, too many enterprise apps are released without proper security. And that’s a serious mistake, especially since it’s no longer necessary to manually encode software. Software development kits (SDKs) do provide some security, though the quality varies, and integrating them still requires a significant amount of manual coding. More recently, fully automated platforms have emerged that can fuse strong security to an app binary in minutes.
However, a CISO chooses to ensure their apps are secure; they must be protected because, in the world of mobile apps, there is no firewall.
About the Author
Tom Tovar is CEO and co-creator of Appdome, the mobile industry’s first no-code mobile security solutions platform. Prior to Appdome, Tom served as executive chairman of Badgeville, an enterprise engagement platform acquired by CallidusCloud; CEO of Nominum, a DNS security and services provider that was acquired by Akamai; and chief compliance officer and VP of corporate development and legal affairs at Netscreen Technologies. He began his career as a corporate and securities attorney with Cooley Godward LLP.
Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.