Your Mobile App Security Guide: Averting Common Threats

In terms of mobile security, this year has been a turbulent one for the business world. According to the latest Mobile Security Index report by Verizon, 39% of organizations experienced a safety incident that involved a mobile or IoT device, compared to 33% in 2019 and 27% in 2018; in two cases out of three, the financial, reputational and regulatory consequences were major.

This increase is particularly distressing given that today businesses are more attentive to their security and less likely to sacrifice mobile protection for the sake of expediency or convenience. On the one hand, it can be attributed to a spate of activity from cybercriminals, who took advantage of the growing importance of mobile amid the lockdown and the pivot to telework. On the other, we shouldn’t rule out the possibility that this amplified security awareness affected the final percentage, as it allowed companies to identify incidents as specifically mobile-related. The truth is, as always, likely to lie in the middle. 

To understand the mobile security landscape better, let’s look into the safety risks that plagued consumer and corporate mobile applications this year.

Phishing is a social engineering type of attack where trustworthy entities are replicated or imitated to convince the victim to open a malicious link or message or submit personal information in other ways. Phishing scams appeared in the 90s and remain the most persistent security threat of today.

To keep their exploits successful against the evolving defense mechanisms, hackers constantly come up with new complex phishing schemes. Email applications would be an obvious ground for a phishing scam, but with companies implementing filtering tools and users growing warier of suspicious text communications, cybercriminals had to diversify their delivery mechanisms. Moreover, most companies use a DMARC record generator tool to ensure proper email authentication and security. Of late, mobile apps earned their special attention.

As a result, 87% of successful mobile phishing attacks occur outside of email, state the 2020 Mobile Threat Landscape Report by Wandera. Cybercriminals exploit social media, messengers, retail apps, productivity tools, and mobile games. There has also been a rise in phishing scams targeting banking apps: in one case, the fraudsters went as far as modifying a Spanish bank app to steal user credentials and upload it to the App Store. CEO fraud is another novel type of phishing scams where cybercriminals impersonate senior executives and ask employees to make a corporate funds transfer.

Why is mobile phishing particularly effective? For one thing, smartphone screens are smaller, so it’s harder to see the difference between the official app page and a fraudulent one. People also tend to operate mobile phones at a higher speed and log in credentials almost automatically. What is more, there are many techniques for disguising malicious URLs and presenting them inconspicuously, such as punycode or homoglyphs.

Malware is malicious software that aims to gain access to sensitive data or undermine a device’s functionality. Today, malware comes in all shapes and sizes: from adware, an annoying but harmless solution that displays unwanted advertisements, to ransomware that steals sensitive data for ransom, to spyware that allows hackers to monitor a device owner’s activities.

Cryptojacking is a novel type of attack that has already managed to affect many via the mobile channel. This malware utilizes an infected device’s resources to mine cryptocurrency, draining its power and resources. In the long run, cryptojacking may disrupt operations and undermine a company’s performance.

With official app stores growing more stringent about the app quality and security of submitted apps, cybercriminals are forced to come up with imaginative ways of spreading malware. Some upload their malicious apps to non-official stores, disguising them as an entertaining or useful solution in hope that someone keen on sideloading or jailbreaking will download it. Recently, hackers learned to make the malware ‘elusive’ so that it stays dormant for weeks and months or until triggered.

Others may seek out weak spots in popular apps’ new versions or updates, leaving no brand invincible. In May of 2019, hackers exploited a WhatsApp vulnerability to run a malicious code that allowed them to inject spyware into victims’ phones via a simple call. Around 1,400 users of the app’s 1.5 billion audience were affected before the company urgently released an update that patched the security fault. 

Wi-Fi connection is another risk point for users of consumer and business mobile apps. While access points at home or in the workplace can generally be trusted, it’s easy to come across a rogue or unsecured access point in public spaces, such as hotels, cafes, airports, supermarkets, etc.

Such connections are fraught with security risks of varying degrees of severity. Gaining control over a poorly secured hotspot or using a fake one, hackers may intercept mobile traffic via a man-in-the-middle attack and steal app credentials, confidential documents, and other sensitive information.

Another attack scenario is malware injections. Intercepting the web server’s unencrypted response before the user gets it, cybercriminals insert the hidden malicious code into it, which goes on to undermine the mobile application and then the entire device.

Aware of the risks, 48% of companies prohibit employees from using public networks for work, while 65% ask to use VPN over a public network, the 2020 Verizon Mobile Security Index discovered. Still, according to the 2020 Wandera report, 7% of users connect to insecure access points each week. One may do it out of critical necessity, for instance, when stuck in an airport with no other connection but a public hotspot. Others break the rules being too certain of the Wi-Fi network legitimacy, but since rogue hotspots assume the name of well-reputed companies and brands, they are impossible for an untrained eye to tell apart from reliable ones.

A lost smartphone is a fact of life, albeit not a pleasant one. Yearly, thousands of personal and corporate mobile devices get lost or stolen, and a fair share ends up in the hands of someone who can make use of the owner’s identity or the sensitive information the phone stores. Even though this type of attack is the most obvious to mitigate and prepare for, 20% of companies consider their defenses against mobile theft or loss inadequate, as Verizon found in their report.

Sometimes, criminals don't need to take hold of the mobile phone — a few minutes with an unprotected device can be enough to plant malicious malware. Since most people tend to consider their workplaces a safe zone and don’t hesitate to leave devices unattended, such an attack can easily occur in a large open-space office.

Juice jacking is another common cyberattack that requires physical access to a mobile phone. By tampering with a USB charging station in a public place, a cybercriminal can leak passwords and data from the plugged devices or install malware onto them. Given that 40% of business travelers and 28% of personal travelers often rely on public charging ports according to IBM’s Cybersecurity Threats Growing in Travel and Transportation Industries study, juice jacking poses a viable threat to many people.

The security of customer mobile apps is another source of deep concern for businesses. For one thing, retrofitting an app with multiple advanced protection layers is bound to not only make it cumbersome and diminish its user-friendliness but also to prove expensive to maintain. Over and above, no brand can compel their customers to observe the necessary security precautions or install monitoring solutions.

To safeguard customers from mobile security troubles without subjecting them to limitations, companies need to balance the following strategies: security-first development, continuous refinement of the app source code, and customers’ security education.

A dismaying number of mobile apps are released with inherent vulnerabilities because developers tend to treat security as an afterthought. By integrating software security testing into the development lifecycle, you will build a high-quality mobile app that is resilient to mainstream hacker exploits and stay sustainable in the long run.

Creating a secure-by-design application begins with analyzing domain- and functionality-specific security risks and collecting security requirements. At the design stage, the team should conduct threat modeling to understand how attackers could compromise the software. In their turn, the engineers should implement relevant security controls into the source code and continuously review it for weak spots.

Before releasing the solution to the general public, the app is once more subjected to an all-round security assessment, where all the vulnerabilities in the source code and gaps in the protection mechanisms are detected and mended.

In case you want to outsource the creation of your branded mobile app, it’s recommended you seek out a dedicated development team that not only has relevant skills and experience but also prioritizes the security-first approach and leverages best security practices.

Solid source code is not enough to render your customer-facing mobile app impregnable. Down the line, the default security controls may grow outdated and inefficient against evolved exploits. There can be bugs undermining the app’s integrity, too. For this reason, you need to closely monitor the app’s security health and new types of cyberattacks to safeguard it against threats.

Security patches, a set of corrections in the source code, are great tools against imminent security risks. A patch, however, is a single solution to a single issue, usually not a major one. When your mobile app is ridden with security loopholes which make it a permanent target of exploits, or if it employs subpar security controls, then an upgrade is required.

Regrettably enough, your efforts to render your mobile app secure might be thwarted by none other than your customers. Your team may equip the application with sophisticated in-built security controls, but your customer might simply turn off multi-factor authentication for the sake of convenience and fall victim to a mundane exploit. Or you might release critical patches and updates but customers, unaware of their importance, fail to install them, as was the case with the WhatsApp spyware incident. One month after the attack announcement, 20% of devices remained unpatched.

That’s why it is important to educate mobile app users about efficient security practices and why following them is important. Since you can’t hold full-scale security training for each of your customers, you should devise a format that will be both informative and unobtrusive. It is also necessary to keep mobile app users in the know about emerging attacks and how they may look like, as well as providing an escalation if necessary.