Editor's note: This post was originally published in September 2021 in Threatpost.
There are two essential elements driving progress in today's digital-first economy: Mobile applications and APIs. An API (Application Programming Interface) is software that allows applications to communicate and exchange data with each other.
The growth in these two technologies has exposed users and their data to significant security threats, namely:
- Hackers can easily access devices through mobile apps.
- Unsecured APIs expose Personally Identifiable Information (PII) to potential attackers.
Mobile app security threats have risen over the years. Below are some alarming statistics:
- In 2019, 93% of mobile transactions in up to 20 markets were found to be fraudulent and blocked.
- According to Microsoft, 60% of an organization's endpoints are mobile and unprotected. The pandemic has led to more teams working remotely and using their mobile devices for work. Research by IBM has established that remote teams increase the average costs of a data breach by $137,000.
- $8.19 million is the average cost of a data breach.
How Bad Actors Exploit Mobile Attack Surfaces To Hack Your Device
Mobile applications work with the assumption that legitimate users use your app without malicious intentions. As a result, hackers will use attack surfaces to extract confidential information they can use to penetrate your device. There are five attack surfaces that bad actors target to gain access to your data:
- User Credentials
- App Integrity
- Device Integrity
- API Channel Integrity
- API and Service Vulnerabilities
The Process of Targeting Your Applications
A cybercriminal can launch an attack across the surfaces above through the detailed process we outline below:
Attack Preparation
There are four ways of preparing an attack:
- Acquire user credentials through phishing, spoofing, and data acquired through the dark web. This data is typically gained through data breaches and sold to shady web intermediaries.
- Attack the app's integrity to extract the API's information and abuse the app's business function.
- Abuse the device's integrity to acquire client information for malicious reasons.
- Tamper with channel integrity to intercept secrets and gain access to the app's logic.
Attack Execution
After preparing the paths to gain access and collecting information, these are the methods hackers use to execute their attack strategy:
- Use acquired information to construct valid queries and set up automated tools that target the API.
- Harvest data using new or commonly known loopholes such as fake application forms, links, and attachments containing malware.
- Abuse the API business logic to request more money from users or to push users to make false purchases.
- Interfere with the operation of the service to slow down or divert user requests.
- Use harvested information to tamper with the app and deploy a modified version to divert financial transactions, advertising revenue, or steal data.
7 Ways To Protect Mobile Apps and APIs from Attackers
Below are the best strategies to protect your mobile applications from hackers:
1. Prevent Insecure Communication
Allow a connection only after the app has verified the identity of the server it is talking to. Implement Secure Sockets Layer/Transport Layer Security (SSL/TLS) on every transport channel that carries sensitive data such as credentials and tokens.
You should also use certificate pinning together with certificates issued by trusted Certificate Authorities, and reject self-signed certificates.
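The following is an added example, not code from the original article or from Approov. It shows, in Python's standard `ssl` module, the transport configuration the section argues against beside the one it recommends, plus a certificate pin check on the SHA-256 of the server's leaf certificate. The certificate bytes and the resulting pin are constructed for illustration; a real app takes its pins from the certificate it actually deploys, and `connect_pinned` is the only function here that touches the network.

```python
import hashlib
import socket
import ssl

# Constructed sample: stands in for the DER bytes of a server's leaf certificate.
# In a real app the pin is computed from the deployed certificate, never typed in.
SAMPLE_LEAF_DER = b"constructed-leaf-certificate-bytes-for-illustration"
PINNED_SHA256 = {hashlib.sha256(SAMPLE_LEAF_DER).hexdigest()}


def insecure_context() -> ssl.SSLContext:
    """What NOT to ship: hostname check off and any certificate accepted.
    Anyone on the path can present their own certificate and read the
    credentials and tokens the app sends."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Verify the server's chain against trusted CAs and check the hostname.
    A self-signed certificate fails here because no trusted CA signed it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pin_matches(leaf_der: bytes, pins: set[str]) -> bool:
    """Certificate pinning: the SHA-256 of the presented leaf certificate
    must be one of the pins compiled into the app."""
    return hashlib.sha256(leaf_der).hexdigest() in pins


def connect_pinned(host: str, port: int, pins: set[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.
    Network call; not exercised by the offline checks."""
    ctx = secure_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch; refusing to send credentials")
    return tls
```

Pinning the whole leaf certificate means the pin set has to be updated whenever the certificate is renewed; pinning the public key (SPKI) instead survives renewals that keep the same key, at the cost of parsing the certificate, which the standard library does not do on its own.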
2. Validate Input Information
Input validation checks that credentials and login information are structured as expected, so that malicious input cannot reach your app's logic.
Validation takes place before a mobile application accepts the user's personal information. This process protects the app from attackers injecting destructive code into your app.
Input validation should also apply to your third-party vendors and partners. Attackers might try to hack your app by pretending to be your service provider or a trusted regulator.
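As an added example (not code from the article or from Approov), here is a server-side validator for a login request that rejects anything outside an allow-list of field names and formats, followed by a parameterised database lookup so that whatever survives validation is still treated as data rather than SQL. The field names, length limits, token alphabet and the in-memory user table are all assumptions constructed for the example.

```python
import re
import sqlite3

# Allow-lists: what a well-formed field looks like. Anything else is rejected
# before it reaches application logic or a query. (Constructed for the example.)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,256}$")   # opaque device token, URL-safe base64 alphabet
EXPECTED_LOGIN_FIELDS = {"username", "password", "device_token"}


def validate_login(payload) -> list[str]:
    """Return the list of validation errors for a login request (empty list = valid)."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors = []
    unexpected = set(payload) - EXPECTED_LOGIN_FIELDS
    if unexpected:
        errors.append(f"unexpected fields: {sorted(unexpected)}")
    for field in sorted(EXPECTED_LOGIN_FIELDS):
        if field not in payload:
            errors.append(f"missing field: {field}")
    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors.append("username: 3-32 chars, letters, digits, '_', '.', '-' only")
    password = payload.get("password")
    if not isinstance(password, str) or not 12 <= len(password) <= 128:
        errors.append("password: 12-128 characters")
    token = payload.get("device_token")
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        errors.append("device_token: malformed")
    return errors


def build_user_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("admin", "admin")])
    return conn


def lookup_role(conn: sqlite3.Connection, username: str):
    """Parameterised query: the username is bound as data, never spliced into
    the SQL text, so its shape cannot change what the statement does."""
    row = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None
```

The same validator should run on every entry point, including callbacks from partners and vendors, since the text above notes that attackers impersonate trusted third parties; the allow-list is what makes that impersonation fail, not the identity the caller claims.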
3. Secure Your App's Storage
Your mobile app's data storage is another avenue that attackers can target. Vulnerabilities occur in storage places such as SQL databases, cookies, configuration files, and binary data stores. Additionally, dangerous actors circumvent poorly implemented security features by bypassing encryption libraries. A common avenue that attackers target is jail-broken or rooted devices. When the owner jail-breaks/roots their device, they undermine the gadget's in-built security, making it easier for hackers to gain access.
To protect your data stores from attackers, encrypt local files that contain sensitive information using the platform's security library. You can also minimise the requests and permissions your app makes, so that other apps have fewer avenues to gain access.
4. Secure your Code
To reduce insecure and low-quality code instances, apply secure coding practices such as the OWASP Secure Coding Guidelines and use static analysis tools such as MobSF to check the security of your work during the development process.
Maintain consistent, secure coding principles that do not result in vulnerable code.
Once your code is ready to deploy, don’t forget to apply an obfuscation tool such as ProGuard to place a cloak around your labors and keep prying eyes off it.
5. Implement Proper Authentication and Authorization Practices
There are multiple ways to ensure proper authorization and authentication to protect mobile apps from attacks:
- Always authenticate requests on the server side. Authentication prevents malformed and harmful data from being loaded into the mobile application.
- Use encryption to safely protect the client's and your data, especially if the app requires access to the client's storage.
- Always verify the permissions of authenticated users using backend data only. Verification prevents attackers from using similar-looking credentials to gain access to your backend information and APIs.
- Use two-factor authentication to validate a user's credentials and identity.
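The list above is served by one added example (not code from the article or from Approov): a backend request handler that authenticates with a password check plus an RFC 6238 TOTP second factor, then authorises from a role table held on the server, ignoring any role the client claims about itself. The user records, secrets, role names and permission sets are constructed for the example; the TOTP routine itself follows the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed backend records. Roles live here, never in the request.
USERS = {
    "alice": {"role": "user",  "totp_secret": base64.b32encode(b"alice-demo-secret-01").decode()},
    "root":  {"role": "admin", "totp_secret": base64.b32encode(b"root-demo-secret-001").decode()},
}
PERMISSIONS = {
    "user":  {"read_own_profile"},
    "admin": {"read_own_profile", "read_all_profiles"},
}


def authorize(username: str, action: str) -> bool:
    """Decide from backend data only; a client-supplied role claim plays no part."""
    record = USERS.get(username)
    if record is None:
        return False
    return action in PERMISSIONS.get(record["role"], set())


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret_b32: str, submitted, now=None, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side; compare in constant time."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    counter = int((time.time() if now is None else now) // step)
    return any(hmac.compare_digest(totp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))


def handle_request(username, password_ok: bool, totp_code, action, claimed_role=None, now=None) -> str:
    """Server-side decision: authenticate (password + second factor), then
    authorise from backend data. `claimed_role` is whatever the client sent;
    it is deliberately unused."""
    record = USERS.get(username)
    if record is None or not password_ok:
        return "denied: authentication failed"
    if not verify_totp(record["totp_secret"], totp_code, now):
        return "denied: second factor invalid"
    if not authorize(username, action):
        return "denied: not permitted"
    return "ok"
```

`password_ok` stands in for the password verification the app's backend already does; the point of the example is the order of checks and that the role lookup never consults the request.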
6. Prevent Reverse Engineering from Hackers
Reverse engineering is one way hackers attack an app's integrity. To prevent such scenarios, limit the client's capabilities and keep most of the app's functionality on the server side. For example, reduce user functionality and client-side permissions to prevent hackers from gaining access to your codebase. API keys are a security risk on their own and are difficult to hide in a mobile app, so protect against their illegitimate use by requiring a second, independent factor at the backend server alongside the API key.
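As an added example of the closing recommendation (not code from the article or from Approov, whose mechanism the page does not describe), the backend below refuses a request that carries only the API key and additionally demands a short-lived HMAC-signed token bound to the app identity. The secret that signs the token is held by the backend and the token issuer, never by the app, so a key lifted from a decompiled app is not enough on its own. The API key, secret, header names, token lifetime and app identifier are all constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values for the example.
API_KEYS = {"mobile-android-v3": "key_constructed_example_0001"}   # app id -> API key shipped in the app
ATTESTATION_SECRET = b"backend-only-secret-never-in-the-app"       # known to backend and token issuer only
TOKEN_TTL = 300  # seconds a token stays valid


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(app_id: str, now=None) -> str:
    """Issued by a separate service once it is satisfied the app instance is genuine.
    The app cannot mint these itself because it never holds ATTESTATION_SECRET."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"app": app_id, "exp": issued + TOKEN_TTL}, separators=(",", ":")).encode()
    sig = hmac.new(ATTESTATION_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(sig)}"


def verify_token(token: str, expected_app: str, now=None) -> bool:
    """Check signature first (constant time), then expiry and app binding."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64u_dec(payload_b64)
        sig = _b64u_dec(sig_b64)
        expected = hmac.new(ATTESTATION_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return False
    current = time.time() if now is None else now
    return claims.get("app") == expected_app and claims.get("exp", 0) > current


def check_request(headers: dict, now=None) -> tuple[int, str]:
    """Backend gate: the API key identifies the app, but only a valid, unexpired
    token bound to that same app lets the request through."""
    presented = str(headers.get("X-API-Key", ""))
    app_id = None
    for candidate, key in API_KEYS.items():
        if presented.isascii() and hmac.compare_digest(key, presented):
            app_id = candidate
    if app_id is None:
        return 401, "unknown API key"
    if not verify_token(str(headers.get("X-App-Token", "")), app_id, now):
        return 401, "missing or invalid app token"
    return 200, "ok"
```

Because the token carries an expiry, a captured one is only useful for a few minutes; binding it to the app identifier stops a token issued for one app from being replayed against another app's key.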
7. Protect Your Mobile Applications With Approov
Approov provides a run-time shielding solution that is easy to deploy and protects your mobile apps, APIs, and the channel between them from any automated attack. It effectively blocks the execution of attacks, irrespective of the already known vulnerabilities or those uncovered through testing. In addition, Approov API Threat Protection verifies your app's run-time safety and authenticity for optimum device protection.
For more information on Approov's API Threat Protection, try out our free demo today.