We're Hiring!

Capitalising on Uber's London Misadventure

London street view showing traffic; red telephone box in foreground

Rival Cab Companies Are Quick to Move, But Cyber Criminals May be Quicker

Transport for London (TfL)'s decision not to renew Uber's license to operate in London has been well publicised and, as it often happens in such cases, one party's loss is another party's gain. But who the short term gainers might be is not as obvious as first appears.

Users of the Uber service were naturally outraged at TfL's decision and many of them, so far over 850,000, expressed their feelings by signing an online petition. However, they also recognised that, just in case this decision is not overturned on appeal as many spectators think it might, they need alternative cab options to transport them around the UK's capital.

Predictably, those many regular Uber users have sought out and downloaded mobile apps belonging to rival companies, and here's where it gets interesting. According to a recent article which can be read here, there has been an immediate pick up in detected instances of malicious mobile apps which purport to belong to those rival companies. The rival companies of course are completely innocent in this game. It's not clear from the article how many of those malicious apps have been available in the app stores for some time and how many have been published since the TfL decision was made public on September 22nd. However, any that have been placed in the app stores in the last 2 weeks are clear evidence, as if it were needed, that the bad guys are both sophisticated and smart.

What's the Point of These Malicious Apps?

These fake malicious apps deceive consumers because they look very much like the real thing, right down to using the company logo in many cases. If you are not paying close attention, you can easily get fooled into downloading and installing them. You might think that the genuine companies would have the fake apps removed from the store and they do. However, this process can take 1-2 weeks and, for popular apps, they are no sooner removed that they appear again in a slightly different form. It's a never ending game.

As suggested in the InfoSecurity article referenced earlier, you should only use official app stores and you should also check the number of downloads to ensure you identify the genuine version. However, the mere existence of fake apps confirms that they are an effective vehicle for cyber criminals to do their worst.

There are a number of exploits which criminals might execute using fake apps. The app may have no purpose other than to deliver a malware payload which infects the mobile device. Such malware may be used to extract data from the phone, serve unwanted advertising, or even gain control over key system functions.

Credential stealing is another possible attack vector – since the consumer may enter his/her username and password into the app. These can be harvested and then reused in automated attacks against other enterprises, a practice known as credential stuffing.

Finally, the fake mobile app may in fact be using the genuine app's API in order to access backend assets. By creating a modified version of the app, the cyber criminal can utilize all of the mechanisms which the app uses to identify itself to its backend server. These mechanisms are usually based on secrets, such as API keys, which are commonly stored in the app itself. Therefore, spoofing the app lets the criminal hide behind the security inherent in the app, saving him/her a lot of trouble. Penetration of the network periphery is very hard to prevent in such cases because the traffic on the API is correctly formed and contains genuine user and app identification credentials. API abuse is something that we have written about extensively; here is one example from our blog pages.

Gaining Immunity from Malicious Apps

So far we have talked about what consumers need to do in order to protect themselves from malicious apps, but businesses who rely on their consumer mobile apps need to be vigilant also.

In a sense the existence of fake mobile apps is a form of flattery; if business isn't good and you aren't visible then the criminals won't target you. That said, businesses should always prepare for success – and therefore it is important to consider the issue of fake apps and how you can best protect your business against the damage they can cause.

Now, you might consider that malware infection of mobile devices and credential harvesting are not issues which directly impact the business of the genuine app owner so they don't matter too much. However, the user community can be fickle and can quickly turn against companies who they don't think are doing enough to take down fake apps which cause the end users inconvenience. Damage to brand reputation quickly has a negative effect on revenue.

API abuse, on the other hand, is a blatant attempt to circumvent payment or to exfiltrate valuable competitive or personal data. It is without question the most significant type of fake app behavior and preventative strategies such as bot mitigation must be put in place for it.

So, yes, enterprises must be vigilant and monitor the app stores for bogus apps, but this is neither sufficient nor is it foolproof. It is important to remember that the traffic generated by a fake app on the enterprise's API will be identical to traffic generated from a genuine app, making detection very difficult. Behavioral approaches which analyze the traffic are available but they have a tough job and they run the risk of false positives which will block genuine revenue-generating users – an enterprise's worst nightmare.

App legitimacy is what is needed here. In other words: establishing the authenticity and integrity of the mobile app, without using embedded secrets stored in the app, before accepting traffic from it. User authentication is a well established method for the remote user to identify himself/herself to a backend server; what we are proposing is software authentication to sit alongside it. You can find a more detailed explanation of this here.

The Uber example, and its impact on the volume of fake app instances relating to other London cab companies, shows just how fast and how sophisticated today's cyber criminal is when it comes to exploiting dynamic events in the market. For businesses where mobile is a significant channel, protecting your revenue means protecting your brand, and that means protecting your mobile app and API.

Considering the various attack vectors which have been discussed in this article, it should be clear that API abuse is a very real thing. The way to prevent it is to not only know who you are communicating with, but what you are communicating with.


David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.