Editor's note: This post was originally published in November 2021 in ThreatPost
Most users who install applications through legitimate channels such as Google's Play Store or the Apple Store do so with complete trust that their information is safe from malicious attacks. This makes sense because they're the official app stores across the globe.
However, despite tight security measures by Google/Apple, cybercriminals still find ways to bypass these checks. They do this through app impersonation. Since Android lets users side-load and install apps downloaded from non-store sources, cyber attackers take advantage by creating clone apps that mimic legitimate ones. They then use the fake apps to collect data or credentials for malicious use.
An example was when India banned TikTok. A clone called TikTok Pro came up immediately with malicious intentions to steal data from users' devices. Attackers also took advantage of Covid-19 fears to collect user data through fake tracking apps.
Cybercriminals are capitalizing on the remote-work trend as more companies allow employees to access business applications through mobile devices. Additionally, personal internet networks rarely have the kind of security measures available within an office environment, such as firewalls, which creates ample room for attackers to scrape business data.
Below we look at ways to identify app impersonation, tools to defend yourself from attacks, and measures to put in place for better security.
In addition to the examples given above, app impersonation occurs in many other ways. Remember, the sole nefarious intent of a cybercriminal is to access user data, backend APIs, and business information. Below are the two primary app impersonation methods identified:
Hackers have found an opportunity through cloning applications by creating similar-looking applications that impersonate legitimate ones. Hackers collect sensitive information such as banking details, credit card information, and biometric information through the cloned applications.
They use this information for malicious purposes like account takeover to redirect payments or syphon off rewards points. The objective may be as simple as to sell personal information on the dark web. As much as Google Play Store has implemented more robust security measures, they sometimes prove ineffective because this is purely a cat and mouse game; as soon as the rogue mobile apps get pulled out of the store, they come in again in another guise. Moreover, side-loading of apps is inadvisable but still happens, creating another attack vector.
API manipulation is a mechanism aimed at stealing business or personal data, or gaming a company’s business for commercial gain. It is carried out by exploiting vulnerabilities or bugs in the APIs themselves, or by using valid credentials which have been stolen from other businesses - or bought on the dark web - in order to access backend systems. Both attack vectors are based on scripts and use API keys which have been extracted from the mobile apps. Gartner's research estimates that APIs will be the leading attack surface by 2022.
These are three main methods that have proven effective defences against mobile app impersonation:
Many people believe that protecting mobile apps protects the APIs that they consume. Unfortunately this is false logic. In reality the genuine mobile app is a hacking toolbox for bad actors since they can use it to architect and implement fake versions of the app. Further, they can study the API requests/responses and quickly build a script which generates API sequences which are indistinguishable from genuine mobile app traffic. It is therefore important to consider API security separately from mobile app security. An effective API protection tool must be able to verify that incoming API requests are coming from genuine mobile app instances which are operating in uncompromised runtime environments.
Attackers know that if they can get a fake app installed on your mobile device, they can manipulate your intentions as well as extracting valuable business and personal data. Preventing fake apps from entering the official app stores is probably impossible, as is stopping users from side-loading apps from other sources, but what can be done is to ensure that none of these bad apps can communicate with your backend systems.
Mobile app attestation is a highly cryptographically secure method through which an app can be proved to be a genuine instance of the original app which was uploaded into the app stores. If this proof can be passed to the backend system along with each API call, it is possible to shut out all fake apps, regardless if they came from the app stores or through side-loading.
Penetration testing regularly exposes vulnerabilities by simulating potential attacks on your application to identify loopholes before hackers gain access to them. The best practice is to work with an external pentester because they're less familiar with your systems and can independently identify flaws more effectively.
There are two pentesting methods:
The best defensive tool against app impersonations protects user information as well as your APIs so you can focus on building better features and growing your platform. Approov integrates into your iOS or Android mobile app by installing an SDK that interacts with a cloud service which can verify the app’s authenticity. A short (~5 minute) lifetime token is passed to your API backend to prove that the API request is from a genuine source and meets all the runtime requirements. Thus every transaction is checked against a security policy that you define, providing an end-to-end security process for your app and your APIs. For more information on mobile app protection, sign up for a free trial of our API protection solution today.