
Mobile App Security Myths


Mobile app usage has grown significantly in recent years, and with this growth comes an increased need for mobile app security. Unfortunately, many mobile app developers hold misconceptions about mobile app security, which can lead to a false sense of security and, in turn, to breaches and compromises of sensitive information.

We will cover a range of myths, including the belief that mobile app stores guarantee secure apps, that only Android apps are vulnerable, that iOS is completely secure, and that using HTTPS to call the API backend is enough to secure a mobile app. We will also look at the myth that only popular, public-facing apps require security measures, and the belief that only rooted or jailbroken devices are a concern.

In this blog post, we will explore these common myths surrounding mobile app security and provide a more comprehensive understanding of the truth behind them. By debunking these myths, we hope to increase awareness of mobile app security and promote best security practices for mobile app developers to achieve robust and resilient mobile applications in terms of security. The order in which they are presented below does not carry any significance, so let's examine and debunk some of the most common myths.


Myth #1: Only popular apps are targeted by hackers

Explanation

There is a belief among some developers that only popular mobile apps are targeted by hackers. The reasoning behind this myth is that hackers go after mobile apps that have a large user base because they offer a greater potential payoff in terms of sensitive data or financial gain. However, this is not entirely true.

Discussion

Although popular mobile apps are targeted often, less popular apps are not immune. Some attackers specifically target less popular apps precisely because they tend to have weaker security measures in place, which makes them easier to exploit. It's called going after the low hanging fruit: would you rather pick the orange at the top of a tall tree?

Reality

For example, in 2017, a group of researchers from the University of Michigan found that several Android apps contained security flaws that could allow attackers to remotely access user data, including email addresses and location information.

Furthermore, hackers are always on the lookout for new and emerging mobile apps that may have a security weakness. This means that even mobile applications with a small user base can be targeted by attackers, especially if they deal with sensitive information like financial data, healthcare information, or personal details.

Conclusion

Keeping security in mind is crucial while designing mobile applications, irrespective of their popularity. While popular apps may be targeted more frequently, less popular apps are still vulnerable. Developers should prioritise security throughout the development process regardless of their app's popularity. Don't be the developer who says (a real quote from someone I know): “Who would want to hack us?”


Myth #2: Only Android apps are vulnerable to security issues

Explanation

There is a widespread belief among developers that security issues only affect Android apps. The idea that Android is more susceptible to security breaches than iOS stems from the belief that Android's open-source nature makes it more vulnerable than iOS, which is a closed-source operating system. Nonetheless, this is not entirely accurate.

Discussion

While Android apps have historically been targeted more frequently, largely because of the platform's market share and its more open distribution model, iOS apps are not immune to security issues. Both Android and iOS apps can be vulnerable, and each platform has its own set of weaknesses.

Reality

For example, in this article from 2019 we can read that Zerodium, an exploit broker, was offering more for a full zero-day exploit chain targeting Android than for one targeting iOS, the first time this had happened. The same article mentions that during 2019 researchers worldwide found and sold so many iOS exploits, specifically Safari and iMessage chains, that the market for iOS zero-days became saturated and Zerodium had to refuse some of them. In contrast, Android security was improving with each new release, largely through the efforts of Google's and Samsung's security teams, which made it increasingly difficult and time-consuming to find full exploit chains for Android, and harder still to find zero-click exploits that require no user interaction.

On the other hand, Android apps are often targeted because of the prevalence of third-party app stores and because Android users can sideload apps from outside the official Google Play Store, which makes it easier for attackers to distribute malicious apps to Android users.

Conclusion

It's important to remember that both Android and iOS apps can be vulnerable to security issues. While each platform has its own set of weaknesses, developers should prioritise security in their development process regardless of the platform and its perceived security. Don't be the developer who limits the security of their mobile applications based on marketing claims from OS vendors and device manufacturers. Do your due diligence and go above and beyond in terms of mobile app security.


Myth #3: Mobile App stores guarantee the security of their apps

Explanation

There are developers who hold the belief that mobile app stores, such as the Google Play Store or Apple's App Store, guarantee the security of the apps they distribute. The assumption behind this myth is that app stores have strict security policies in place, which should ensure that all apps available for download are safe and free from malware. Nevertheless, this is not entirely true.

Discussion

While app stores have security measures in place, they do not guarantee the security of all apps available for download. In fact, there have been several instances where malicious mobile apps have made their way onto app stores, despite the security measures in place.

Reality

For example, in 2019 several Android apps on the Google Play Store were found to contain adware that served intrusive ads and sent data about the user's device back to the attackers. The apps had been downloaded over 8 million times since July 2018 before Google removed them from the Play Store.

Similarly, in 2019, 17 iOS apps were removed from the App Store after Wandera's research team (now part of Jamf) discovered they were infected with clicker trojan malware. The clicker trojan module performed ad-fraud tasks, such as clicking links or opening web pages without user interaction, with the goal of generating revenue for the attacker through pay-per-click schemes or draining a competitor's ad budget.

Conclusion

In conclusion, app stores do not guarantee the security of all apps available for download. While they have security measures in place, malicious apps can still make their way onto them. Developers should take responsibility for their own mobile app security by prioritising it during the whole development life cycle. Also, don't treat security as fire and forget, or the bullet may ricochet and hit you later.


Myth #4: Only jailbroken or rooted devices are at risk

Explanation

The belief that only jailbroken or rooted devices are vulnerable to security threats is held by many developers. The rationale for this misconception is that only the act of jailbreaking or rooting a device circumvents the device's built-in security features, thereby exposing it to potential attacks.

Discussion

Although jailbreaking or rooting a device removes built-in security features and leaves the device more exposed, non-jailbroken and non-rooted devices are still at risk.

In fact, many security threats affect rooted and jailbroken devices and stock devices alike. These threats include malware, phishing attacks, and network attacks.

Reality

For example, in 2020 a new Android malware family called EventBot was discovered. It was designed to steal sensitive user information, such as banking credentials and other financial data, without the device needing to be rooted.

Similarly, phishing attacks work on rooted, jailbroken and stock devices alike, tricking users into revealing sensitive information such as usernames and passwords by posing as legitimate websites or apps.

Conclusion

Jailbroken or rooted devices are not the only ones at risk. While jailbreaking or rooting a device removes built-in security features and leaves it more exposed, stock devices are still susceptible to security threats. Developers should take steps to detect when their app is running on such devices and respond accordingly, but must also protect the app in all cases anyway.


Myth #5: iOS is completely secure, so you don't need to worry about security on iPhones.

Explanation

The reasoning behind this myth is that Apple has a reputation for prioritising security and privacy in its products, and that iOS is a closed system that is less vulnerable to security threats than open systems like Android. Moreover, Apple has a reputation for stricter app review policies than Google Play. The App Store review process is designed to ensure that all apps available for download are safe and free from malware. However, the process is not perfect, and malicious apps have repeatedly slipped through it.

Discussion 

In spite of iOS being generally considered to be more secure than Android, it is not completely secure. Hackers and other malicious actors are constantly looking for vulnerabilities in iOS that they can exploit. In fact, there have been several high-profile security incidents involving iOS devices in recent years.

Reality

For example, in 2016 the UAE human rights activist Ahmed Mansoor received text messages containing a link that, had he tapped it, would have used a chain of three zero-day iOS vulnerabilities (previously unknown bugs) to install NSO Group's Pegasus spyware on his iPhone. He did not tap it; instead he forwarded the messages to Citizen Lab, whose analysis together with Lookout uncovered the exploit chain and led Apple to patch it in iOS 9.3.5. Pegasus has continued to evolve since, with later versions targeting iOS up to 14.7 and Android as well. You can read more about it on the Wikipedia page for the Pegasus spyware.

Similarly, in 2019 Google's Project Zero published its analysis of a series of exploit chains found in the wild. Earlier that year, Google's Threat Analysis Group (TAG) had uncovered a small collection of hacked websites being used to launch indiscriminate watering hole attacks on their visitors using iPhone zero-day exploits. These attacks did not target specific individuals: simply visiting one of the hacked websites was enough to trigger an exploit that could install a monitoring implant on the user's device. It is estimated that these sites received thousands of visitors per week. During the investigation, TAG collected five separate, complete and unique iPhone exploit chains covering almost every version from iOS 10 through to the then-latest iOS 12, which suggests that the group behind the attacks had been making a sustained effort to compromise iPhone users in specific communities for at least two years.

In another example, in 2020 Apple fixed a vulnerability that allowed attackers to execute malicious code remotely on a user's device when it received a simple text message acknowledging the delivery of an iMessage. The vulnerability had been present in iOS for several years and affected all versions of the operating system from 12.4.1 up to the release of 13.2.

Although Apple is generally quick to patch vulnerabilities once they are discovered, there is always a risk that a zero-day exploit is used to compromise an iOS device, which highlights that even well-designed operating systems like iOS are not completely secure. Additionally, developers must be aware that users can still inadvertently compromise their iOS devices by installing malicious apps that made it through Apple's vetting process, or by clicking on phishing links, and that such a compromise may or may not end up affecting the developer's own app.

Conclusion

While iOS is generally considered to be more secure than Android, it is not completely secure. Developers should be aware that there is always a risk of zero-day exploits being discovered and should take steps to minimize the risk of being targeted by hackers on their mobile apps.


Myth #6: Using HTTPS to call the API backend is enough to secure a Mobile App

Explanation

A common misconception exists among developers who believe that their mobile app is secure because they use HTTPS to call the API backend. The thinking behind this myth is that HTTPS is a secure protocol that encrypts data in transit and protects against eavesdropping and man-in-the-middle attacks. However, this is not entirely true.

Discussion

Though HTTPS is an important security measure, it does not guarantee the security of a mobile app on its own. HTTPS only protects the data in transit between the app and the API backend. It does not protect against other types of security threats such as vulnerabilities in the app's code, attacks to instrument the mobile app code at runtime, and others.

Reality

For example, in 2019 Check Point researchers found that the Guard Provider app, developed by Xiaomi to protect its users against malware, ironically posed a security risk itself. Because the app's network traffic was sent unencrypted and because it bundled several third-party software development kits (SDKs) in the same process, an attacker on the same wireless network could perform a Man-in-the-Middle (MitM) attack against it.

Similarly, if an app negotiates an obsolete TLS version or weak cipher suites, or if certificate validation is misconfigured (for example, hostname checks disabled) or the server certificate itself is compromised, an attacker may be able to carry out a MitM attack and intercept or modify the data in transit.

Furthermore, even when the app uses a current TLS version and a properly configured, uncompromised certificate, an attacker who controls the device can still intercept the HTTPS traffic with a MitM proxy, by installing their own CA certificate on the device, as shown in the article How to MitM Attack the API of an Android App. This lets the attacker extract sensitive data such as usernames, passwords and credit card details, and learn exactly how the mobile app talks to the API backend, whether to build a bot for it or simply to craft manual requests that look as if they were made by the app itself.
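As an added example (not code from the original post or from the linked article), here is the check that defeats the proxy-based interception described above: certificate pinning, where the app compares the SHA-256 hash of the server certificate's SubjectPublicKeyInfo (SPKI) against a pin shipped inside the app, so a proxy certificate is rejected even when the device has been made to trust the proxy's CA. The script builds the certificates in-line as X.509 DER skeletons with dummy signatures so that it runs offline; the hostname api.example.com, the keys and the serial numbers are constructed assumptions. Pinning on the SPKI rather than on the whole certificate is what lets the server renew its certificate with the same key without breaking the app.

```python
"""SPKI pin computation and verification (the 'sha256/...' pin format used by
Android's network security config and OkHttp). Added example; the certificates
below are constructed test vectors with fake signatures, not real certificates."""
import base64
import hashlib

# --- minimal DER encoder, enough to build the certificate skeleton -----------
SEQ, SET, BITSTR, NULL, OID, PRINTABLE, UTCTIME = 0x30, 0x31, 0x03, 0x05, 0x06, 0x13, 0x17


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a single-byte tag and definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value: int) -> bytes:
    """DER INTEGER is two's complement, so a leading 0x00 is needed when the high bit is set."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der(0x02, b)


OID_RSA = der(OID, bytes.fromhex("2a864886f70d010101"))         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = der(OID, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
OID_CN = der(OID, bytes.fromhex("550403"))                      # 2.5.4.3 commonName


def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING(RSAPublicKey) }."""
    rsa_pub = der(SEQ, der_int(modulus) + der_int(exponent))
    return der(SEQ, der(SEQ, OID_RSA + der(NULL, b"")) + der(BITSTR, b"\x00" + rsa_pub))


def make_cert(cn: str, spki: bytes, serial: int) -> bytes:
    """X.509 v3 skeleton: version, serial, sigalg, issuer, validity, subject, SPKI, dummy signature.
    Constructed for the example only; the signature is a hash of the body, not a real signature."""
    name = der(SEQ, der(SET, der(SEQ, OID_CN + der(PRINTABLE, cn.encode()))))
    validity = der(SEQ, der(UTCTIME, b"230101000000Z") + der(UTCTIME, b"240101000000Z"))
    sig_alg = der(SEQ, OID_SHA256_RSA + der(NULL, b""))
    tbs = der(SEQ, der(0xA0, der_int(2)) + der_int(serial) + sig_alg + name + validity + name + spki)
    fake_sig = der(BITSTR, b"\x00" + hashlib.sha256(tbs).digest())
    return der(SEQ, tbs + sig_alg + fake_sig)


# --- the pinning side: walk the DER, pull out the SPKI, hash it, compare ------
def der_children(buf: bytes) -> list[tuple[int, bytes, bytes]]:
    """Split a constructed DER body into (tag, body, whole_tlv) triples."""
    out, i = [], 0
    while i < len(buf):
        tag, length, hdr = buf[i], buf[i + 1], 2
        if length & 0x80:                      # long-form length
            nb = length & 0x7F
            length = int.from_bytes(buf[i + 2:i + 2 + nb], "big")
            hdr = 2 + nb
        out.append((tag, buf[i + hdr:i + hdr + length], buf[i:i + hdr + length]))
        i += hdr + length
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = der_children(cert_der)[0]   # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_children(cert_body)[0]   # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_body)
    idx = 6 if fields[0][0] == 0xA0 else 5        # v1 certificates omit the explicit [0] version
    return fields[idx][2]


def spki_pin(cert_der: bytes) -> str:
    """Pin string as Android's <pin digest="SHA-256"> and OkHttp expect it."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pins: set[str]) -> bool:
    """The check an app runs after normal chain validation: is the leaf's key one we shipped?"""
    return spki_pin(cert_der) in pins


# Constructed keys: the API server's key and a MitM proxy's key issued for the same hostname.
SERVER_SPKI = rsa_spki(int.from_bytes(bytes(range(1, 129)), "big"))
PROXY_SPKI = rsa_spki(int.from_bytes(bytes(range(128, 0, -1)), "big"))
SERVER_CERT = make_cert("api.example.com", SERVER_SPKI, serial=1001)
RENEWED_CERT = make_cert("api.example.com", SERVER_SPKI, serial=1002)  # re-issued, same key
PROXY_CERT = make_cert("api.example.com", PROXY_SPKI, serial=7)        # proxy CA's leaf, new key
PINS = {spki_pin(SERVER_CERT)}

if __name__ == "__main__":
    print("pin shipped in the app:", spki_pin(SERVER_CERT))
    print("renewed server cert accepted:", pin_matches(RENEWED_CERT, PINS))  # True
    print("MitM proxy cert accepted:", pin_matches(PROXY_CERT, PINS))        # False
```

Two caveats a practitioner should keep in mind. First, pinning protects the channel only while the app's own code is intact: an attacker who instruments the app at runtime on a device they control can hook the pinning check itself, which is why the backend cannot rely on the channel alone to decide whether it is talking to a genuine app. Second, ship a backup pin for the next key before rotating, otherwise a key change locks every installed app out of the API.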

Similarly, if the backend server is not locked down so that it serves only genuine instances of the mobile app, an attacker can use what they learned from the MitM attack to access the backend directly, abuse the app's functionality, or simply extract data from it.

In addition, there are other security threats that HTTPS does not address, such as social engineering attacks, malicious code injection, and insecure storage of sensitive data on the device.

Conclusion

Using HTTPS to call the API backend is an important security measure, but it is not sufficient to guarantee the security of the app. Developers should implement additional security measures such as secure coding practices, input validation, access control, and data encryption to ensure that their app is secure. It is also important to regularly test the app for vulnerabilities and update it with security patches to address any new security threats that may arise. You can read more about best practices for mobile app development in the article: Mobile App Security Best Practices.


Summary

Mobile app security is crucial for ensuring the protection of sensitive information and data in our increasingly connected world. Unfortunately, there are several myths and misconceptions surrounding mobile app security that can put users and their data at risk. In this blog post, we have discussed and debunked the top mobile app security myths, including the belief that iOS is completely secure, or that HTTPS guarantees the security of a mobile application.

To ensure the security of mobile apps, developers must understand the real risks and threats facing mobile apps today. This includes regularly testing the app for vulnerabilities, implementing strong authentication and authorization measures, using encryption to protect sensitive data at rest and in transit, keeping the app and its dependencies up to date, and following best practices for mobile app security, which you can do by reading our article on Mobile App Security Best Practices.

By following the best security practices for mobile apps, developers can protect their applications against security threats and ensure that mobile apps remain a safe and convenient way to access services and information on the go. It is important to stay vigilant and informed about mobile app security risks, as the landscape is constantly evolving and new threats emerge every day. Keeping up to date is not enough: to be truly vigilant, mobile app developers must have real-time visibility of the threats their apps face.

Cover photo by Martin Woortman on Unsplash

Paulo Renato

Paulo Renato is known more often than not as paranoid about security. He strongly believes that all software should be secure by default. He thinks security should always be opt-out instead of opt-in and be treated as a first-class citizen in the software development cycle, instead of an afterthought when the product is about to be finished or released.