We're Hiring!

The Mobile Attack Pyramid

Egyptian pyramids; text 'The Mobile Attack Pyramid' between two horizontal lines

Editor's note: This post was originally published in July 2021 in Cyber Defense Magazine.

A regular pyramid has 5 surfaces, 4 sloping ones and another as its base. In this article we will walk through the mobile attack pyramid, discussing each of the 5 attack surfaces and recommending best practice for protecting them.

An attack surface is the sum of all points that an unauthorized actor targets to access a mobile application's backend. A hacker's primary goal is to automate an invasion on the app's API by scanning all attack surfaces to explore vulnerabilities and collect data such as the API's keys and business logic. With this information, the attacker designs a programmed attack on the application.

There are five interlinked attack surfaces that cybercriminals target, which we outline below.

Attack Surface 1: User Credentials

Hackers steal credentials such as emails, usernames, phone numbers, IP addresses, and passwords through spoofing, phishing, and large-scale data breaches. Spoofing is where someone disguises themselves as a legitimate source to collect personal information for malicious reasons. Phishing involves sending an email that contains a harmful link or attachment that contains malware. 

Despite the best efforts to protect the login process, hackers still bypass security measures such as biometrics and 2-factor authentication using social engineering tricks to access devices and receive authentication codes. 

Another way cyber criminals steal credentials is when users log into fake applications. These apps target popular activities such as betting and gaming.

Attack Surface 2: App Integrity

A critical mobile application characteristic is the integrity of its code. Hackers attacking the integrity of a mobile app seek to do three things:

  1. Extract information they can use to launch an attack on the app's API using a different tool.
  2. Gain identity keys to reverse engineer how the API works and abuse the API's business function. Reverse engineering is the most popular way cybercriminals attack a mobile application.
  3. Transform the application into an attack tool to divert the user's payments or advertising revenue to their accounts.

To protect an application’s integrity, developers need to determine the validity of requests received at the API’s server. Such requests come from various sources such as bots, automated scripts, or manual access through your API's backend.

Attack Surface 3: Device Integrity

Rooting/jailbreaking is a common technique used by bad actors to bypass a gadget's pre-installed security features in the original version of the operating system. Some mobile device users root or jailbreak their devices for legitimate reasons. For example, a user might want to install customized applications, while others may want to load apps unavailable in the manufacturer's app store. Despite these legitimate reasons, tampering with a device's integrity exposes it to attackers because the in-built security is compromised. This weakness extends to your mobile apps now that they're running in an unprotected environment. 

Another method hackers use to attack your device's integrity is tampering with your code. During run time, they inject harmful code into the app using an instrumentation framework. These frameworks are linked to critical functions to manipulate input data, output results, modify user interactions or produce different app behavior.

To protect device integrity from such attacks, implement run-time self-defense code in your mobile app. This code detects instrumentation frameworks and also identifies rooted/jailbroken devices.

Attack Surface 4: API Channel Integrity

In most cases, channel integrity is compromised when the communication channel between the mobile app and API is exposed through public Wi-Fi connections. This channel is the primary attack surface that bad actors target. Despite applying TLS/SSL protocols to encrypt internet traffic for secure connections, bad actors can still use Man-in-the-Middle (MitM) attacks between the mobile app and the API server to steal data and read API queries/responses.

The primary purpose of MitM assaults is to hoodwink clients and the server that they're communicating with – in reality, a third actor is impersonating both ends of the channel. Hackers apply MitM tactics to research the communication channel between a client and the API's server to determine which attack strategy applies. Channel avenues that hackers research to apply MitM attacks include:

  • Understanding API protocols in use to extract code to impersonate authentic traffic rhythms.
  • Obtaining API keys in transit to insert scripts to convince the server that the communication is coming from genuine client interaction. 
  • Extracting user credentials or authentication tokens in transit to embed them in scripts that persuade the server that the communication is from a trusted user.
  • Manipulating transaction requests made through the API such that the action requested from the server is different from that initiated by the remote client.
  • Exposing API vulnerabilities, e.g. Broken Object Level Authorization (BOLA), to exploit them to access information not typically available to a given user.

To protect your channel's integrity, certificate pinning is best practice because it makes traffic interdiction much more difficult. A step beyond TLS, certificate pinning is used to further lock down the connection.

Part of the TLS protocol requires the presentation and checking of public keys between the mobile app and the backend server or endpoint. These keys or certificates are accepted by the mobile device if signed by a recognized Certificate Authority (CA) and if that authority exists within the device's CA trust store. Any MitM tool, such as mitmproxy, will present its own key to the mobile app which will not be accepted since it is not signed by a CA which is contained in the mobile device’s trust store.

With pinning in place, the supplied key needs to be signed by a CA in the mobile device’s trust store AND it needs to match one of the set of certificates which are encoded into the app itself. For the hacker, this means that the app needs to be modified to change the stored certificate set.

Attack Surface 5: API and Service Vulnerabilities

There are three common goals a hacker looks to achieve when they target an API with an automated tool:

  • Login system attacks – Attackers apply brute methods such as credential stuffing to test stolen credentials and their validity on the API. If they work, these credentials are utilized to access API information.
  • Data theft – Cybercriminals also use APIs to steal personal data from user accounts such as files, photos, and credit card information. Theft is done through data scraping, exploiting BOLA and any other vulnerability to manipulate personal identity data. 
  • Denial of Service (DoS) – A DoS attack targets the availability of the endpoints to render them unusable for genuine requests by overloading the API endpoint with malicious API requests, thereby making the mobile app go offline. 

Approov is a leading mobile API security service that helps organizations establish safe interactions for their mobile applications. To find out how we can help you protect your customers and build trusted business channels, contact us today or sign up for a free demo.

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.