As mobile devices become increasingly common in the workplace, so do attacks targeting mobile apps. According to Check Point's 2021 cyber security study, 46% of organizations had at least one employee download a malicious mobile application that threatened corporate networks and data. What is mobile app shielding, and how can it help protect businesses that rely on mobile apps?
One of the attack vectors that is becoming more common is reverse engineering, and it is a serious threat to businesses and consumers alike. Here is how it works:
First, attackers take an existing app and work out how it behaves, for example the relationship between actions in the UI and the API requests the app generates.
Then they reverse-engineer the code and design, looking for API keys and other hard-coded secrets, and in fact for any weakness they can exploit.
Once they find a weakness, they either subvert the app's security to build a modified (fake) app that serves their purpose, or they use what they have learned to write a script that impersonates genuine app traffic and talks directly to the API.
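The following is an added example, not code from the original post, that walks through the static half of this attack and then the direct-to-API replay of the last step. The "APK" is a constructed zip (a real package holds compiled DEX, but a string constant is still stored as a plain byte run inside it), the key and the backend are constructed stand-ins, and the secret-matching patterns are illustrative rather than a complete list.

```python
import io
import json
import re
import threading
import zipfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample key; not a real credential.
SAMPLE_KEY = "sk_live_0123456789abcdefABCDEF01"

# Illustrative patterns: a vendor-prefixed key format and a "named secret followed by a
# long token" shape. Real scanners carry hundreds of these.
SECRET_PATTERNS = {
    "prefix-formatted key": re.compile(rb"\b(?:sk|pk)_(?:live|test)_[0-9A-Za-z]{24}\b"),
    "named secret": re.compile(rb"(?i)(?:api[_-]?key|secret|token)\W{0,5}([A-Za-z0-9_\-]{16,})"),
}


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with resources and a 'classes.dex' that
    carries the key as a string constant next to the header name the app sends it in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml",
                    '<resources>\n  <string name="app_name">Demo</string>\n'
                    '  <string name="api_base">https://api.example.com/v1</string>\n</resources>\n')
        dex = (b"dex\n035\x00" + b"\x00" * 32 + b"X-API-Key\x00"
               + SAMPLE_KEY.encode() + b"\x00" + b"\x00" * 16)
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML stub
    return buf.getvalue()


def scan_package(apk_bytes: bytes):
    """Walk every entry of the package and regex-scan its raw bytes for secret-looking
    strings. Returns (entry, pattern label, value) tuples, de-duplicated per entry/value."""
    findings, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            for label, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(data):
                    value = m.group(m.lastindex or 0).decode("ascii", "replace")
                    if (name, value) not in seen:
                        seen.add((name, value))
                        findings.append((name, label, value))
    return findings


class _FakeApi(BaseHTTPRequestHandler):
    """Constructed backend. Like many real APIs it authenticates the *app* with a static
    key, so whoever holds the key is indistinguishable from the genuine app."""
    expected_key = SAMPLE_KEY

    def do_GET(self):
        if self.headers.get("X-API-Key") == self.expected_key:
            body = json.dumps({"account": "demo", "balance": 1234.56}).encode()
            self.send_response(200)
        else:
            body = b'{"error":"unauthorized"}'
            self.send_response(401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_api() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), _FakeApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def replay_as_app(base_url: str, api_key: str) -> int:
    """The attacker's script: calls the API directly with the harvested key and the
    headers the genuine app sends. No app-side protection is ever exercised."""
    req = Request(base_url + "/v1/account",
                  headers={"X-API-Key": api_key,
                           "User-Agent": "DemoApp/3.2.1 (Android 13)"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


if __name__ == "__main__":
    found = scan_package(build_sample_apk())
    for entry, label, value in found:
        print(f"{entry}: {label}: {value}")
    key = next(v for _, _, v in found if v.startswith("sk_live_"))
    srv = start_fake_api()
    url = f"http://127.0.0.1:{srv.server_port}"
    print("replay with harvested key ->", replay_as_app(url, key))
    print("replay with wrong key     ->", replay_as_app(url, "nope"))
    srv.shutdown()
```

The scan works on raw bytes rather than decoded text on purpose: compiled code, resource tables and binary XML are not valid UTF-8, but the secrets inside them are still contiguous ASCII runs.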
This type of attack is especially dangerous because it can be hard to detect until it is too late, and because in some cases it bypasses the app completely, negating any protection you have built into it. That is why it is essential to be aware of these approaches and to take steps to protect yourself.
Challenges with App Hardening Protection Techniques
There are a few app hardening techniques that you can apply to protect your mobile app from reverse engineering, such as obfuscation and encryption, which make it harder for attackers to expose the app's logic and to access API keys and other secrets. These techniques are worthwhile, but they are not perfect, and they suffer from the following challenges:
Attackers can reverse-engineer almost all code: Given enough time, almost any code can be reverse-engineered. Hardening tools raise the cost of the exercise and encourage the attacker to move on to an easier app; they do not make it impossible. Further, if an attacker uses a dynamic hooking tool to attach to the running app process, the secrets are exposed at the moment they are decrypted or de-obfuscated in memory, however well they were hidden at rest.
Device and channel integrity: Mobile devices are inherently less trustworthy than servers, and the channel between the app and the API is exposed to the network the device happens to be on. Since the app and the device it runs on are remote and outside the organization's control, neither can be trusted by default. This makes it harder to protect data in transit from the app to the server against man-in-the-middle attacks, and to confirm that the app is genuine and running on an uncompromised device.
Attack surfaces are different for mobile: Mobile apps have a significantly different attack surface from server-side or web applications, because they carry a lot of sensitive business data and logic and can be downloaded and studied by anyone. Security best practices borrowed from server and web applications therefore do not transfer directly; mobile has unique challenges that require dedicated security solutions.
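The first challenge above, that obfuscation protects a secret at rest but not once the app decodes it at runtime, is shown below in an added example that is not code from the original post. The "hardening" step is a simple XOR with a build-time pad (real tools do more, but the property demonstrated is the same), the secret is constructed, and the hook is a plain Python wrapper standing in for what a tool such as Frida does when it attaches to the live process and intercepts a function's return value.

```python
import hashlib


def harden(secret: bytes) -> tuple[bytes, bytes]:
    """Build-time obfuscation: ship secret XOR pad plus the pad. The plaintext never
    appears in the package. The pad is derived deterministically here so the demo is
    repeatable; a real tool would pick it per build."""
    pad = hashlib.sha256(b"constructed-build-pad").digest()  # 32 bytes
    assert len(secret) <= len(pad)
    blob = bytes(s ^ p for s, p in zip(secret, pad))
    return blob, pad


class HardenedApp:
    """Stand-in for the shipped app: it only holds the obfuscated blob and the pad and
    reconstructs the key at the moment it needs to put it in a request."""

    def __init__(self, blob: bytes, pad: bytes):
        self._blob = blob
        self._pad = pad

    def _get_api_key(self) -> bytes:
        return bytes(b ^ p for b, p in zip(self._blob, self._pad))

    def request_headers(self) -> dict:
        # The key exists in memory only for the duration of this call.
        return {"X-API-Key": self._get_api_key().decode()}


def static_scan(package: bytes, secret: bytes) -> bool:
    """The at-rest check an attacker performs on the package bytes: is the key present
    verbatim? Obfuscation is meant to make this return False, and it does."""
    return secret in package


def hook_method(obj, name: str, captured: list):
    """Runtime hook in the spirit of Frida's Interceptor.attach onLeave: replace the
    method on the live object with a wrapper that records every return value and then
    hands it back unchanged, so the app keeps working and notices nothing."""
    original = getattr(obj, name)

    def wrapper(*args, **kwargs):
        result = original(*args, **kwargs)
        captured.append(result)
        return result

    setattr(obj, name, wrapper)


def demo(secret: bytes = b"sk_live_0123456789abcdefABCDEF01"):
    """Returns (found_at_rest, values_captured_at_runtime)."""
    blob, pad = harden(secret)
    package = b"dex\n035\x00" + blob + b"\x00" + pad      # what ships in the app
    found_at_rest = static_scan(package, secret)          # False: hardening worked
    app = HardenedApp(blob, pad)
    captured: list[bytes] = []
    hook_method(app, "_get_api_key", captured)            # attacker attaches
    app.request_headers()                                 # app does its normal thing
    return found_at_rest, captured                        # (False, [secret])


if __name__ == "__main__":
    at_rest, runtime = demo()
    print("key found in package at rest:", at_rest)
    print("key captured by runtime hook:", runtime)
```

The two results side by side are the point: the same obfuscation that defeats the static scan is irrelevant to the hook, because the app has to undo it before the key is usable. Defences against this class of attack therefore need to detect or refuse to run in an instrumented process, or avoid having a long-lived static secret in the app at all.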