This is the third article in a guest blog series from Intellyx. Catch up on the first article here.
Maintaining a corporate cybersecurity posture means locking down its threat surface – all points of potential compromise that ‘black hat’ hackers might use to penetrate the corporate network. Of all these points of compromise, among hackers’ favorites are smartphones and other handheld devices. Every device is an open door for hackers, as they are replete with vulnerable apps that connect to back-end services and networks.
Hacking corporate assets via smartphones is surprisingly easy. Many anti-hacking security tools are useful hacking tools themselves in the wrong hands, and familiar security approaches like TLS encryption and code obfuscation are dead simple to get around on a device the attacker controls.
Clearly, cybersecurity professionals must make a special effort to secure the devices in the hands of their employees, users, and the general public. The first step to this protection is to understand the risks.
Hacking Phones 101
Hacking individual users’ phones to steal their data or login credentials is bad enough. But the big prize for mobile device hackers is the ability to use the phone to access corporate assets, typically in the cloud.
Bad actors love to hack phones for this purpose. One of the main reasons they love handheld devices so much is that they own such devices themselves, and in most cases they can simply download and install the corporate applications on them.
Given the device is physically in the hands of the hackers, they can do what they want with it, including jailbreaking (on iPhone) or rooting (on Android). Both jailbreaking and rooting mean bypassing any vendor controls on the phone, enabling the hacker to run any apps or tools that they want.
For example, a hacker can run a tool like mitmproxy on the device to intercept its network traffic, bypassing TLS encryption and opening the corporate backend to attack.
Hackers can also reverse engineer the apps on the device. Since they have full control of the devices in their possession, it’s a simple process to poke around inside the inner workings of an app to discern any secrets it may have.
Sometimes the attackers go after other users’ phones as well. Hackers have access to numerous tools like Burp Suite and Frida that ostensibly provide security teams with the ability to test mobile device defenses – but also give bad actors all the information they need to compromise users’ devices.
It may also be possible for the bad actor to jailbreak or root other users’ devices, thus bypassing any security controls on those devices – unbeknownst to the users.
Once hackers have control of an app on users’ phones, they can interfere with the operation of that app and others, diverting ad revenues, compromising personal data, or perhaps worst of all, stealing API keys.
With stolen API keys the hackers can build scripts to attack back-end corporate services – with corporate security none the wiser.
The cybersecurity team will have implemented various protections – but they may not be up to the task of dealing with mobile device vulnerabilities.
For example, static and dynamic application security testing (SAST and DAST, respectively) are important components of any corporate cybersecurity strategy – but simply aren’t up to the task of protecting handheld devices.
Given the fact that hackers control their own devices, checking the software binaries on the device won’t slow them down. Obfuscating JavaScript also falls short because bad actors can simply run a deobfuscation tool.
Relying upon any security built into iOS or Android is also insufficient, as hackers can jailbreak or root a device – bypassing those controls and letting them install any malware they like.
It’s even possible for hackers to compromise apps as they are running by inserting malicious code at runtime – code that will bypass any tool that checks the apps before they launch.
Securing Devices – What Works
There’s only one approach that can mitigate the risks inherent in mobile devices: continuous end-to-end runtime checking.
This continuous runtime checking begins on the devices themselves. Dynamic Runtime Application Self Protection (RASP) from Approov, for example, verifies trust on the device, thus mitigating threats as they evolve in real time.
Approov continually secures the devices at runtime by managing the behavior of applications as they run (rather than looking at the software itself).
In addition, Approov continuously monitors the back-end APIs that apps interact with, as well as the network channel between the devices and back-end services running in the cloud.
Security admins and developers can also configure the level of RASP for specific applications. For example, it may be acceptable for some games to run on rooted or jailbroken phones – while a financial services app developer may want to block all modifications to the device environment.
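As an added illustration of the pattern the stolen-API-key passage and the runtime-checking passage above imply (this is example code, not Approov’s code or token format): the static key embedded in the app only identifies it, and the backend honors a request only when it also carries a short-lived, HMAC-signed attestation token that an attestation service mints after the device and app pass their runtime checks. The header names, token layout, secret and lifetime are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed illustration of the pattern: the backend trusts a short-lived token
# minted by an attestation service only after the app passed its runtime checks.
# The signing secret lives on the attestation service and the backend, never in
# the app binary, so pulling the static API key out of the app does not yield it.
ATTESTATION_SECRET = b"constructed-shared-secret-for-illustration"
STATIC_API_KEY = "embedded-api-key-anyone-can-pull-from-the-binary"  # constructed
TOKEN_LIFETIME_S = 300  # assumption: a token stays valid for five minutes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(app_id: str, now: float) -> str:
    """Attestation service side: called only after the device/app checks passed."""
    claims = {"app": app_id, "exp": int(now) + TOKEN_LIFETIME_S}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(ATTESTATION_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, app_id: str, now: float) -> bool:
    """Backend side: constant-time signature check, then app identity and expiry."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(ATTESTATION_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return False
        claims = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return False
    if not isinstance(claims, dict):
        return False
    return claims.get("app") == app_id and claims.get("exp", 0) > now

def authorize(headers: dict, app_id: str, now: float) -> str:
    """Backend policy: the static key names the app, the token proves its runtime state."""
    if headers.get("X-Api-Key") != STATIC_API_KEY:
        return "deny: unknown api key"
    if not verify_token(headers.get("X-Attestation-Token", ""), app_id, now):
        return "deny: missing, forged or expired attestation token"
    return "allow"
```

A script replaying a key lifted from the app fails the second check, and a captured token stops working once its expiry passes, which is the point of keeping the check continuous rather than one-off.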
The Intellyx Take
As with other parts of the cybersecurity landscape, mobile device security requires constant vigilance.
New threats appear daily, and the hacker community is always looking for new attacks to attempt. As a result, any mobile device protection must constantly be on the lookout for new threats, rolling out updates promptly as necessary.
It’s also important to remember that mobile device attacks are constant, dynamic, and often ingenious. Hacking tools – and security tools that turn into hacking tools in the wrong hands – are plentiful and often free.
And for every 100 junior hackers satisfied with using existing tools to target known weaknesses, there is always one expert hacker crafting new, never-before-seen attacks.
Mobile device protection, therefore, must itself be constant, dynamic, and ingenious – and Approov fits the bill.
Copyright © Intellyx BV. Approov is an Intellyx customer. Intellyx retains final editorial control of this article. No AI was used to write this article.