How to be sure that your mobile app is not a gift for cybercriminals
In today’s technology-obsessed world, mobile apps are taking over our lives. According to comScore’s 2017 Cross Platform Future in Focus report, the average person spent 2 hours and 51 minutes on their smartphone every day and 90% of this time is spent in apps.
With the rising popularity of mobile apps, it is worth it for every business to have one. Regardless of what business you do, mobile apps are useful in reaching new customers and keeping in contact with the old ones, they help to increase customer loyalty and improve brand visibility.
Cyberthreats to your businesses, a 5Pro Software’s View
However, any technology has a flip side. Researches show that cyber thieves have become more sophisticated and the cybercrime industry is rapidly growing.
As a security professional company with more than twenty years’ experience in the industry, we at 5Pro Software can assert that it doesn’t matter whether you are a small or a big enterprise – everyone can become a victim of cyber attacks. Here are several companies that experienced recent security breaches, which compromised their customers’ sensitive information:
Starbucks App users were getting hundreds stolen from their bank accounts. The Starbucks mobile app lets customers pay at checkout with their phone.
The app can also reload Starbucks gift cards by automatically drawing funds from bank account, credit card or PayPal. Criminals were siphoning money from Starbucks customers by breaking into their Starbucks accounts online, adding a new gift card, and transferring funds over [link].
Tesco Bank has revealed that the «unprecedented» attack on its online accounts at the weekend resulted in the loss of £2.5m. It has been revealed weaknesses in the bank’s mobile applications left the door open for cybercriminals to take customers’ money [link].
Zomato, an online restaurant discovery and food delivery service, has suffered a security breach with over 17 million user records stolen from the food-tech company’s database. The stolen information has email addresses and hashed passwords of customers [link].
These examples are just a few of the thousands of cyberattacks that occur each year around the world and affecting millions of customers. However, it seems that for many businesses, security is still an afterthought. As a proof of this, a lot of apps was hacked by WhiteHat Security firms. Here are several examples which show how unsecured remote systems are:
Last year, a British seсurity firm, Pen Test Partners LLP, managed to remotely hack the Mitsubishi Outlander through a malicious wifi hotspot [link].
Such a hack gives criminals total control of the vehicle. And Mitsubishi is not only one! Researchers revealed more bad news for connected cars: eight vulnerabilities spotted in Subaru WRX STI app [link], Hyundai Motor America patched its Blue Link Mobile application for several vulnerabilities [link].
Furthermore, the University of Michigan, in collaboration with Microsoft tested Samsung’s SmartThings platform, a networked home system that’s in hundreds of thousands of homes. What they found allowed them to develop four attacks against the SmartThings system. Upon Investigating the 499 SmartApps, they found that more than half of them had at least some level of privilege they considered overbroad, and that 68 actually used capabilities they weren’t meant to possess [link].
Ken Munro, a cybersecurity researcher, has claimed that an app that lets Aga cooker owners remotely control their ovens could be hijacked by hackers. The problem affects the way the mobile app communicates with the cookers. Munro found this system can easily be hijacked, letting hackers send messages to Agas not belonging to them in order to turn them on or off [link].
Why do cyberattacks happen? Top 3 myths companies believe
The most common mistakes by companies in cybersecurity lie in their approach. A study by IBM & The Ponemon Institute shows that, 50% of those that develop mobile apps do not allocate any budget at all to testing the apps for security vulnerabilities [link].
According to recent studies, only 5.5% of the company’s annual budget on mobile app development is allocated to mobile app security [link].
Myth #1: We are secured cause we have the best developers
Many companies also believe that having a good development team is key to success.
Definitely, the security should be an integral part of development process, but we should divide these two categories, developers –
If the whole cybersecurity budget lies in the hands of IT, it’s likely that they will fully invest in tools, then solely rely on those tools for information security.
Myth #2: We are too small to be hacked
Too many assume that their business is too small to be attacked or vulnerable, but cybercrimes can be targeted and they can also be blanketed in approach.
A cyberattack on a smaller enterprise is unlikely to get anywhere near the level of publicity garnered by the hacking of a multinational corporation, but this doesn’t mean there aren’t many successful attacks against small firms on a daily basis.
If you are SME and your app handles personal or sensitive user data or functions, which allow to do some manipulations on the phone – you are a coveted prize for
Why? That’s simple: it takes less time and less skill to hack you.
Myth #3: We don’t have important information or sensitive data. Why should we worry?
Another myth in which more companies trust is that they are not interesting to hackers, because they don’t have sensitive information.
But, please, remember that through the app cybercriminals can get access to your backend server. Often, backend APIs and interfaces for mobile apps are developed chaotically with poor security design. In such cases, a mobile app is used as the key to more damaging backend/cloud attacks.
From our experience, there was a case with a big audit company that was a victim of cyber criminals. The company’s application allows to plan and book meeting and events. The app was hacked and through backend servers hackers received access to the company’s clientele database.
Unfortunately, these false beliefs stand in the way of taking measures to protect the mobile application. Neglecting security, you pack your app in vulnerabilities wrapping paper, which hackers love the best.
More threats to businesses?
The biggest mistake that a company can make in regards to cybersecurity is not taking the situation seriously. When nobody is paying fines everybody is relaxed.
However, as you may know, in 2018 EU GDPR starts to operate. Under this regulation the company owner of a mobile app will face a penalty up to 4% of its annual turnover, if the mobile app is hacked and third parties gain access to personal data of users.
Organizations have many reasons for taking a proactive approach to address information security concerns. Those who are aware how big this risk is order GDPR data flow audit, but it does not have anything in common with Penetration testing. Only a complete Pen test can show the severity of the problem.
What is the most vulnerable in your app? a 5Pro Software’s top
Our Penetration tests show that one of the biggest issues is low security awareness among mobile app developers. Lack of basic security hygiene has been identified in the course of performing most of the tests.
For example, one of the well-known apps under test contained a confidential API document included in the app bundle just by mistake.
Furthermore, approx. 90% of the app tests performed in 2016 failed to pass basic security tests, namely the OWASP Mobile Top 10 Checklist.
Based on 5Pro Software’s Pentesting in 2016, Top 3 technical security issues are:
1. Lack of anti-reverse-engineering protection
In 35% of security audits performed, lack of binary protection allowed a potential hacker to gather a lot of intelligence, including:
- API design (for building proprietary API client/emulators)
- Flaws in authentication design
- Hardcoded secrets, comments, or even confidential documents included in the app bundle
2. Weak authentication protection
In 20% of security audits, lack of basic anti-brute-force protection allowed enumerating passwords or PIN codes. Given that many services work with PIN codes due to usability reasons, specific user accounts can be hacked within a reasonable amount of time.
3. Misconfigured backends and servers
In 25% of security audits, among other findings, the team identified multiple backend vulnerabilities, such as the use of outdated software or vulnerable components.
How to protect your application?
First and foremost, you should not consider cybersecurity a cost center but rather an added value to your business. Customers expect products and their data to be safe. In an appropriate way, a firm’s ability to provide security is becoming a key source of value.
No doubt, mobile application security can be affected through many variable means, however, these vulnerabilities can be eliminated by improving security in certain key areas. Approximately 80% of the risk facing your organization from the majority of cyberthreats can be minimized drastically by embedding basic information security practices.
Certainly, the easiest and cheapest time to fix any software errors, including security vulnerabilities, has long been understood as during development.
But what if you already have an app?
Penetration testing is a key component of a security assessment. If you want an independent first security baseline for your mobile app you can order a Quick Check, which will show you all identified major vulnerabilities. Usually at this stage many serious vulnerabilities are already found.
Mobile security and protection companies offer Quick check at a price range of € 4000 up to € 6000.
At 5Pro Software, our standard approach is to perform a Quick Check for free.
We implement a test from the hacker’s perspective – we act as hackers will act If they want to hack your application. If critical security flaws do appear, we can then support you in implementing your necessary cyber hygiene.
One more important thing to remember – you’re not done after you launch your app. Hackers work fast. Every new update should have been checked for vulnerabilities.
So, regular security audits/penetration tests are recommended for systematic maintenance of the highest security level.
What is the purpose of this Paper?
There are three main conclusions we would like you to focus your attention on:
- Almost every mobile application tested by 5Pro Software has a critical or high vulnerability.
- Lack of anti-reverse-engineering protection, weak authentication protection and misconfigured backends and servers are the biggest problem areas nowadays, with a high proportion of critical and high rated problems to be addressed.
- Investment in these areas will offer the most return on investment.
The idea is to prepare for the worst and count yourself lucky if you escape unscathed.
We at 5Pro Software are always here to help you and provide the consultancy concerning the mobile app’s security, don’t hesitate to contact us.
Are you still sure your mobile app does not have vulnerabilities? Let’s make a bet that we can find them 😉