Why adopting security measures is now an imperative and not a choice for all the enterprises developing Mobile Apps
Apple’s App Store distributes over two million apps. Google’s Play Store has a stash over almost four million apps. And while the majority of developers have good intentions there are some who, either intentionally or accidentally, create significant security issues for end users and the companies who rely on those apps.
Perhaps the most common way in which user data is compromised is through apps that have permissions they don’t really need. Thanks to the Cambridge Analytica scandal that hit Facebook earlier this year, the importance of understanding app permissions is well and truly in the public consciousness. And that means developers need to be more aware of what they are asking users to hand over in order to use applications.
Some of those permissions are obvious to users. For example, if an app asks for access to location data and you can’t see a good reason for providing that information then you can make a decision to either deny the application access to that data or to not install the application at all. The trouble is, on a modern smartphone that may have dozens of apps installed, controlling permissions for microphones, cameras, GPS radios and personal information can become complex.
Adding to the challenge is research that demonstrates, clearly, that seemingly harmless data can even be used for unintended purposes.
Researchers from CSIRO’s Data 61 division have been able to identify users based on how they tap, swipe and even hold a smartphone. Touch-based tracking was used to identify individual users who shared a single device with a success rate of more than 90%. An app capturing that data could correlate it with personal information to give someone significant insight into how a device is used. (Reference: Touch and You’re Trapp(ck)ed: Quantifying the Uniqueness of Touch Gestures for Tracking, Proceedings on Privacy Enhancing Technologies ; 2018 (2):122–142)
Controlling access to the data an app can access is only one side of the coin. Even if an app uses data for one purpose, it is possible for that data to then be used again. This was a significant issue recently revealed by the developers of a firewall tool called Guardian App (https://guardianapp.com/ios-app-location-report-sep2018.html).
A recent technology report found 90% of apps surveyed had at least two of the Open Web Application Security Project (OWASP) top ten major security risks. Half of all businesses don’t allocate a separate budget for mobile app security.
When it comes to mobile app malware, one of the most potent vectors used by threat actors is app imitation. For example, one canny malware maker created an enhanced camera app that purported to take better pictures. And, as a camera, it asked for seemingly legitimate access to the camera and microphone. But buried in the app was the ability for those devices to be activated remotely by SMS and send the recordings to an FTP server. And the software was smart enough to ensure those messages were invisible to the user.
That allowed the bad guys to record and film users without being detected.
Other mobile malware targets personal information and there are key-loggers and other tools that allow criminals to collect data that can be used for financial gain.
The good news is developers and users are increasingly aware of the challenges. Developers are aware of the importance of using encryption and users are being more thoughtful about what permissions they allow apps to have.
Gartner’s Laurence Goasduff recently said relying on client-side checks is not enough. It’s imperative that app permissions are locked down, applications are hardened and that companies look for third-party expertise for security development and testing. And this needs to happen hand-in-hand with better user education.
This is especially important as, for many people, smartphones and their larger sidekicks, tablets, have become a quick replacement for a laptop. And while the apps on smartphones are different to their desktop and laptop counterparts the rise in functionality wasn’t matched in security terms.
For enterprises developing mobile apps, it’s imperative to choose development and deployment platforms that minimise the risks of data being leaked. For example, Quixxi Security assesses applications and lets you conduct penetration testing. It also ensures malware can’t access your or the data they handle by putting a secure encryption wrapper around applications. Assumptions are killers when it comes to security. Developers can’t assume perfect user behaviour it’s better to put a lock on the application door than just assuming people will not break in.
Quixxi Security Scan assesses applications so you understand what vulnerabilities they have, allowing developers to improve their app so it has as few vulnerabilities as possible. Quixxi Security Shield puts a secure encryption wrapper around applications so malware can’t access them or the data they handle. So, while your applications work as intended, your app becomes impervious to attack by even the most committed of attackers. Quixxi Security Sight is a suite of tools that helps you manage mobile application licensing as well as tracking how applications are used once deployed to the app store and downloaded by users. Quixxi Sight even allows a security assessment of the security status of the mobile device, including scanning the device for Malware – from inside your shielded App.