The concept of mobile application security is becoming an increasingly important topic, but what exactly does the topic entail and why is there so much recent interest?
In short, mobile application security consists of the methods and technology utilised in order to prevent attacks and protect applications that are running on mobile devices.
What are These Threats & Where do They Come From?
Hackers and fraudsters have started to move their focus away from targeting traditional websites and instead are beginning to focus on high-value applications that are used to make or accept online payments and access online banking portals. Studies have shown that in the second quarter of 2018, 39% of all fraudulent transactions originated from mobile applications.
This is a stark contrast to 3 years previously, when it was a mere 5%, a 600% increase. To further exemplify this, 46% of all fraud conducted in the financial services sector is believed to come from mobile applications.
Therefore, mobile application protection and security should be considered a core focus for a range of industries in order to prevent widespread fraud that has the potential to negatively impact consumer confidence across the board.
Despite this obvious need for investment in application security, the amount that has been invested thus far is only a small percentage compared to what organisations spend on their traditional approaches to cybersecurity.
In 2014 organisations invested just under $11.5 billion on firewalls, intrusion prevention systems and web gateways, compared to $500 million on application security, even though applications and the data inside them are the more valuable assets.
The intrusion landscape poses a range of risks, from sophisticated programming and hacking to identify and exploit a weakness in an app, through to something as simple as downloading a malware toolkit and targeting an app without making any direct changes to it. Numerous threats have been identified by Lookout, including:
- BancaMarStealer (also known as Marcher) – malware specially designed to phish a victim's banking credentials, access their accounts and then withdraw their money.
- Deep Attacks – increasingly sophisticated attacks that target an application's logic.
- Screen Loggers & Key Loggers – more straightforward attacks which steal sensitive information externally from the target application.
- Accessibility Framework Attacks – attacks that exploit device accessibility frameworks. Attackers increasingly use this tactic to act as the user, entering transactions and pressing buttons, for example to disable a security feature.
- Overlay Attacks – a fraudulent window is placed over a legitimate app on the device to capture and steal user credentials. This method is also used to fool the user into disabling security settings so that further attacks can take place.
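The last two items in the list have concrete, app-side mitigations on Android. The following Kotlin snippet is an added illustration written for this article, not code from Lookout or from any app the article describes. It assumes a hypothetical sensitive control (a "confirm payment" button) and a caller-supplied telemetry callback; the Android APIs it uses (View.filterTouchesWhenObscured, MotionEvent.FLAG_WINDOW_IS_OBSCURED / FLAG_WINDOW_IS_PARTIALLY_OBSCURED, AccessibilityManager.getEnabledAccessibilityServiceList) are real framework APIs.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager

// Hypothetical helper (not from any real app): harden a sensitive control such as a
// "confirm payment" button against overlay / tapjacking.
//
// With filterTouchesWhenObscured set, the framework drops touches that arrive while
// another window fully covers the view. The touch listener additionally refuses touches
// the framework flags as (partially) obscured, which it does not filter on its own
// (the "partially obscured" flag exists from API 29), and hands them to a telemetry hook
// so the event can feed fraud-risk scoring on the server side.
fun hardenAgainstOverlay(view: View, onSuspiciousTouch: (MotionEvent) -> Unit) {
    view.filterTouchesWhenObscured = true
    view.setOnTouchListener { _, event ->
        val obscuredFlags = MotionEvent.FLAG_WINDOW_IS_OBSCURED or
            MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED
        if ((event.flags and obscuredFlags) != 0) {
            onSuspiciousTouch(event)   // record for telemetry / risk scoring
            true                       // consume: the click never reaches the button
        } else {
            false                      // normal dispatch continues to the click handler
        }
    }
}

// Hypothetical risk signal for the "accessibility framework attack" case: list the
// accessibility services currently enabled on the device. Legitimate services (screen
// readers, switch access) appear here too, so the result is a signal for risk scoring
// and for analysts, never grounds to block the user outright.
fun enabledAccessibilityServiceIds(context: Context): List<String> {
    val manager =
        context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return manager
        .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { it.id }   // each id is "package/.ServiceClass"
}
```

The same overlay protection can be declared in layout XML with android:filterTouchesWhenObscured="true"; the programmatic form is shown here so the partially-obscured case and the telemetry hook are visible in one place. Both checks run on a device the attacker may control, so they reduce the easy cases and produce evidence; they do not replace server-side transaction monitoring.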
Why are Traditional Tactics not Working?
The traditional tactics and approaches to mobile application security are failing to provide the level of protection required because they rely on perimeter security, or on technologies such as anti-virus and web application firewalls.
With Host Card Emulation (HCE) and electronic wallets, applications are at greater risk because they operate outside the firewall: hackers can obtain the app and reverse engineer it to identify and exploit vulnerabilities that exist within it. If a vulnerability is identified, the impact can be devastating, as the hacker is then able to carry out a data breach and use the acquired data for fraudulent purposes.
Unfortunately, the likelihood of finding a vulnerability in a mobile application is high because applications are not tested for potential vulnerabilities during the development process. It is believed that as many as 90% are not properly tested to find vulnerabilities, with an even higher number running without protection in production.
There has also been a strong increase in the use of malware, such as mobile banking trojans produced to steal credentials and money from customers' bank accounts. This is a particular threat on Android devices because the apps that are distributed undergo a less stringent vetting process.
The risk is increased further because device settings can be changed to allow apps to be installed from sources other than the Google Play Store, significantly increasing the likelihood of fraud being carried out by a rogue application.
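An app can at least observe whether it arrived through the store it was published to. The snippet below is an added example for this article, not code from any product it mentions; the trusted-installer allow-list is constructed for the example, and the Play Store package name com.android.vending is the real one. PackageManager.getInstallSourceInfo (API 30) and the older getInstallerPackageName are real Android APIs.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build

// Constructed for the example: installers this app treats as trusted distribution channels.
private val TRUSTED_INSTALLERS = setOf("com.android.vending")  // Google Play Store

// Returns the package name of whatever installed this app, or null when unknown.
// A sideloaded APK (adb, file manager, browser download) typically yields null or the
// name of the app that performed the install rather than a store.
fun installerPackage(context: Context): String? {
    val pm = context.packageManager
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        try {
            pm.getInstallSourceInfo(context.packageName).installingPackageName
        } catch (e: PackageManager.NameNotFoundException) {
            null
        }
    } else {
        @Suppress("DEPRECATION")
        pm.getInstallerPackageName(context.packageName)
    }
}

// Hypothetical risk signal: true only when the install source is on the allow-list.
// Report the result with other device signals; a repackaged build may claim anything,
// so the decision to challenge or decline a transaction belongs on the server.
fun installedFromTrustedStore(context: Context): Boolean =
    installerPackage(context) in TRUSTED_INSTALLERS
```

Treat a null or unexpected installer as one input to fraud-risk scoring alongside the other device signals, not as a standalone block: enterprise devices legitimately install through MDM agents, and a rogue build running on a rooted device can report whatever it likes.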
What is the Solution?
Mobile application security needs to be at the centre of mobile application development and production, and present at each stage of the design and build process. This will help to prevent financial loss, intellectual property loss and damage to a brand's reputation, as well as avoiding fines from industry regulators. In reality, however, applications are not designed with security as a central focus, and new features unfortunately take precedence. It is imperative that this is addressed and that attitudes change, so that widespread fraud does not continue, or even increase, in the future.