
How Do You Make a Mobile App Secure?


Mobile apps are an integral part of our lives, but all too often they are not secure. Over the years, several high-profile cases of mobile app data being stolen or compromised have hit the headlines. Uber, for example, paid $148 million to settle claims after hackers accessed the personal information of 25 million customers and drivers. In this article we'll look at some of the main weaknesses in mobile platforms and how you should approach protecting your mobile business.

By way of an illustration, a 2021 mobile threat report by McAfee found a marked increase in both new and total mobile malware.


McAfee chart; total mobile malware by quarter 2019 vs 2020

(Image source: mcafee.com)

McAfee chart; new mobile malware by quarter 2019 vs 2020

(Image source: mcafee.com)

According to the report, there are three main areas of concern:

  1. Mobile malware taking advantage of disasters: Throughout the pandemic, cybercriminals have preyed on people's fears with fake mobile coronavirus tracking apps. Once installed, these apps steal the user's contact list and display unwanted and fraudulent advertisements. Future campaigns are likely to use COVID-19 passports, booster shots and other pandemics as the lure.
  2. Billing fraud malware: This type of malware is designed to defeat SMS-based two-factor authentication (2FA). Once it's on your phone, it can intercept SMS messages containing one-time passcodes (OTPs) and hand them to the attacker, who can then act in your name against your online accounts.
  3. Banking trojans: The Cerberus family of Trojans has been responsible for much of the rise in malware. This remote access Trojan lets attackers take control of a user's device, intercept SMS messages and two-factor authentication codes, and steal credentials using overlays that mimic the login screens of hundreds of financial and retail apps.

Malware is just one example of how mobile businesses can be attacked. Fake or modified versions of your apps might be circulating, genuine apps might be manipulated at runtime with free but highly effective hacking tools, or scripts might be impersonating your mobile app's traffic and calling your APIs directly. Unfortunately, mobile platforms are rich pickings for hackers, and there are many attack vectors available to them.

Methods to Secure Mobile Apps

To simplify this picture, let's focus on a few key approaches that developers can take to secure mobile apps. These include:

  • Authenticate the App: Ensure that only authentic, untampered instances of your app can make calls to your API, and test that this actually holds. The importance of app authentication is best demonstrated by popular strategy-based mobile games, in which players collect resources and earn rewards for playing. Attackers undercut the developer by selling modified apps and accounts already populated with gaming resources. The game's API must be able to distinguish calls made by a tampered app from calls made by a legitimate one, and the same requirement applies in other sectors such as financial services, healthcare, retail and transportation.
  • Device Integrity: Jailbreaking or rooting a device gives whoever controls it, including malware, root privileges: complete control of the device, the ability to install any software, and the ability to inspect and modify running apps. To combat this, developers can use jailbreak/root detection. These detections, coupled with other environmental checks that look for debuggers, emulators, simulators and instrumentation frameworks such as Frida and Xposed, are needed to ensure that genuine app instances are not being manipulated by bad actors. Bear in mind that a check running on the device can itself be tampered with by whoever controls that device, so its result is worth far more when it is verified by the backend than when the app simply trusts it.
  • Channel Integrity: All communication between the mobile app and backend services should be encrypted with TLS. In addition, pin the certificates the app will accept for your API so that the channel is protected against man-in-the-middle attacks, which otherwise let an attacker with an intercepting proxy and a device-installed root certificate read and manipulate valuable data. Dynamic pinning lets the set of accepted pins be updated over the air, so certificate rotation does not require shipping a new app version or risk locking users out.
  • App Credential Integrity: User credentials can be obtained through phishing, app spoofing, data breaches and app impersonation. Developers need to use app authentication alongside user authentication, so that a stolen user credential is not sufficient on its own: bots and scripts that hold valid credentials but are not the genuine app are blocked, and cybercriminals can't exploit user and app credentials at scale.
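The following is an added example, not code from the original article or from Approov's product. It shows in Python how an API backend can gate every request on an app-attestation token and bind that token to the user's credential, which is the backend half of the "Authenticate the App" and "App Credential Integrity" points above. The token format (JWT-style, HS256), the claim names `exp` and `pay`, the shared secret `APP_ATTESTATION_SECRET` and the sample session strings are all assumptions constructed for the illustration; the attestation itself (deciding that the caller is a genuine, untampered app) happens before `issue_app_token` and is outside this snippet.

```python
"""Backend check that an API request carries a valid app-attestation token
bound to the user credential it travels with. Added illustration, not
Approov's code or token format. Assumptions: a JWT-style token
(base64url header.payload.signature, HS256) minted by a hypothetical
attestation service that shares APP_ATTESTATION_SECRET with the API, with
claims 'exp' (expiry, unix seconds) and 'pay' (base64url SHA-256 of the
user's Authorization header, binding the app token to the user credential)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed for the example; a real service would load this from a secret store.
APP_ATTESTATION_SECRET = b"example-shared-secret-do-not-use"
TOKEN_LIFETIME_S = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def credential_binding(authorization_header: str) -> str:
    """Value the attestation service puts in 'pay' for a given user credential."""
    return _b64url(hashlib.sha256(authorization_header.encode()).digest())


def issue_app_token(authorization_header: str, now: Optional[int] = None) -> str:
    """Stand-in for the attestation service. Only a genuine, untampered app in a
    clean environment gets this far, so the API can treat a valid token as proof
    that the caller was attested at issue time."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "exp": now + TOKEN_LIFETIME_S,
        "pay": credential_binding(authorization_header),
    }).encode())
    sig = hmac.new(APP_ATTESTATION_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request(app_token: str, authorization_header: str,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """API-side gate. Returns (accepted, reason) and fails closed on bad input."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = app_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm server-side; never let the token choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(APP_ATTESTATION_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        return False, "bad signature"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired"
    # Token binding: a valid app token lifted from one session must not
    # authorise API calls made with a different user's credential.
    if payload.get("pay") != credential_binding(authorization_header):
        return False, "token not bound to this credential"
    return True, "ok"


def _tamper(token: str) -> str:
    """Attacker edits the payload (extends expiry) without the signing secret."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["exp"] += 3600
    return f"{header_b64}.{_b64url(json.dumps(payload).encode())}.{sig_b64}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Runs the cases the article describes against constructed sample inputs."""
    t0 = 1_700_000_000
    user_auth = "Bearer user-session-abc123"  # constructed user credential
    token = issue_app_token(user_auth, now=t0)
    return {
        "genuine app, own session": verify_request(token, user_auth, now=t0 + 10),
        "script replays token with stolen session": verify_request(token, "Bearer stolen-session-xyz", now=t0 + 10),
        "stale token": verify_request(token, user_auth, now=t0 + TOKEN_LIFETIME_S + 1),
        "payload tampered": verify_request(_tamper(token), user_auth, now=t0 + 10),
        "no app token (plain script)": verify_request("", user_auth, now=t0 + 10),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:42s} -> {'ALLOW' if ok else 'DENY'} ({reason})")
```

The binding claim is the part practitioners most often leave out: without it, a single token harvested from one genuine app run can be replayed by a script alongside any stolen user credential, which is exactly the "credentials at scale" problem described above. The short lifetime limits how long any harvested token stays useful, and the server-side algorithm pin and constant-time signature comparison close two classic token-verification mistakes.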

How Approov Secures Your Apps

It's important to recognise that protecting the app alone doesn't protect a mobile-centric business, because the app can be bypassed by scripts attacking the APIs directly. Approov's approach provides three main security benefits: app attestation, environment checks and dynamic certificate pinning. Approov ensures that your APIs and backend resources can only be accessed by your mobile applications running in secure environments and communicating via secure connections. For more information, check out our product page or schedule a live demo.


David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.