Client Applications: A Hacker’s Easiest Target?

A perfect storm is brewing for any application running in a workstation—the client application—which is putting a target on its back and placing it in the “most vulnerable” category. The increasingly large amount of sensitive data aggregated by these client applications is staggering. The pressure is mounting for enterprises to harden defenses or risk major legal and financial repercussions for failure to comply with new data protection regulations, and developers are feeling more heat to get applications up and running even if it means sacrificing security. All the while, cybercriminals are watching closely, evolving their tactics to find the easiest entry points into these applications and steal data.

Fortunately, there are preventive steps app developers can take that don’t require them to be cybersecurity experts and are not dependent on unproven technologies.

Decentralize ‘Toxic Data

On the regulatory side, the European Union’s GDPR (General Data Protection Regulation) will have its one-year anniversary in May. As EU member countries become more familiar with the law, there is a very real chance that more companies could face the penalties for non-compliance—large fines that could be up to €20 million or 4 percent of a company’s revenue for mishandling data (whichever is higher). In the United States, in response to continuing controversies, California has already passed a strict privacy law. On top of this, observers agree there is a good chance that both industry and politicians could come to an agreement around a nationwide privacy law.

The potential liability for holding sensitive personal data continues to grow. Regardless of their size or industry, companies will respond by looking for ways to reduce their centralized holdings of personal data.

One tactic is to decrease the amount of sensitive data held on public clouds and push it to user devices. The desire to reduce the amount of centrally held datasets is a driving force behind a technology industry movement often referred to as “The Decentralized Web.” This movement is one of the factors behind the vibrant activity around distributed ledger technology such as blockchain and its cousin, cryptocurrency. The Solid project backed by Sir Tim Berners-Lee is another promising technology in this area.

Distributed ledger technologies, particularly private blockchains that are only open to selected users, give companies the ability to move sensitive data to applications running on client devices. With the good security of blockchain, more companies are expected to take this route.

That being said, the hype around blockchain and cryptocurrencies are likely to introduce additional cybersecurity vulnerabilities. While blockchain technology is meant to operate strictly peer-to-peer, there is still a need for a supporting software ecosystem. One example is the wallet applications typically used for holding cryptocurrencies. These ecosystem elements may not have the same level of security as the blockchain based elements and will increasingly be a target for cybercriminals.

We are already seeing examples of such attacks. A cybercriminal was found to have inserted a backdoor into a JavaScript library used in a bitcoin wallet. With all the hype around blockchain, it’s very likely solutions will be rushed into market without appropriate cybersecurity measures and vetting capabilities, creating more vulnerabilities for bad actors to exploit.

Better Hardware, More Toxic Data

Besides decentralized applications, there are two other trends that will increase the amount of sensitive data held in client applications. Both of these arise from the increasing sophistication of the hardware used in devices.

First, sensor technologies are mature enough that biometrics such as fingerprint or facial recognition are becoming mainstream authentication techniques to replace usernames and passwords. Fingerprints and facial recognition are commonly used biometric-based authentication systems in smartphones and this year biometric authentication is moving into cars. Unlike usernames and passwords however, biometric information is extremely sensitive since once it has been stolen, it can’t be changed. Given this, applications with access to biometric data will be a tempting target.

Second, one reason that companies hold data on servers is to perform analytics. Machine learning and artificial intelligence (AI) are the latest data analytics techniques to hit the market. Chip manufacturers such as Apple, Qualcomm and Huawei, increasingly are competing on features to support ML/AI applications on client devices. With improved capabilities available on the client hardware side, application developers will leverage these to offload processes previously performed server-side. Much of the data used in these processes will be sensitive data of interest to cybercriminals as well.

Protecting the App

Given the increase in sensitive data held by apps, app developers are increasing their security measures. One of those measures is adopting hardware-based cybersecurity technologies. This is generally a very effective posture, but isn’t ironclad since there is always a potential for side channel attacks. In 2018, the Spectre and Meltdown attacks showed that hardware cybersecurity vulnerabilities existed that could also be exploited and exploitation paths continue to increase. In particular, the Spectre attack not only affects processors used in servers but also client devices such as laptops and smartphones. In 2019, we are likely to see more hardware cybersecurity vulnerabilities discovered and exploited.

A solution to this conundrum is for app developers to adopt the practice of “defense in depth” and not rely solely on hardware security or the device makers’ hardware and OS protections. There are a number of proven software techniques that developers can call on to increase the security of their apps:

  • During the planning phase, make sure that attention to cybersecurity is built in at the beginning of the development process, not tacked on at the end when it is harder to implement.
  • Map out the processes where data is passed along within the app as well as outside of the app and ensure that data is always encrypted. It should never be left in the clear as plain text or with the secret keys exposed.
  • Obfuscation techniques can be useful. One example is whitebox cryptography, where the keys are kept hidden from bad actors even if they have access to the code. Another is code obfuscation that frustrates cybercriminals from doing such things as analyzing code to find vulnerabilities and attempting to reverse engineer the code.
  • Use a trusted PKI service to obtain cryptographic keys for use in encrypting data as well as digital certificates for authenticating the app.
  • Institute a runtime checks that confirms the app hasn’t undergone unauthorized changes when run.

With these tips, app developers can rest easier even as their apps are thrown in the front lines of the continuing battles with cybercriminals.

Bill Horne

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Bill Horne

Bill Horne, Ph.D., is Vice President and General Manager, Intertrust Secure Systems. He leads Intertrust’s Secure Systems division, and is responsible for the company’s application shielding suite of products and device identity PKI services. Prior to joining Intertrust, he was the Director of Security Research at Hewlett Packard Enterprise, where he led a team of R&D security experts who supported HP’s security product efforts. Previously, Horne was a research scientist at Intertrust’s STAR Lab from 1997 to 2002, before which he was at NEC Research Institute in Princeton, N.J. Horne has published more than 50 peer-reviewed articles on topics of security and machine learning, and has 33 granted and 44 pending patents to his name. He holds a B.S. in Electrical Engineering from the University of Delaware, and earned an M.S. and Ph.D. in Electrical Engineering from the University of New Mexico.

bill-horne has 4 posts and counting.See all posts by bill-horne