When it comes to the security of their mobile applications, it seems organizations are still not getting it. Even when they are able to check off security compliance checklists and remain compliant on paper, evidence shows a preponderance of gaping holes in many organizations’ security nets—with the obvious and implicit risk of customer and enterprise data remaining vulnerable to ransomware attacks and/or massive data theft.
While some who do not closely follow news of data exploits might argue that security experts often cry wolf, a new report released by security solutions provider Arxan Technologies and authored by Alissa Knight, a cybersecurity analyst and a self-described former hacker, offers stark and sobering details of just how easy it is for the bad guys to get data from mobile apps.
Knight based her metrics on security inadequacies and protection failures among consumer financial applications. This led to the exposure of source code, sensitive data stored in apps, access to back-end servers via APIs and more—most of which was readily findable and available in the source code, she said.
The most critical issue was discovering the firms were storing the API keys and secrets, code certificates and more in the code in the subdirectories of the apps, Knight said.
“Nobody has learned anything,” she said. “Two of the firms were financial services I used. So, I removed them, but it was devastating.”
The study covered mobile apps from eight unnamed financial services sectors including retail banking, credit cards, mobile payments, cryptocurrency, retail brokerage, health insurance and auto insurance. The severity of the vulnerabilities included a combination of account takeovers, synthetic identity fraud, credit application fraud, identity theft, gift card cracking and/or credential-stuffing attacks.
Knight said she was able to easily reverse-engineer nearly all of the applications downloaded on Google Play Store in 8.5 minutes or less.
Among other things, the findings also reflect how black hat hacking has changed over the past few years.
“Over the last 20 years, hacking has gone from website defacements for notoriety to hacking for profit through ransomware and data that can be monetized. With data being the new currency, now more valuable than oil, hacking has changed even more dramatically over the last two to three years as hackers continuously shift their attention to the softer target,” Knight said. “It’s clear from my research that it’s mobile devices as the source code across all of the financial services industries that are easily accessible due to a systemic lack of code obfuscation and tamper protection. It’s my belief that the targeting by adversaries will shift to APIs and mobile apps as we’ve seen recently.”
The key takeaway is that the general state of enterprise security remains systemically inadequate, despite advances in APM and other security tools.
“In the big picture, it’s clear by looking at the API keys and private certificates being hard-coded or stored in files of the mobile app that developers are not considering how trivial it is to reverse-engineer mobile apps and gain access to the files that ship with them,” Knight said. “Companies may not even know that their mobile apps are being shipped in this state. They may not know that keys and private certificates are being shipped out with the code.”
Also, in general, the financial services industry “needs to take their cybersecurity hygiene more seriously,” she said.
“Financial service firms need to ensure their developers are receiving adequate secure coding training, and that companies have both application penetration testing, static code analysis and dynamic code analysis,” Knight said.
Other key findings from the report include:
- Lack of Binary Protections: 97 percent of all apps tested lacked binary code protection, making it possible to reverse-engineer or decompile the apps exposing source code to analysis and tampering.
- Unintended Data Leakage: 90 percent of the apps tested shared services with other applications on the device, leaving data from the FI’s app accessible to any other application on the device.
- Insecure Data Storage: 83 percent of the apps tested insecurely stored data outside of the apps control—for example, in a device’s local file system or external storage—and copied data to the clipboard, allowing shared access with other apps and, exposed a new attack surface via APIs.
- Weak Encryption: 80 percent of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed.
- Insecure Random Number Generation: 70 percent of the apps use an insecure random number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable.