When it comes to the security of their mobile applications, it seems organizations are still not getting it. Even when they are able to check off security compliance checklists and remain compliant on paper, evidence shows a preponderance of gaping holes in many organizations’ security nets—with the obvious and implicit risk of customer and enterprise data remaining vulnerable to ransomware attacks and/or massive data theft.
While some who do not closely follow news of data exploits might argue that security experts often cry wolf, a new report released by security solutions provider Arxan Technologies and authored by Alissa Knight, cybersecurity analyst and a self-described former hacker, offers stark and sobering details of just how easy it is for the bad guys to get data from mobile apps.
Knight based her metrics on security inadequacies and protection failures among consumer financial applications. This led to the exposure of source code, sensitive data stored in apps, access to back-end servers via APIs and more—most of which was readily findable and available in the source code, she said.
The most critical issue was discovering the firms were storing the API keys and secrets, code certificates and more in the code in the subdirectories of the apps, Knight said.
“Nobody has learned anything,” she said. “Two of the firms were financial services I used. So, I removed them, but it was devastating.”
The study covered mobile apps from eight unnamed financial services sectors including retail banking, credit cards, mobile payments, cryptocurrency, retail brokerage, health insurance and auto insurance. The severity of the vulnerabilities included a combination of account takeovers, synthetic identity fraud, credit application fraud, identity theft, gift card cracking and/or credential-stuffing attacks.
Knight said she was able to easily reverse-engineer nearly all of the applications downloaded on Google Play Store in 8.5 minutes or less.
Among other things, the findings also reflect how black hat hacking has changed over the past few years.
“Over the last 20 years, hacking has gone from website defacements for notoriety to hacking for profit through ransomware and data that can be monetized. With data being the new currency, now more valuable than oil, hacking has changed even more dramatically over the last two to three years as hackers continuously shift their attention to the softer target,” Knight said. “It’s clear from my research that it’s mobile devices as the source code across all of the financial services industries that are easily accessible due to a systemic lack of code obfuscation and tamper protection. It’s my belief that the targeting by adversaries will shift to APIs and mobile apps as we’ve seen recently.”
The key takeaway is that the general state of enterprise security remains systemically inadequate, despite advances in APM and other security tools.
“In the big picture, it’s clear by looking at the API keys and private certificates being hard-coded or stored in files of the mobile app that developers are not considering how trivial it is to reverse-engineer mobile apps and gain access to the files that ship with them,” Knight said. “Companies may not even know that their mobile apps are being shipped in this state. They may not know that keys and private certificates are being shipped out with the code.”
Also, in general, the financial services industry “needs to take their cybersecurity hygiene more seriously,” she said.
“Financial service firms need to ensure their developers are receiving adequate secure coding training, and that companies have both application penetration testing, static code analysis and dynamic code analysis,” Knight said.
Other key findings from the report include:
In information security, technologies change very quickly. Security has a fast cycle of innovation: product builders launch new products quickly,…
Want to know what interception fraud is? Discover what it is & how you can prevent interception fraud from affecting…
Organizations often encounter issues when trying to implement best practices in mobile device security while also ensuring a seamless user…
Deepfake technology is a form of artificial intelligence that employs machine learning algorithms to generate realistic media content. The post…
At any given moment of any random school day, chances are high that your students are online. No big deal,…
Our thanks to BSidesSF for publishing their presenter’s superlative BSidesSF 2023 content on the organizations’ YouTube channel. Permalink