5 Reasons Why Mobile Application Security Fails

Traditionally, large organizations and the enterprise have been the focus for hackers and malicious attacks, but in recent years, the rise of sophisticated hacking tools and leaked databases on the dark web, in conjunction with the proliferation of mobile devices and the wealth of sensitive data stored on those devices, have made mobile devices an easier and equally fruitful target. The rise of remote working and BYOD has also made individual devices a potential ‘route into’ a larger organization.

Storing information on devices and the use of insecure, unsanctioned apps—which may not be compliant, could violate privacy or be prone to hacking or leaking—has become more prevalent. As a result, mobile application security is at the top of many businesses’ risk list. Almost all employees now regularly access corporate data from their smartphones; that means keeping sensitive information out of the wrong hands remains a complex issue for many businesses. The cost of not securing sensitive data remains high, with the average cost of a corporate data breach standing at an eye-watering $3.92 million.

Clearly, the threat model is different for mobile devices. There is much more risk of sensitive data being stolen or leaked due to the portable nature of the devices and the types of applications that are used. Work mobile devices are often shared, while mobile applications are highly connected to web services or associated with device sensors, such as cameras, microphones and location detection systems. Many devices also have payment capabilities and contain sensitive account details.

Top 5 Mobile Application Security Risks

Indeed, almost every mobile application my team and I have analyzed this year is at risk of being exploited by hackers. The most basic issue being insecure data storage, with the most obvious threats posed by malware. The top five risks to mobile application security that businesses and individuals need to be aware of are as follows:

Weak server-side controls: Any communication between an application and the user outside the mobile device, goes through a server. Therefore, the server becomes a prime target for cybercriminals. The precautions we can take to ensure server-side security range from hiring a specialized cybersecurity specialist in-house to using a testing tool and taking the usual precautions. However, a more serious problem occurs when an application’s developers do not implement traditional server-side security measures. Some common reasons for that include:

  • Poor security budgets and a lack of cybersecurity knowledge.
  • Overdependence on the mobile OS for security updates and responsibility.
  • Vulnerabilities due to cross-platform development and compilation.

29% of server-side components contain vulnerabilities that can cause disruption of app operation

Blind trust in app store security: As app stores are pre-installed on our mobile devices to enable access to most mobile applications, it is assumed that the app store has performed due diligence on the apps in their stores and those apps are secure. This is often not the case. Many app store merchants lack the capability or budget to ensure that the apps they make are secure. App stores contain far too many apps to check every single one, so many open us up to risks that can harm us and the businesses we work for.

Unsafe data storage: Another basic mobile application security loophole is the lack of safe data storage. Standard practice for developers is to depend upon the client for data storage. But client storage is not a sandbox environment, where data breaches are impossible. The app is live and in use, so in the event of an acquisition of the mobile by someone other than its owner, this data can be easily exploited, manipulated and used. This can result in identity fraud, reputational harm and external policy violation (for example, around PCI).

Easy authorization and authentication: Easy and unfit authentication processes allow hackers to anonymously operate a mobile application or access an application’s back-end server. This is common because of a mobile device’s input form factor, which promotes small passwords that are normally based on four-digit PINs.

Unlike traditional web apps, mobile application users are not expected to be online throughout their sessions, and mobile internet connections are not as secure as traditional web connections. Therefore, mobile apps may need offline authentication to stay up to date. This offline requirement can generate security loopholes that developers need to consider when building in or executing mobile authentication.

Broken cryptography: Broken cryptography is a basic mobile application security issue that occurs due to bad encryption or wrong implementation. By exploiting those vulnerabilities, cybercriminals can decrypt the important data to its initial form and manipulate or steal it. Broken cryptography can happen due to complete dependence on built-in encryption processes, the use of custom encryption protocols, the use of vulnerable algorithms and other reasons. Cybercriminals can also benefit from poor key management such as storage of keys in easily accessible locations or not hard coding keys within the binary.

With the introduction of Apple’s iOS and Google’s Android operating systems, smart mobile technologies have completely revolutionized the way people and businesses communicate. The success of the smartphone and its ease of use have led consumers to use mobile devices to perform a variety of activity, including remote work. Although the popularity of mobile technologies has greatly simplified our lives, it also has created headache for companies developing these applications and providing the back-end systems to support their operation. The costs of dealing with cybercrime incidents have reached the point where it is now a major threat to the corporate bottom line.

Featured eBook
Identifying Web Attack Indicators

Identifying Web Attack Indicators

Attackers are always looking for ways into web and mobile applications. The 2019 Verizon Data Breach Investigation Report listed web applications the number ONE vector attackers use when breaching organizations. In this paper, we examine malicious web request patterns for four of the most common web attack methods and show how to gain the context and ... Read More
Signal Sciences

Shitesh Sachan

Shitesh Sachan is the founder and CEO of Detox. He is a white-hat hacker and a Certified Information Security Auditor (CISA), with over 20 years’ experience. Before founding Detox, Shitesh led security at hCentive, a US health tech company that protected ObamaCare, amongst other global projects. In his wider remit as an ethical hacker, Shitesh has identified security vulnerabilities within some of the world’s largest platforms, including Amazon, LinkedIn, WhatsApp, Shutterstock, Medlife, Dominos and PizzaHut. Shitesh is a published author and has recently been awarded ‘Hall of fame’ status by the World Security Council for identifying security flaws in their system.

shitesh-sachan has 1 posts and counting.See all posts by shitesh-sachan