We are in a new frontier in the mobile security space. Mobile advances are happening at a rapid rate and with the arrival of wearables and the Internet of Things (IOT), standard mobile security practices have not quite kept up with the pace. Mobile is increasingly becoming our primary interface to the web and our means of exchange (ideas, experience, money etc). Fondness with our mobile devices makes it so easy for most to expose sensitive information even if this is just on the device and not on the web or social media. At the center of this mobile experience? The app ecosystem. So, how secure are these apps that simplify our daily activities?
Gartner has stated that roughly 75% of all apps will fail basic security tests through the end of 2015. So, think 3 out of 4 apps you use. It is presumptuous for any business or organization that makes or provides mobile apps to think that simply applying traditional web application security principles is sufficient. Mobile apps are significantly different than web apps in a number of ways. For one, deployment of an unsecured app feature is hard to take back. Once users have the app on their devices you cannot simply force a user to upgrade. With web, changes can happen behind the scenes and customers get the latest update when next they visit the website.
Securing mobile now requires going beyond traditional user facing security measures like password encryption, use of SSL (https) or data encryption. The mindset has to shift to App Integrity. This is because reverse engineering an unprotected app is pretty easy today. You can easily decompile most apps using free or cheap tools in less than 5 mins. And be able to see business logic and sensitive data in no time. Other than the potential for IP theft, malware insertion is a possibility. This could be a simple case of a reverse engineered app, in which malware is inserted with the app repackaged and deployed to 3rd party app stores. Jailbroken and rooted devices would be must vulnerable here. Can more be done? Yes.
Techniques like Anti Tampering Mechanisms, Code Obfuscation, White-box Cryptography (Obfuscating mobile native code, like C/C++, containing sensitive logic), Jail Break and root detection, Self Checksums are just a few ways to further harden an app. There are tools in the market that help with this, but it is vital to remember that hackers also have access to these tools and so it is critical to always add your own flavor of hardening.
In most cases, hackers given enough time, tools and motivation can almost certainly compromise your mobile app, but the goal here is to significantly reduce that risk by increasing speed bumps. This makes it even more critical to secure backend services or APIs with such things as token based authentication (ex: OAuth 2.0) as the next line of defense. It is important to consider how secure your app is because your customers security is vital to your business. So, do you know how secure your app is today?