Scott McKellar is currently a Technical Consultant at Mimecast, where he has been since early 2019. Scott has been working in the technology industry for fifteen years and is passionate about technology and security. Scott enjoys understanding his customers' and prospects' often complex business challenges and aligning them with technology to solve problems and add value. Prior to his role at Mimecast, Scott headed up the technology team for a leading Australian Wi-Fi analytics SaaS and IaaS provider, Discovery Technology (a Data#3 company).
Apps hold truckloads of confidential user data, and users extend them an implicit level of trust: we don't think twice about downloading a new mobile game or a slick new shopping app.
For most app developers, security tends to be a low priority, and despite the rise in app hacking, security measures are usually bolted on as an afterthought once development is complete. Thankfully, trends in app development are starting to change.
Most attackers are after the user data the app holds: usernames, passwords and other credentials, which they can use for blackmail or simply sell on the black market. Others aim to sabotage an app or service through DDoS attacks, or use the compromised app as a foothold into a corporate network.
How hackers decide which apps to target
Hackers tend to be practical and go for the lowest-hanging fruit. Sadly, there is no shortage of popular apps with less-than-stellar security built in. Certain weaknesses make an app an attractive target: no multifactor authentication (MFA), no encryption of data in transit or at rest, credentials or records kept in unprotected local storage, and code that is trivial to decompile. If an attacker can reverse engineer the code, they can find hard-coded secrets and the paths to the data they want.
Attacks on mobile apps can be planned well in advance
People generally believe that mobile security attacks are spur-of-the-moment, one-off events. But hackers are evolving their methods and can put a lot of thought and planning into their heists.
They may spend weeks just doing reconnaissance, researching potential targets and gathering intel. Once they’ve decided on a target app, they’ll study it and try to figure out how it works, what its vulnerabilities are, and how they can cover their tracks once they’ve got the goods.
Only then will they carry out the attack itself, using techniques like debugging, hooking, code modification and data exfiltration. Breaking into an app is one thing; profiting from it is another. Finance, wallet and banking apps, for example, are closely monitored for unusual activity, which makes it hard for attackers to walk away clean: any attempt to misuse the app will trip fraud detection systems, and an attacker who cannot evade them risks ending up in jail.
Devs have a whole arsenal of security measures to make a target unappealing to would-be hackers. These measures can add significantly to the cost and time of building an app, but for sensitive applications they are worth it. Let's explore some of the specific tools and techniques they can use.
How devs can strengthen app security
1. Use token-based authentication
Using tokens is best practice for granting access to APIs and other external resources. Rather than sending the user's password with every request, the app authenticates once and receives a token that is short-lived, scoped to what that session needs, verified server-side on every call and revocable; on the device it belongs in the platform keystore, not in plain preferences or files. A well-designed token scheme is a critical component of app security.
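To make the backend side of this concrete, here is an added example (not code from the original article, Mimecast or any real product) written with Go's standard library. The function and type names Issue, Verify and Claims are hypothetical, and the secret key and token values are constructed for the demo. It mints a short-lived HMAC-SHA256-signed token carrying a subject, a scope and an expiry, and verifies it the way an API should: signature first, in constant time, then expiry, before any claim is trusted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is what the backend asserts about the caller. Nothing here is secret;
// the token's integrity comes from the signature, not from hiding the payload.
type Claims struct {
	Subject   string `json:"sub"`   // the authenticated user
	Scope     string `json:"scope"` // what this token may do
	ExpiresAt int64  `json:"exp"`   // Unix time after which it is dead
}

var (
	ErrInvalid = errors.New("token invalid")
	ErrExpired = errors.New("token expired")
)

// sign computes base64url(HMAC-SHA256(secret, data)).
func sign(secret []byte, data string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(data))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue mints a compact "payload.signature" token valid for ttl from now.
// The secret stays on the backend; the app only ever holds the token.
func Issue(secret []byte, subject, scope string, ttl time.Duration, now time.Time) (string, error) {
	payload, err := json.Marshal(Claims{Subject: subject, Scope: scope, ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString(payload)
	return enc + "." + sign(secret, enc), nil
}

// Verify checks the signature before it trusts a single claim, then the expiry.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrInvalid
	}
	// hmac.Equal is constant-time: a forger learns nothing from how long the compare took.
	if !hmac.Equal([]byte(sign(secret, parts[0])), []byte(parts[1])) {
		return nil, ErrInvalid
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrInvalid
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, ErrInvalid
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	// Constructed for the demo; a real backend loads a random 32-byte key from its secret store.
	secret := []byte("demo-secret-do-not-ship")
	now := time.Now()

	tok, _ := Issue(secret, "user-42", "orders:read", 15*time.Minute, now)
	fmt.Println("token:", tok)

	if c, err := Verify(secret, tok, now); err == nil {
		fmt.Printf("accepted: sub=%s scope=%s\n", c.Subject, c.Scope)
	}

	// Swapping in a forged payload (admin, wildcard scope) breaks the signature.
	forged := base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"admin","scope":"*","exp":9999999999}`))
	_, err := Verify(secret, forged+"."+strings.Split(tok, ".")[1], now)
	fmt.Println("forged payload:", err)

	// A stolen token stops working on its own once the ttl has passed.
	_, err = Verify(secret, tok, now.Add(16*time.Minute))
	fmt.Println("after 16 minutes:", err)
}
```

The order inside Verify is the point: the payload is never decoded, let alone acted on, until the signature has been checked, and the short ttl limits how long a token lifted from a compromised device stays useful. Revocation and per-session scoping would sit on top of this in a real service.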
2. Use HTTPS
All communication to and from the app must use an encrypted transport such as HTTPS, meaning TLS with a certificate from a trusted CA (SSL itself is long obsolete). Enforce it for every connection, including analytics and third-party SDK traffic, and never ship a build with certificate validation disabled to make a development proxy work; for high-value apps, certificate pinning adds a further layer. An app and backend that encrypt every byte in transit make it extremely difficult for an attacker on the network to read, tamper with or steal data.
3. Use Multifactor Authentication
For sensitive apps, this should be standard practice. A username and password are only as strong as the user's password hygiene; requiring a second factor means a stolen password alone is not enough. Biometrics are a convenient second factor: most new phones carry fingerprint sensors and support face or voice verification, and the biometric typically unlocks a key held in the device's secure hardware rather than being sent to the server, which makes it a cost-effective way to bolster app security.
4. Encrypt Data Stored On The Device
Encrypting the data your app stores on users' devices is a strong deterrent: without the key, recovering the plaintext from a properly encrypted store is impractical. The caveat is key management. A key hard-coded in the app or written next to the data defeats the purpose; use the platform keystore (hardware-backed where available) so the key never leaves the device's secure element and is only usable once the user has unlocked the device.
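As an added example (not code from the original article or from any real app), here is what "encrypt what you store" looks like with authenticated encryption from Go's standard library. The helpers Seal and Open, the record contents and the key are constructed for the demo; a real app would fetch the key from the platform keystore rather than generate it in memory. AES-256-GCM gives confidentiality and integrity together, so a wrong key, a flipped byte in the stored file or a ciphertext moved to a different record all fail closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext with AES-256-GCM under a 32-byte key and returns
// nonce || ciphertext || tag. The nonce is random per call, so the same record
// encrypted twice never produces the same bytes. aad is authenticated but not
// encrypted; binding it to the record's name stops a ciphertext from being
// silently moved from one field to another.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. GCM authenticates before it decrypts: a wrong key, a
// flipped byte or a mismatched aad all return an error and no partial plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// In a real app the key comes from the platform keystore (Android Keystore,
	// iOS Keychain), ideally hardware-backed and never written beside the data.
	// For this demo we generate one in memory (constructed input).
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"account":"12345678","balance":"1042.17"}`) // constructed sample record
	label := []byte("prefs/account")

	blob, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext\n", len(blob))

	got, err := Open(key, blob, label)
	fmt.Println("right key, right record:", string(got), err)

	wrongKey := make([]byte, 32)
	_, err = Open(wrongKey, blob, label)
	fmt.Println("wrong key:", err)

	// An attacker with file access flips one byte of the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, label)
	fmt.Println("tampered byte:", err)

	_, err = Open(key, blob, []byte("prefs/other"))
	fmt.Println("moved to another record:", err)
}
```

The design choice worth copying is the authenticated mode: plain AES-CBC without a MAC would let an attacker with write access to the device flip bits in a stored balance or flag without knowing the key. The other half of the story is where the key lives; the strongest cipher is worthless if the key sits in the same backup as the ciphertext.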
Hackers are always innovating and can be very creative in their attacks, but they are also smart enough to realise when an attack is not worth the effort. While app technology and dev tools keep improving, the most effective security strategy is to make security a priority at the very outset, before a single line of code has been written. Designing apps with security as a core feature and building outwards from there remains one of the best ways to ensure the app stays secure.