Mobile Security & Enterprise Mobility Blog

When to Use In-App Protection

There are more than 5 million apps in the app stores. Most of these apps fit into the gaming, business, education, lifestyle, entertainment, and utility app categories. Some of these apps have access to and contain highly sensitive data and require in-app protection and security to defend against real-time cyberattacks. This security is in addition to security detecting reverse engineering and tampering. No amount of application hardening will ever detect an attack on a third-party device.

Realize your app runs on a consumer’s unmanaged device. Her device could have malware on it. It could be jailbroken. It could be compromised. It could be operating on a malicious network or any number of dangerous situations as users scurry around for connectivity and power. You can’t manage the health of these devices, but you can create policies for how a third party endpoint interacts with your backend systems.

Companies promoting mobile services and sending customers to the mobile channel understand two things. One, mobile is superior customer experience. Secondly, it introduces significant risk. Many public companies acknowledge the risks that mobile devices and cloud services present into the business in SEC filings and annual reports. They understand that cyberattacks evolve at a pace higher than their defenses and are required to disclose this risk to shareholders.

For example:

“These risks may increase in the future as the Company continues to increase its mobile and internet-based product offerings and expands its internal usage of web-based products and applications. In addition, the Company’s customers often use their own devices, such as computers, smart phones and tablet computers, to make payments and manage their accounts. The Company has limited ability to assure the safety and security of its customers’ transactions with the Company to the extent they are using their own devices, which could be subject to similar threats.” – US Bancorp 2018 Annual Report

If companies want to expand mobile programs and reduce the risks of third-party devices interacting with backend systems, they need to have visibility into the actual risk. The risk is measurable with in-app threat defense installed into your mobile application, and I explain several of the most common use cases here.

Mobile Banking Apps

Mobile banking apps are some of the most useful apps on your smartphone. Making payments at terminals via mobile wallets, transferring money to payees or checking balances are some of the most commonly used features.

Banking functions using native smartphone functions are convenient as well. Using a smartphone’s camera for depositing checks and geolocation for locating ATMs to make cash withdrawals empowers users to perform tasks that not long ago were reserved for the teller at your bank. However, to enable these features on your consumers’ devices, you have to open up connections to your back end systems.

Enabling third-party devices to run your application introduces vulnerabilities. These vulnerabilities are exploitable if you don’t have visibility into these threats. Banking and cryptocurrency apps are frequent targets for theft since they contain information on and about your banking systems.

The Tesco Bank mobile app surrendered £2.5M from 9,000 accounts overnight after criminals reverse-engineered the mobile app. The bank suffered severe brand damage and was later fined £16.4M by The Financial Conduct Authority (FCA) for “failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.” As money moves to virtual currencies, so do the attacks on cryptocurrency apps. North Korea is notorious for targeting cryptocurrency apps to fund programs. Plus, “unhackable” crypto wallets are successfully compromised. Bitfi claimed to be an unhackable bitcoin wallet app, but it was hacked twice!

Civic Service Apps

Another sector replacing physical items in your wallet or purse is civic and government services. Many public services have had websites for years to renew your licensing, register with state or local agencies, or pay your taxes. Now, these services are moving to mobile devices, making it more convenient for constituents. However, these conveniences introduce risk since the constituents are individually responsible for their mobile device health. Public service apps contain personal information and payment data and must be aware of reverse engineering and real-time mobile attacks. Here are some examples of government apps that should implement in-app threat defense.

In the United States, Kansas in the United States launched a mobile app, iKan, to renew vehicle registrations. Texas hunters can use Outdoor Annual to purchase and hold hunting and fishing licenses. New York City offers a mobile security app, NYC Secure, ensuring its residents and commuters are safe while using the free LinkNYC WiFi services.

But, the most interesting civic service app pushing the limits is mobile voting.

Voting with a mobile phone may be scary, but it can be more secure with the right protections and tamper detection. For centuries votes have been cast via paper ballots. These ballots felt safe, secure, and tamper-proof. However, as digital platforms and algorithms are replacing legacy systems, officials are questioning the security of our elections.

Below is a brief timeline from the last 20 years of US elections, focusing on how we arrived at mobile voting:

  • 2000 – The Hanging Chad: The 2000 US presidential election is closest since 1876. Florida’s manual ballot recount deemed unconstitutional.
  • 2002 – HAVA 2002: Help America Vote Act signed into law in 2002 to update election systems and hardware in time for the 2004 presidential election.
  • 2004 – Voting Machine Software: Democratic nominee, John Kerry, is denied access to voting machines software after requests to voting machine algorithms.
  • 2016 – Gucifer 2.0: Russian intelligence agency hackers break into Democratic National Committee servers and Cambridge Analytica fuels data for election advertising campaigns.
  • 2018 – 10 Minutes: Eleven-year-old girl at BlackHat breaks into an electronic voting machine in less than 10 minutes. West Virginia, Utah and Denver pilot mobile voting.
  • 2020 – US Presidential Election: …

Public service mobile developers need to implement anti-tampering technology in their apps to reduce the possibilities of reverse engineering and exposing data. However, no amount of anti-tampering will detect a real-time attack. If you can’t identify an attack on your systems from an unmanaged third-party endpoint running your app, then you have no way to remediate that attack.

Employee Productivity Apps

Many times enterprises have internally developed enterprise apps to enable their mobile workforces. These apps are for law or accounting firms to read and edit documents or to log billable hours. Field service apps allow technicians to generate sensitive maps using geo locations for critical infrastructure or to monitor and control those systems. Hospitals and healthcare professionals making house calls need access to private healthcare information protected under HIPAA to administer health services and log insurance claims. All of these functions could take advantage of cost savings by running on a BYO device, but the mobile developer would need to install threat detection to detect cyberattacks and manipulations.

The risks involved in pushing private data to a BYO device expose data and credentials on the worker’s device. If there are not sufficient protections in place, then data could leak from the device or APIs and therefore failing to meet compliance requirements. There are several examples of apps exposing private user or device data. The Strava fitness app revealed global heatmaps of secret military bases around the world. The exposure caused the US Department of Defense to ban fitness trackers on both government and non-government devices. A New York Times investigation into mobile app tracking capabilities identified specific individuals from seemingly anonymous location data. The study found tracking code from one provider in over 500 different apps.

  • How risky is the device operating environment?
  • Is there malware on the device or other applications with abusive privileges or data leakage risks?
  • Is the network where your application is running safe?
  • Is there a process with Root privileges which can potentially steal confidential data stored locally?
  • Is there a process monitoring & stealing keystrokes or pasteboard data?
  • Are there processes reading and exporting data from memory?
  • Is the device jailbroken or compromised?

Zimperium’s in app protection, zIAP, provides your security and fraud teams mobile risk and threat data from your users via a lightweight SDK. Contact us for a free evaluation to secure your app from real-time attacks.