At the Heart of Securing Mobile Apps - NIIT Technologies


Abstract

All IT-enabled businesses today are moving toward Artificial Intelligence (AI) driven personalized digital experiences for their customers. This implies a critical need for customers’ trust in the underlying technology. At the same time, it has been observed that cybercrime is growing at an alarming rate and is shaking customers' trust in enterprise applications.

In the BFSI domain, mobile devices have emerged as soft targets. They often carry high value, confidential data of upper-end users, can be connected to the Internet, and have powerful processors to run the apps. Such attributes make mobile phones easy targets for professional hackers. Organizations must have a robust incident monitoring and response plan to minimize damages and recover from cybersecurity incidents.

Assessing the State of Mobile App Security

At the Heart of Securing Mobile Apps

Abhinav Kumar


Cybersecurity: Current State

As per the Identity Theft Resource Center’s (ITRC) report, the total number of reported data breaches increased by 40%, from 781 incidents in 2015 to 980 incidents in 2016. The number of incidents had already reached 1,022 as of September 21, 2017. The total number of records compromised in the financial sector during 2017 was already approaching 2,780,837, up from a mere 71,912 the previous year. This clearly indicates that the financial sector is now a focused target for cybercriminals.

Mobile: Hackers’ Prime Focus

Cybercriminals today are highly skilled and resourceful. They primarily target mobile phone users for data, identity theft, and remote access that can be leveraged for further attacks. The goal of a hacker is to identify logical flaws and weaknesses in the technology that allow unauthorized access, using techniques that target:

1. Binary code analysis
   a. Reverse engineering to understand the binary
   b. Embedded identities and key-generation routines

2. OS exploits and vulnerabilities
   a. Embedding malware
   b. Mobile botnets

3. Network communication
   a. Data being sent to or received from a server

4. Log files
   a. Crash logs, network and system error logs

5. Data storage
   a. Key stores used for encryption
   b. Application file system and databases (SQLite etc.)
   c. Configuration profiles, digital certificates etc.

Major Threats

There are primarily three attack vectors for mobile apps: Network, OS vulnerabilities, and Malware. These are used to launch attacks on larger groups of targets and have far-reaching implications. Today, malware programs are the most commonly used mode for cyberattacks.

Threats on Android

Hiddad is an Android malware that repackages legitimate apps and releases them on third-party stores. Its main function is displaying ads, but it also gains access to key security details built into the OS, which lets an attacker obtain sensitive user data.

HummingBad is another Android malware that establishes a persistent rootkit on the device to install fraudulent applications; with slight modifications it can install a keylogger, steal credentials, and bypass the encrypted email containers used by enterprises.

Ztorg is a Trojan that uses privilege escalation to install applications without the user’s knowledge.

Threats on iOS

AceDeceiver is an iOS malware developed to exploit a design flaw in FairPlay (Apple's DRM system) and install malicious apps on iOS devices without a jailbreak. This "FairPlay Man-In-The-Middle" technique was initially used in 2013 to distribute pirated apps, but has since been turned into a channel for spreading malware.

Pegasus is an iOS spyware that compromises the target device and installs additional software for listening to calls, capturing the camera and microphone, logging keystrokes, and accessing contacts, emails, and messages: a Swiss army knife for hacking. Its sophistication can be judged by the fact that it can disguise itself and even remove itself if it finds the target to be uninteresting.


Few Noteworthy Cases of Mobile Data Breach

Some of the major data breach incidents on mobile are outlined below, providing a glimpse into the extent of compromised security and the underlying threats.

Gooligan is a variant of the “Ghost Push” family of malware that uses the Towelroot and VROOT Android exploits to inject malicious code into Android system processes and gain root access. It is known to affect various versions of Android 4 and 5, which made up 74% of the devices in the market in fall 2016.

The FalseGuide attack started in November 2016 but only became evident in April 2017. It was found embedded in guide applications for popular mobile games, including Pokémon Go, and is known to have affected two million users. Over 600,000 users were tricked into joining an Android botnet that could be used to launch DDoS attacks.

BankBot is a banking Trojan that targeted customers of over 400 banks including Citibank, ING, ABN, Rabobank, ASN, RegioBank, and BinckBank, among others. BankBot was also able to intercept text messages and delete them from the victim’s mobile in order to bypass the SMS-based 2FA implemented by banks. It is reported that BankBot’s code was leaked through an underground forum, and experts fear a spike in the number of mobile attacks based on enhanced versions of the leaked code.

Implications of Data Breach

It is hard to put a dollar figure against any data breach because the loss is more than monetary. It includes associated intangible losses such as reputation, brand value, and customer trust. Experts are of the opinion that less obvious costs, like increased insurance premiums, start showing up a little later.

Case of Sony Data Breach

The Sony data breach included employee login details, e-mails exchanged between employees that revealed their viewpoint on prominent personalities, information about executive salaries in the company, and critical details on company strategy. Two employees also filed a Federal court complaint against Sony Pictures for not taking enough precautions to keep employee data safe. Analysts at Macquarie Research put the estimated cost of the data breach at USD 83 million, but the loss that went unaccounted was Sony's strained relations with the people and businesses it worked with.

Case of Yahoo Data Breach

In the last quarter of 2016, Yahoo reported that over 500 million user accounts had been compromised, a major embarrassment for the company. Following the breach disclosure, Yahoo’s valuation dropped from USD 4.8 billion to USD 4.48 billion in its sale agreement with Verizon.


Mobile App Security: Some Best Practices

Countering cybersecurity threats requires an understanding of vulnerabilities in the current technology and in the ways in which people use that technology. Listed below are some best practices for building secure mobile apps:

Developer Awareness

Mobile developers must be trained and sensitized about implications of an app security breach. They must remain cognizant of security controls like Cryptography, TLS, and Keychain storage.

Secure Data Storage

Sensitive data must be identified and not stored anywhere unless necessary. If it becomes necessary to store sensitive information, it must first be encrypted with a key derived from a password through a slow key-derivation function (PBKDF2, scrypt or Argon2), using a random per-record salt and a secret pepper. The pepper, and any stored password, must live in a different data store (the platform Keychain or Keystore) than the encrypted data itself, so that a copy of the app's files alone is not enough to recover the plaintext.

Secure Communication

Any data exchange over the network must use TLS 1.2 or later, with TLS 1.3 preferred where the platform supports it. When communication is with a known server, a certificate (or public key) pinning check must be implemented on top of normal chain validation, with at least one backup pin so that a key rotation does not lock users out. Additionally, client certificate verification (mutual TLS) can be implemented.
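The pinning check described above, written out as a runnable Go example (added here; it is not code from the original paper). The check is platform-neutral: on Android the same rule is expressed with OkHttp's CertificatePinner or a pin-set in network_security_config.xml, and on iOS in the URLSession authentication-challenge delegate. The host name api.example.com and the self-signed certificates are constructed for the example; a real client takes the server certificate from the TLS handshake and ships pins computed from the production key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the HPKP/OkHttp-style pin for a certificate:
// "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)). Pinning the public key rather
// than the whole certificate survives routine renewals that keep the same key pair.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// NewPinVerifier builds a tls.Config.VerifyPeerCertificate callback. It runs after the
// normal chain validation and additionally requires that at least one presented
// certificate carries a pinned key. Pass a backup pin for the next key as well, or a
// server-side key rotation becomes a client-side outage.
func NewPinVerifier(pins ...string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if allowed[SPKIPin(cert)] {
				return nil
			}
		}
		return errors.New("certificate pinning failure: no presented key matches a known pin")
	}
}

// selfSignedDER mints a throwaway certificate so the example runs offline; it stands in
// for the server's real certificate (constructed test data, not a production key).
func selfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	serverDER, _ := selfSignedDER("api.example.com")
	serverCert, _ := x509.ParseCertificate(serverDER)
	verify := NewPinVerifier(SPKIPin(serverCert))

	fmt.Println("genuine server:", verify([][]byte{serverDER}, nil))

	// An interception proxy presents a different key pair for the same name: chain
	// validation may pass if the user installed its root CA, but pinning still fails.
	mitmDER, _ := selfSignedDER("api.example.com")
	fmt.Println("interception proxy:", verify([][]byte{mitmDER}, nil))
}
```

Install the callback with tls.Config{VerifyPeerCertificate: NewPinVerifier(pins...)} and leave InsecureSkipVerify false, so the standard chain and host-name checks still run before the pin is consulted. Compute the pins from the production certificate's SubjectPublicKeyInfo with the same SPKIPin function, and plan the rotation before shipping: a pinned app that only knows one key cannot be fixed from the server side.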

Robust Authentication

A strong password policy should be enforced. Session authentication tokens should not be persisted in cookies or other durable client-side storage where they leave a digital footprint; hold them in memory or in the platform Keychain/Keystore. They must expire in reasonable timeframes, depending on the use case.

Strong Cryptography

Any data that needs to be stored must be encrypted with a strong authenticated cipher such as AES-256 in GCM mode, using a key derived from the user's password as described above. The password or derived key must itself be kept in Keychain-like storage that is assumed safe, preferably hardware-backed (the iOS Keychain with the Secure Enclave, or the Android Keystore), and never in application preferences or source code.
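The storage scheme described under Secure Data Storage and Strong Cryptography, as a standard-library Go example added here (not the paper's code): a key is derived from the passcode with PBKDF2-HMAC-SHA256 and a random per-record salt that is stored with the data, mixed with a pepper that stands in for a secret kept in the Keychain/Keystore, and AES-256-GCM then protects the record. The passcode, pepper and record contents are constructed sample values. On a real device the preferred approach is to generate the key inside the platform keystore (hardware-backed, non-exportable) rather than deriving it from a password at all; the derivation shown here is for data that must remain recoverable without the device's key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per-record salt, stored with the ciphertext
	iterations = 100_000 // slows offline guessing of the passcode
	keyLen     = 32      // AES-256
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out so the example needs
// only the standard library: T_i = U_1 xor ... xor U_c, with U_1 = PRF(P, S || INT(i)).
func pbkdf2SHA256(password, salt []byte, iters, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	var ctr [4]byte
	for i := uint32(1); len(out) < dkLen; i++ {
		binary.BigEndian.PutUint32(ctr[:], i)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for c := 1; c < iters; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// deriveKey combines the passcode with the pepper (a secret that, on a device, lives in the
// Keychain/Keystore and never beside the data) and the per-record salt. HMAC-ing the
// passcode with the pepper first means salt+ciphertext alone cannot be brute-forced.
func deriveKey(passcode, pepper, salt []byte) []byte {
	mac := hmac.New(sha256.New, pepper)
	mac.Write(passcode)
	return pbkdf2SHA256(mac.Sum(nil), salt, iterations, keyLen)
}

// Seal returns salt || nonce || ciphertext||tag. AES-GCM gives confidentiality and
// integrity; the nonce must be fresh and random for every call.
func Seal(passcode, pepper, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(passcode, pepper, salt))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(blob, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong passcode or pepper, or any change to the blob, fails the
// GCM tag check and returns an error instead of garbage plaintext.
func Open(passcode, pepper, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+12+16 { // salt + GCM nonce + GCM tag
		return nil, errors.New("blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	gcm, err := newGCM(deriveKey(passcode, pepper, salt))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, rest[:ns], rest[ns:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	passcode, pepper := []byte("correct horse"), []byte("pepper-from-keychain") // constructed
	blob, _ := Seal(passcode, pepper, []byte("acct=1234567890;limit=5000"))
	pt, err := Open(passcode, pepper, blob)
	fmt.Printf("right pepper: %q err=%v\n", pt, err)
	_, err = Open(passcode, []byte("wrong"), blob)
	fmt.Println("wrong pepper:", err)
}
```

The blob can be written to the app's sandbox as-is; the salt and nonce are not secret. What must not be next to it is the pepper, and, if the passcode is cached, the passcode: a copy of the sandbox (backup extraction, rooted device, insecure log) then yields only a GCM tag that no offline guess can be checked against without the second store.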

Minimum Privilege Policy

A mobile app must always request the minimum privilege level (runtime permissions) necessary to execute its functions. Higher-level privileges must be relinquished immediately after their use is over.

Secure Coding Practices

All application code review processes must include a checklist for secure coding practices for Android as well as iOS.

Binary Hardening

Third-party tools like Arxan—Application Protection for Mobile—or IBM Security Trusteer Mobile SDK must be considered for binary protection.

Mobile Security Trends

According to Gartner, mobile attacks are increasing and the biggest concern is mobile malware, as a majority of such attacks is attributed to malicious software. Mobile users often visit compromised websites and install apps from sources other than Apple and Google stores. While sensitizing users on information security is important, it is also necessary to implement mobile application security in a way that is both strong and easy to use.

Security vs. Usability

The bulk of mobile apps these days take a deficient approach to information security, offering neither reliable protection nor a usable interface. According to Verizon's 2016 Data Breach Investigations Report, 63% of confirmed breaches involved weak, default or stolen passwords. Passwords are problematic because they can be stolen in scalable attacks such as phishing and credential stuffing. Stronger alternatives like OTPs are safer but inconvenient, and SMS-delivered OTPs can themselves be intercepted by malware such as the BankBot Trojan described above.

The divide between security and UX can be bridged with the mobile device's hardware features, like the fingerprint scanner. This means users must trust the platform vendors, Apple and Google. That is debatable from a privacy perspective: Google's business model monetizes user data, whereas Apple's relies on selling phones rather than data, which allows Apple a better balance of security in its design. The remaining challenge is to carry the assurance of a local biometric check through to authentication with the service provider's backend.

App Security by Design

Mobile apps must have security built into the design early in the development cycle, not bolted on in response to penetration-test findings. Mobile developers should adopt secure coding practices and leverage the recommended approach to deliver trustworthy apps.

The goal of mobile app design for the enterprise must be focused on mitigating the risk of exposing sensitive data through a compromised mobile app. This can be achieved by minimizing the amount of data exposed through the functionality delivered to the user. “Secure yet easy to use” is a crucial ingredient of great mobile apps.

To reduce the risk, designers can list the design choices made in code (protocols, algorithms, data formats) and prepare a security implementation checklist mapped to the identified mobile vulnerabilities.


Code Obfuscation

Code obfuscation tools must be used to prevent reverse engineering.

Security Audit

Code auditors must be employed to help identify hidden backdoors.

Toward a Better Approach to App Security

Based on the analysis of vulnerabilities and threats in mobile, FIDO Alliance specifications (Figure 1) can be used to implement next-generation mobile app security and make apps resilient to scalable cyberattacks. The key paradigm is biometrics-based user verification on the device, combined with public key cryptography for authentication with the mobile backend. The aim is to leverage technologies like the Trusted Execution Environment (TEE) and Secure Element to better safeguard the keys on mobile devices. This eliminates cumbersome passwords that are difficult to enter for users on the move and carry the risk of being stolen.

Figure 1: Key Elements of FIDO Recommendations

- Use biometrics
- Use public key cryptography
- Protect the key with extra security checks
- Discard shared secrets
- No third-party involvement
- Do not use crypto keys across services
- Build trust

Biometric Identification

Considered the best mix of security and convenience, biometric identification uses verifiable biological attributes like fingerprint, face, iris, or voice to authenticate individuals quickly and reliably. It involves a statistical comparison of data derived from a fresh sample against an enrolled template; a match is declared when the similarity score exceeds a tuned threshold, so false accepts and false rejects are traded off rather than eliminated. In the FIDO model the match happens on the device and only unlocks a key; the biometric itself is never sent to the server.

Public Key Cryptography

The problem of passwords being stolen or compromised in a cyberattack can be addressed with a public/private key pair generated on the device at the time of service provider registration. The server stores only the public key, so a breach of its database yields nothing that can be replayed, and a signed challenge cannot be phished the way a password can. Public key cryptography is reliable and defends against the majority of cyberattacks; the exceptions are adversaries able to compromise the device that holds the private key or the implementation itself, which can include state actors like the NSA.

Implementation

The pivot of this approach is the authentication module in the mobile app, which is developed with extra security hardening. Its security-critical code is designed to run within a Trusted Execution Environment (ARM® TrustZone® based TEEs on Android, the Secure Enclave on iOS). The executable binary of the authentication module is cryptographically verified by hardware-backed keys at run time. The authentication module then uses a private key as the token of trust with the mobile backend. This key is generated and kept in hardware-backed storage (a Secure Element or TEE-backed keystore) and cannot be extracted by other apps or by software running on the main operating system.

Note: On Android, hardware-backed keys are available through the standard Android Keystore (TEE-backed, or backed by a StrongBox Secure Element on supported devices since Android 9); running custom code inside the TEE itself requires an OEM SDK such as the Samsung Knox Premium SDK. For iOS, SDK version 9 or above is sufficient. For both iOS and Android, the hardware must support a TEE or Secure Element, and the app should check the key's hardware-backed attestation rather than assume it.

Login Registration

The app must undergo one-time registration with the service provider’s backend by following the steps shown below:
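The registration and login flow of this section, condensed into one runnable Go program as an added illustration (not the paper's steps or FIDO's reference code). The Authenticator stands in for the hardened authentication module: it keeps one ECDSA P-256 private key per service, releases a signature only after a (simulated) biometric check, and binds every signature to the service ID and a server-issued challenge. The Server stores only public keys and consumes each challenge once. The user name alice, the service IDs and the userVerified flag are constructed for the example; production code keeps the key in the Android Keystore or Secure Enclave and follows the FIDO UAF/FIDO2 message formats rather than this simplified digest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the hardened authentication module: one key pair per service,
// generated on the device, private key never exported. On a real device the key lives
// in the Android Keystore / Secure Enclave and its use is gated by biometric
// verification, modelled here by the userVerified flag.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // service ID -> private key
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh key pair scoped to serviceID and returns the public key for
// the server to store. A separate key per service prevents cross-service tracking.
func (a *Authenticator) Register(serviceID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[serviceID] = k
	return &k.PublicKey, nil
}

// Sign asserts possession of the key over a challenge bound to the service ID, so an
// assertion captured for one service cannot be replayed to another.
func (a *Authenticator) Sign(serviceID string, challenge []byte, userVerified bool) ([]byte, error) {
	k, ok := a.keys[serviceID]
	if !ok {
		return nil, errors.New("no credential registered for this service")
	}
	if !userVerified {
		return nil, errors.New("user verification (biometric) failed")
	}
	return ecdsa.SignASN1(rand.Reader, k, assertionDigest(serviceID, challenge))
}

// assertionDigest hashes serviceID and challenge with a separator so they cannot collide.
func assertionDigest(serviceID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(serviceID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Server stores only public keys: a breach of this table yields nothing an attacker can
// log in with, unlike a password database.
type Server struct {
	id         string
	pubKeys    map[string]*ecdsa.PublicKey // user -> registered public key
	challenges map[string][]byte           // user -> outstanding challenge
}

func NewServer(id string) *Server {
	return &Server{id: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce; Verify consumes it, so a captured assertion
// cannot be replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the assertion against the stored public key and the outstanding challenge.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, okKey := s.pubKeys[user]
	c, okCh := s.challenges[user]
	delete(s.challenges, user) // single use, whether or not the check passes
	if !okKey || !okCh {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(s.id, c), sig)
}

func main() {
	auth := NewAuthenticator()
	bank := NewServer("bank.example")
	pub, _ := auth.Register(bank.id) // one-time registration
	bank.Enroll("alice", pub)
	c, _ := bank.Challenge("alice") // every login: challenge, biometric, signature
	sig, _ := auth.Sign(bank.id, c, true)
	fmt.Println("login:", bank.Verify("alice", sig))
	fmt.Println("replayed assertion:", bank.Verify("alice", sig))
}
```

Two properties carry the security argument: the server never holds a reusable secret, and every assertion is bound to a one-time challenge and a service ID, so neither a server breach, a replayed capture, nor a signature obtained by a lookalike service authenticates the user.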


Communication Protection

Information exchange becomes secure when a private key is used for authentication. Mobile apps can establish trust with a known server for better security by following the steps in the accompanying figure.

Data Storage Protection

The mobile app must segregate sensitive data from general data stored locally. Trusted apps can store data locally with confidence by following the steps in the accompanying figure at the time of the initial launch and setup.


The NIIT Technologies Thought Board: Addressing Security Issues in Mobile Applications

What are the key security questions to ask before accessing a mobile app?

- Can the app keep your personal data private?
- Can the data passed into and from the app be trusted?
- Can the app verify an authorized user’s identity to an apt degree of certainty?
- Can the app restrict user privileges properly?
- Can an attacker damage the solution provided by the app in any way?
- Does the app keep a record of events?

What are the causes of security risks for mobile apps?

- Insecure data storage
- No encryption or poor encryption
- Weak authorization and authentication steps
- Insufficient transport layer protection
- Unintended permissions
- Escalated privileges

How can a business fix security vulnerabilities for its mobile apps?

- By solidifying the security of customer data and implementing a superior mobile encryption policy
- By having a strong API security strategy in place
- By testing app software multiple times
- By securing the app’s coding from the ground up
- By securing network connections in the background
- By putting identification, authentication, and authorization measures in place


Endnotes

New Compliance Requirements

In order to keep financial markets resilient to cyberattacks, regulators such as the Bank of England (through CBEST) are prescribing cybersecurity testing standards for software development efforts involving the core of a nation’s financial services sector.

CBEST: Bank of England

CBEST is a framework for performing intelligence-led cybersecurity tests that mimic a real attack, based on vulnerabilities and exploits identified by accredited cyber threat intelligence providers.

CFI: Hong Kong Monetary Authority

Financial institutions are hit more frequently than other industries, and attacks are getting more hostile and unpredictable. For this reason, the HKMA's Cybersecurity Fortification Initiative (CFI) provides a structured assessment framework, including intelligence-led Cyber Attack Simulation Testing, for the institutions at risk. The CFI's scope explicitly covers technologies such as mobile-centred services.

FFIEC Cybersecurity Assessment Tool

With the increasing sophistication of cyberthreats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions determine their cybersecurity maturity. The institution's inherent risk profile is assessed in five categories:

- Technologies and connection types
- Delivery channels
- Online/mobile products and technology services
- Organizational characteristics
- External threats

Mobile Security: Effective Monitoring Holds the Key

The human factor makes cybercrime and data breaches a complicated issue for enterprises worldwide. Most prominent cyberattacks have started with a phishing e-mail, which makes employees the weakest point in the security cover. Higher cybersecurity awareness is needed, because one unintentional click on a suspicious email can wreak havoc on an entire organization.

Simple measures like awareness programs, cybersecurity best practices, and adoption of FIDO Alliance recommendations can help build safe and secure mobile apps, as trust on mobile has become fundamental to user acquisition and retention. With consistently effective monitoring of traffic for mobile apps, enforcing policies as per analysis of usage, and having real-time reporting and remediation methods, enterprises can create more secure mobile app usage environments. At the same time, it is important to accept that cybersecurity incidents can occur, and organizations must have their own incident response plan in order to minimize damages and recover from the situation faster.

About the Author

Abhinav Kumar, Senior Architect, Digital Services in NIIT technologies. He has over 17 years of experience in bringing innovation to real world applications and crafting cutting-edge solutions that create business value. A person with an eye for detail, he is busy micro-architecting solutions to make things work. He remains instrumental in designing applications using Speech Recognition, Natural Language Processing, and Machine Learning.


For more information, contact [email protected]

© 2019 NIIT Technologies. All rights reserved.

NIIT Technologies is a leading global IT solutions organization, enabling its clients to transform at the intersect of unparalleled domain expertise and emerging technologies to achieve real-world business impact. The Company focuses on three key verticals: Banking and financial services, Insurance, Travel and Transportation. This domain strength is combined with leading-edge capabilities in Data & Analytics, Automation, Cloud, and Digital. With over 10,000 employees serving clients across Americas, Europe, Asia, and Australia, NIIT Technologies fosters a culture that promotes innovation and constantly seeks to find new yet simple ways to add value for its clients. Learn more about NIIT Technologies at www.niit-tech.com
