Are you currently experiencing an attack?

Are you currently experiencing an attack?

How Hackers Attack Your Mobile Apps, Part 1: Compromised Devices

As mobile devices have become more popular, many organizations are publishing dedicated mobile apps (native applications for phones and tablets). While these apps create many opportunities for the organization—such as more revenue, a more customized user experience, and so on—they also create more opportunities for hackers. 

Once a mobile app achieves a significant user base, malicious actors have a variety of potential threat vectors to exploit. Broadly speaking, there are three categories of these:

  • Client-device exploits: threat vectors made possible when the client device is compromised.
  • Network-level attacks: malicious activities targeting the communication between the device and backend endpoint.
  • API endpoint attacks: hostile actions taken directly against the backend endpoint that mobile devices communicate with. 

In this three-article series, we’ll examine each of these categories. We’ll discuss the various vulnerabilities contained in each one, and the strategies and tools to defend against them. 

Here in Part 1, we’ll discuss threats against client devices.

What Are Device-Level Attacks?

Device-level attacks are hostile actions directed against physical devices connected to the Internet. In this article, we’re focusing specifically on mobile devices such as phones and tablets. 

When a client device is running your mobile app, hackers can attempt different types of attacks  depending on their goals. In some cases, they will attempt to gain access to your network. In others, their target is sensitive information stored within the device itself. 

Here are several types of vulnerabilities they can try to exploit.

Improper Platform Usage

Such vulnerabilities commonly arise when entities fail to use certain security controls (such as API security), or misuse certain features that are relied upon by the application.

Most modern mobile development frameworks are bundled with security features and best practices that developers should use in their applications. Sometimes developers choose to ignore or misconfigure these features, which can result in vulnerable entry points. Common security features that are recommended for mobile development include platform permissions, Android intents, the iOS Keychain, and touch/faceID.

The technical and business impacts of improper platform usage are severe since hackers can escalate such vulnerabilities to penetrate deeper into the system, and attempt stack-wide attacks.

Vulnerable Binaries

Threat actors are often keenly interested in the structure and operation of the apps they attack. The richest source of insights is the source code of the app itself. Although the original code is usually not available, hackers can still reverse-engineer it with disassemblers, decompilers, and other sophisticated tools. Such scanning tools also help attackers identify the nomenclature of methods and classes used in developing the application, allowing them to clone, inject, or extract sensitive information from the code.

With this accomplished, hackers can create replica applications, or modify the original binaries. In either case, the application stack’s integrity is compromised.

Insecure Data Storage

Most developers tend to assume that enabling client-side storage of files is relatively safe because it restricts other entities from accessing data. For mobile devices, this is not true; sometimes, attackers can physically obtain the device and circumvent security protections. The device can further be exploited with tools that can extract usernames, passwords, authorization tokens, cookies, location data, credit card data, and private API calls. 

Access to such sensitive data is obviously a windfall for attackers, making them highly motivated to obtain it. 

Security Decisions via Untrusted Inputs

Certain applications use the existence or values of an input to implement a protection mechanism. For example, hidden form fields, environmental variables, and cookies are often used for this purpose. Worse, they are often used despite being untrusted, and lacking sufficient integrity checking or encryption to validate them. 

Attackers who notice that this is occurring can take advantage of it. For example, they might modify untrusted input variables to bypass security checks such as authentication and authorization. The impact of this can vary depending on the system affected; it can lead to sensitive data exposure, execution of arbitrary code, or denial of service.

Rooted Android or Jailbroken iOS Devices

Mobile devices with modified operating systems are susceptible to being exploited. Sometimes, users will alter root access settings to enable an OS modification or run certain specific actions. These configuration changes can allow certain processes to assume absolute system control. Attack vectors leverage such compromised processes to install corrupted applications and escalate privileges for deeper penetration. 

With rooted/jailbroken devices, attackers can often bypass security mechanisms. These could allow them to wage attacks such as:

  • Code injection using compromised devices to target backends/APIs
  • Installing spyware on client devices to try and gain access to application servers
  • Gaining access to encryption keys

Extraneous Functionality

Often during coding, developers include hidden capabilities that are intended for the development/testing phases, and should be discarded for live instances. If these modules are included in production environments, hackers could use them in unintended ways. 

The severity of these attacks depends on the capabilities that were inadvertently included. Unfortunately, because these features are usually intended to facilitate development, they tend to be quite powerful, such as having high inherent levels of permissions/privileges, or even the ability to bypass authentication and authorization mechanisms completely. Therefore, these attacks can be very damaging, potentially exposing sensitive processes and data.

Best Practices to Defend Against Device-Level Attacks 

While recommended practices vary for different use cases, here are some commonly recommended practices to reduce the risk of attacks targeting your user’s mobile devices.

Enable Strong Caching Mechanisms

Although caching simplifies the user experience, it is known to expose sensitive data to malicious actors. When developing an application, developers should document the way the OS caches logs, buffers, and media. It is also recommended that you document the caching behavior of your development, social, ad, and analytic frameworks. Security teams should perform simulated tests to discern how the OS and frameworks handle cached data by default, then apply mitigation controls for sensitive data exposed in the cache.

Publish Updates as Needed

Mobile frameworks offer the ability to issue patches and updated versions to users. It can be tempting to focus on enhancing features and functionality, while paying less attention to security issues. Developers should resist this tendency, and diligently monitor changes in the threat landscape. As new security issues arise, updates and patches should be rolled out to mitigate emerging vulnerabilities. 

Rotate Session Cookies

Stored cookies can be used to wage session attacks, where the attacker accesses the user’s previous session and assumes their identity. Developers should implement non-persistent cookies and other techniques that will invalidate user sessions and prevent session hijacking.

Enable Server-Side Validation for Session Tokens

Since tokens don’t store session-based data that hackers can manipulate, they prevent session fixation and CSRF attacks on mobile endpoints. Tokens stored on the client side can be used across multiple servers to perform authentication for a combination of services. As a best practice, access tokens should only be validated by the server/API for which they are intended. 

Runtime Protection Measures

Actors with control of the client device can access the application’s binaries and modify them, compromising the application stack’s integrity. Developers should take steps to prevent reverse engineering and code tampering with techniques such as code obfuscation and binary protections. Some obfuscation techniques include altering code structure, removing metadata, encrypting data structures, and transforming logical expressions.

Although it is impossible to fully prevent threat actors from attempting to reverse engineer or modify the application’s binaries, it is possible to hinder their efforts and make it more difficult for them to succeed. 

Implement Appropriate Input Validation

Applications are built to accept input from users, so it is important to thoroughly test entered inputs to ensure they do not contain code or other content that can affect the application’s response. Validation can help to ensure that the application only accepts predefined formats through input forms and related fields.

Perform Periodic Manual Code Reviews

Although writing secure code is paramount, administering security is a continuous process. It is critical to regularly audit the application’s components and code to ensure security best practices, compliance, and frameworks are being followed. While automation helps rapidly test flaws, manual audits can expose vulnerabilities that were either missed or incorrectly assessed by automated scanning tools. Manual reviews also enable testers to closely examine data paths within the application through which unvalidated input is entered.

Tools and Techniques to Prevent Device-Level Attacks

Access Control

Mobile applications should include up-to-date access control mechanisms to safely determine who gets to view, modify, or delete application services. As the first line of defense, access control measures include multi-factor authentication, enforcement of strong passwords, and biometric logins.

Application Hardening

Applications are sometimes published with vulnerabilities and security gaps that were overlooked during development. Application security testing tools can prevent this by automatically scanning the application code and configuration environment for security weaknesses and vulnerabilities. These include static and dynamic testing (SAST, DAST) tools, runtime application self-protection (RASP) tools, and software composition analysis (SCA) tools. Manual code reviews can also help avoid the creation of vulnerabilities in the first place, and periodic audits of application code and components can help to ensure that security best practices, compliance, and frameworks are being followed. 

IPS/IDS (Intrusion Prevention and Detection Systems)

As a final (but crucially important) line of defense, intrusion detection and prevention systems can intercept attacks and block abusive traffic coming from compromised client devices. For mobile app traffic, this is usually a WAF or cloud WAF system that includes API security. A robust cloud security solution can process incoming requests, block attacks while displaying traffic data in real time, analyze user behavior to improve threat detection, adapt to new threats with machine learning, and so on. 

Conclusion

With a swift rise in mobile computing, the challenges around security cannot be ignored. As most users carry sensitive data on their devices, malicious actors have created mechanisms to exploit vulnerabilities and compromise these systems in order to exfiltrate data.

In this article, we discussed mobile apps, and how organizations which publish them must assume that their apps will sometimes be used on compromised devices. This means that appropriate steps must be taken to ensure that hackers can’t leverage these situations to cause additional harm. 

In Part 2 of this series, we’ll discuss how attackers can target networks and communications between client devices and the backend, and some best practices for securing potential vulnerabilities.

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.