What is a Native/Mobile Application?
A native application is coded in the primary language for its operating system. (For example, Android-native apps are written in Java.) A mobile application is a native application for a mobile OS (which today is usually Android or iOS).
This article will refer to them collectively as “native applications” or “native apps.” (Some native apps are included with an OS or device; these will not be discussed in this article. The discussion below is about separate “add-on” applications.)
Native applications vary widely, from small microapps to networked enterprise suites. Today, most use the Internet to communicate with a backend of some kind. They can be broadly categorized by the type of backend that is required.
Some native apps communicate with backend web servers, in the same way that web browsers do. From a security perspective, these are basically web applications, which have a certain set of requirements. (For more information, see What is Web Application Security.)
However, most native apps communicate with API endpoints. Using an API means that an additional set of challenges must be addressed.
Native Application Security
Some native environments are open source. (The most important example is Android, which is the OS for the majority of mobile devices today.) This means that threat actors can easily build and run attack tools, sniff network traffic, and so on. Even closed-source environments provide a variety of capabilities that are all that is needed to attack an API endpoint.
Unfortunately, many organizations make it easy for attackers. Here at Reblaze, we are sometimes approached by new clients that are not using TLS encryption on their API traffic. Since unencrypted traffic can be read and modified in transit, this is basically an open invitation for threat actors to reverse-engineer and abuse their APIs.
Another common mistake is to rely on an API gateway to provide web security. Gateways offer many benefits, but comprehensive security is not among them. (For more information, see What is an API Gateway?)
In addition to these issues, securing an API presents other challenges. Endpoint traffic can contain the same threats that normal web applications experience, plus some additional, API-specific threats. To make matters worse, some techniques for scrubbing web traffic are not applicable to API security. (For more information, see API Security vs. Traditional Web Security.)
How to Secure API Endpoints
Here are some useful tactics for native application security.
Use a robust WAF. Much of the hostile traffic aimed at API endpoints contains the same kinds of threats that web servers must defend against: vulnerability scans, breach attempts, DDoS assaults, and so on. An effective WAF will block this malicious activity.
Use authentication. Compared to web applications, a native application gives developers more flexibility in how it communicates with the backend. Extensive and robust authentication should be used to verify a client’s identity and permission for backend access. Some web security solutions have built these capabilities into their platforms, and make it straightforward to integrate them into client applications.
Use UEBA. Developing a native application includes the opportunity to define the communication standard between client and endpoint. The most advanced security solutions today provide an SDK which allows a native application to easily stream client events into the solution. In other words, all of the user’s interactions with the application (every click, tap, zoom, scroll, etc.) can be collected and submitted for analysis with UEBA (User and Entity Behavioral Analytics).
A UEBA-based security solution continually collects and analyzes these events. Machine Learning is used to analyze all the ways in which users interact with the application, identifying behavioral patterns for legitimate users. In turn, this allows the solution to identify illegitimate use of the API, because attackers do not conform to the normal patterns. UEBA-based security is powerful, because it identifies and blocks threats (such as zero-day exploits) that previous security approaches cannot.
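To make the idea concrete, here is an added illustration (not Reblaze's SDK or any product's code) of the kind of check a UEBA pipeline can run once a native app streams its UI events alongside its API calls: a baseline is learned from known-good clients, and a client whose API calls arrive without any matching taps or scrolls, or far faster than any legitimate user, is flagged. The client IDs, event kinds and timings are constructed sample data.

```python
from collections import defaultdict

# Constructed event stream as a native-app SDK might submit it:
# (client_id, timestamp_seconds, event_kind, detail). c3 is a scripted
# client that calls the API directly with no UI interaction at all.
EVENTS = [
    ("c1", 0.0, "tap", "login_button"), ("c1", 0.4, "api", "POST /login"),
    ("c1", 3.2, "scroll", "feed"),      ("c1", 3.5, "api", "GET /feed?page=1"),
    ("c1", 9.0, "scroll", "feed"),      ("c1", 9.3, "api", "GET /feed?page=2"),
    ("c2", 0.0, "tap", "login_button"), ("c2", 0.5, "api", "POST /login"),
    ("c2", 5.1, "tap", "profile"),      ("c2", 5.4, "api", "GET /profile"),
    ("c3", 0.0, "api", "POST /login"),  ("c3", 0.1, "api", "GET /feed?page=1"),
    ("c3", 0.2, "api", "GET /feed?page=2"), ("c3", 0.3, "api", "GET /feed?page=3"),
    ("c3", 0.4, "api", "GET /feed?page=4"),
]

UI_KINDS = {"tap", "click", "scroll", "zoom"}

def profile(events):
    """Per-client summary: API call count, UI event count, and the smallest
    gap in seconds between two consecutive API calls (None if fewer than two)."""
    per_client = defaultdict(list)
    for client, ts, kind, _detail in sorted(events, key=lambda e: (e[0], e[1])):
        per_client[client].append((ts, kind))
    summary = {}
    for client, evs in per_client.items():
        api_ts = [ts for ts, kind in evs if kind == "api"]
        gaps = [later - earlier for earlier, later in zip(api_ts, api_ts[1:])]
        summary[client] = {
            "api": len(api_ts),
            "ui": sum(kind in UI_KINDS for _, kind in evs),
            "min_api_gap": min(gaps) if gaps else None,
        }
    return summary

def flag_clients(events, known_good):
    """Learn a baseline from known-good clients (fewest UI events per API call,
    fastest legitimate API cadence) and flag clients far outside it."""
    prof = profile(events)
    good = [prof[c] for c in known_good]
    base_ratio = min(p["ui"] / p["api"] for p in good if p["api"])
    base_gap = min(p["min_api_gap"] for p in good if p["min_api_gap"] is not None)
    flagged = {}
    for client, p in prof.items():
        reasons = []
        if p["api"] and p["ui"] / p["api"] < base_ratio / 2:
            reasons.append("API calls without matching UI interaction")
        if p["min_api_gap"] is not None and p["min_api_gap"] < base_gap / 10:
            reasons.append("API cadence far faster than any legitimate client")
        if reasons:
            flagged[client] = reasons
    return flagged
```

A real deployment would learn the baseline from many sessions and more features (event ordering, device signals, timing distributions), but the principle is the same: a client that does not behave like a human using the app stands out regardless of which requests it sends.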
UEBA is at the forefront of web security today, and only a few solutions provide it. Some provide SDKs specifically for use in native/mobile applications. This provides application developers with an opportunity to leverage some very powerful security capabilities, with minimal effort required.