This post is from the Arxan blog and has not been updated since the original publish date.
Four application security themes for 2020
The United States was astonished recently when the Iowa Democratic caucuses vote count failed due to a bad app. How could this have possibly happened? Before the caucuses, we were assured: “If there is a challenge, we’ll be ready with a backup and a backup to that backup and a backup to the backup to the backup,” said Troy Price, Iowa Democratic Party Chairman.
The Iowa app experience does give pause, for it’s an embarrassing example of well-meaning executives who green light untested software lacking even the most basic security. The headline from Iowa was how the app didn’t work. As with all business and customer apps and websites, functionality is crucial. However, functionality is just what we see on the surface. As security practitioners, our shared focus is what’s going on under the hood to prevent attacks.
We’ll never know if provocateurs might have skewed electoral results of the Iowa caucuses. But we can consider four security issues that will help protect mobile apps and websites from future attacks.
People: We are all only human
People make mistakes, as shown in Iowa. Software problems begin with errors made by coders. Error rates vary by many factors; 10-20 defects per 1,000 lines of code is a typical average mentioned colloquially. Coding errors are a direct cause of vulnerabilities in mobile apps and websites, which may expose an organization to attack. Project managers must expect coding errors, which is why rigorous ongoing testing is essential – especially for DevOps where change in code is constant. Security protection measures are available to help avert possible compromises due to coding errors.
People also make mistakes while using apps and websites. Verizon says (p. 5) the Careless Worker is a major insider threat. These people “misappropriate resources, break acceptable use policies, mishandle data, installed unauthorized applications and use unapproved workarounds.” Phishing and use of stolen credentials are the leading causes of data breaches, says Verizon (p. 9). Are your coders building controls into apps that help address these types of mistakes?
And speaking of security controls, accountability – or lack thereof – is a big challenge for secure app development. As multi-department collaboration grows in conceiving, developing, and evolving mobile and web apps, who is in charge of security? In a DevOps environment, coders, networking specialists, security professionals and others touch elements of security in different ways.
Who is the decider in your organization?
Things: To watch out for
The list of potential vulnerabilities for mobile apps and websites is endless. Two of the biggest security issues globally facing all organizations today are API exposure and a collective of threat actors called the Magecart Group.
The Application Programming Interface (API) lets the client side of an app more directly interact with the back-end web application and its supporting databases and infrastructure. These APIs enable coders to create apps which dynamically render and react to the user, providing an immersive experience which tailors to the individual. Attackers actively hunt for vulnerabilities in APIs because it is the most direct, low-level method of exfiltrating data programmatically en masse, and can be decoupled from the client side code to be used arbitrarily. Secure, end-to-end apps and websites require monitoring and controls that protect the API.
Is this major threat vector on your radar?
Practices: How what’s “best” may put you at risk
Organizations are swimming in best practices. Published listicles of “shoulds” and “ought to’s” can distort the perception of what really matters in your particular scenario. In working with hundreds of customers, we find two security issues occurring over and over again - all because unprotected code can so easily be reversed engineered. This oversight allows a bad actor to freely explore an apps code to determine how it functions and for any coding missteps like having tokens, keys, or passwords hard-coded in the app.
Code exploration is all about understanding how app code works. The idea is similar to bank robbers who pour over blueprints to discover how to physically break in through a nearby building. A hacker examines code to understand its process flow and identify exploitable vulnerabilities. The code for unprotected apps readily available to download from app stores or websites is easy to explore with free and paid for tools such as IDA Pro, Binary Ninja, and Hopper. They all can very faithfully reproduce the source code from a binary. If you have any secrets in your code, an attacker will find it with one of these tools if it isn't protected. The only way to prevent this kind of code exposure is to apply code protection before an app is made available for public use.
A typical bad practice by developers is hard coding tokens or keys into an app or website. Embedding security credentials into code is meant to simplify log-in processes and remove friction. The practice may be justified if such automatic access is limited in scope and does not expose access to sensitive data. Generally, you should avoid hard coding credentials with all apps and websites used by the public. Remember: if code is public and unprotected, anyone can read the code in clear text – including the key. This means a breach can go entirely undetected because you’ve left the key at the front door.
If you’re tempted to embed credentials, just don’t do it!
Tools: Making it easy to do evil
People who are responsible for securing an organization’s apps and website must not underestimate how easy it is to hack code. Many publicly available tools make it easy to exploit vulnerabilities in code, some of which persist for years despite ongoing news stories of one related breach after another. Here are four examples.
Magisk is a tool that provides root access and a systemless interface, allowing a hacker to alter a system without tampering with the partitions. Magisk can hide modifications from nearly any system integrity verification used in banking apps, corporation monitoring apps, game cheat detections, and even Google’s SafetyNet API. Magisk is an open source Android attack framework with more than 3,900 commits, 100 releases and 140 contributors. That’s a lot of horsepower.
Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers. Oh yes, and hackers, too! The toolkit orchestrates dynamic code and data injection into native apps. The providers of Frida promise: “Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.” It’s one of the easiest tools of it’s kind to use - for better or worse.
Game Guardian is a game hack/alteration tool. The providers say this tool “can modify money, HP, SP, and much more. You can enjoy the fun part of a game without suffering from its unseasonable design.” In 2019 gaming revenue topped $120 billion globally, with a single title collecting $1.8 billion alone. Protecting game integrity is paramount for game studios if they want to maintain their player base and revenue stream.
All of these tools are freely downloadable, relatively simple to use, with ample documentation and supporting communities. In some cases, there have been hundreds of contributors to the open source code of the tools above.
Next step: Taking stock of app and website security
The bravado of Iowa caucuses leaders led to a meltdown of best intentions. Granted, that project had international scrutiny so public condemnation has been swift and harsh. It’s unlikely that most of the apps and websites under your purview have the same level of visibility. However, if an attack compromises security of your assets, the fallout could be proportionally shocking to your enterprise and its reputation. So, as you conceive, create, implement and revise your organization’s apps and websites, be sure to put security inside.
Addressing mobile app and website security is not difficult and is straightforward with solutions from Arxan. We can help your team ensure that the code is functioning faithfully to how it is developed in a way that enables DevOps, without causing delays or meaningfully increasing cycle time. With Arxan, you can protect your mobile apps and websites robustly, with confidence.