When it comes to mobile application vulnerabilities, security professionals often think about zero-day attacks or attempts to access sensitive data. These are very real threats, but you must also consider more nuanced attacks, like reverse engineering and hooking. These attacks take advantage of the industry's too-narrow understanding of mobile or client-side security, which often extends to device infrastructure and no further.
Instagram found this out the hard way in 2022 when Alessandro Paluzzi, a developer well-known for reverse engineering mobile apps, spotted an unreleased feature similar to the popular BeReal app. By identifying the feature in the mobile app's code, Paluzzi was unhindered by any device-level protections.
Mobile apps present a unique security challenge because many of their processes and code are executed on the user's device, making them more susceptible to analysis and tampering. Security professionals must expand their understanding of client-side security to protect mobile apps from today's sophisticated threats.
Impact of a Compromised Mobile App
There are many ways a compromised mobile app could negatively impact a business, including:
- Stolen intellectual property and lost competitive advantage
- Damage to brand and consumer trust
- Revenue loss due to modified versions of the app uploaded to third-party stores
- Fines for regulatory violations
Consider the Peloton rower product leak. In 2021, 9to5Google confirmed an unreleased Peloton rowing machine based on details found in its Android app. This leak likely undermined planned marketing efforts, called Peloton's app security into question, and gave competitors a chance to beat it to market.
Three Client-Side Security Myths
Unfortunately, the industry is plagued with misconceptions that hinder comprehensive mobile app security. Here are the three we see most often.
1. All Sensitive Data Is Protected
Myth: All sensitive data stays on the server side, so I'm confident it's encrypted and protected. Since I don't store any sensitive data on the user's mobile device, I don't need additional protection.
Counterpoint: It's often true that very little sensitive data is stored on the app user's device, but that doesn't mean it's secure. While the application is running, its processes, code, and communications with the server are exposed on the device.
Without additional protections, an attacker can gain insight into:
- How the app communicates with the server
- Where it does encryption
- How it handles authorization
- Where it captures sensitive information
2. User-Based Threats Are Beyond My Control
Myth: I have no control over the app user's device or how they use it, so there's nothing I can do to prevent malware or phishing attacks anyway.
Counterpoint: You may not be able to protect against malware attacks, but you can protect your app against other threats. When portions of the code and strings are left unobfuscated, or comments are left in the code as metadata, they serve as jumping-off points for reverse engineering and hooking. They can be used to gain insight into "secrets" hidden within the code and enable unauthorized exposure, stolen intellectual property, brand damage, or other harm.
3. The Operating System Will Protect Me
Myth: I've done my part by keeping all components used within my mobile app up to date, so I can rely on the security of the operating system (OS).
Counterpoint: The OS's primary concern isn't the security of any mobile app, but rather the security of the device itself. For example, a Symantec study found 1,822 iOS apps with exposed AWS access tokens allowing access to private AWS cloud services. iOS protections did nothing to flag this vulnerability or secure it. Always assume an app is running in a hostile environment and prepare accordingly.
How to Improve Client-Side Security
By the time your mobile application is released, your company has spent countless hours developing exciting new features to delight your target market. To protect this investment, you must implement a comprehensive mobile app security strategy.
Use these recommendations to get started.
- Lean on security standards and frameworks, like OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG), to guide your mobile app security strategy.
- Integrate security into every stage of the DevSecOps life cycle, rather than making it a last-minute step just before release.
- Implement powerful app-level protection mechanisms that include code hardening and Runtime Application Self-Protection (RASP) checks. Not all solutions are created equal, so it's important to make sure the protection solutions you're evaluating provide the necessary level of security.
- Prioritize security testing to catch common vulnerabilities earlier in the development process. Ideally, choose a testing solution designed for mobile applications and based on OWASP and other industry standards.
- Use ongoing threat monitoring to identify suspicious activity, fraud, or cheating, and continuously refine your security strategy.
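The exposed AWS tokens described under the third myth, and the recommendation above to catch common vulnerabilities earlier with security testing, come together in one concrete pre-release check: scanning the strings inside an app bundle for material that should never ship client-side. The following is an added example, not code from this post or from any Guardsquare product. It assumes the bundle is a zip container (APKs and IPAs are), approximates running `strings` over each member by decoding it leniently, and uses the AWS-documented access key ID format (AKIA or ASIA followed by 16 uppercase alphanumerics); the remaining patterns are heuristics, and the sample input is constructed here, using the placeholder key AWS itself uses in its documentation.

```python
"""Pre-release scan for secrets and developer residue in mobile app artifacts.

Added example (not the post's or Guardsquare's code). Flags cloud credentials,
private keys, and leftover developer comments in strings extracted from an app
bundle, so they can be removed before the build reaches an app store.
"""
import re
import zipfile
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[int, str, str]  # (line number, finding kind, redacted evidence)

# Ordered so that findings for a single line come out in a stable order.
# The AWS access key ID format is documented by AWS; the rest are heuristics.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("leftover_dev_comment", re.compile(r"\b(?:TODO|FIXME|HACK|XXX)\b")),
]

# Constructed sample of strings as they might be extracted from an app bundle.
# The key below is the placeholder AWS uses in its own docs, not a live credential.
SAMPLE_STRINGS = [
    "api_base_url=https://api.example.com/v1",
    "# TODO: remove before release",
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    "welcome_message=Hello",
    "signing_key=-----BEGIN RSA PRIVATE KEY-----",
]


def redact(value: str) -> str:
    """Keep just enough of a match to triage it; never echo a full secret into a report."""
    if len(value) <= 8:
        return value
    return f"{value[:4]}...({len(value)} chars)"


def scan_strings(lines: Iterable[str]) -> List[Finding]:
    """Run every pattern over every line and return redacted findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


def scan_archive(path: str) -> Dict[str, List[Finding]]:
    """Scan every member of an APK/IPA (both are zip files).

    Binary members such as classes.dex are decoded with errors ignored, which is
    a crude stand-in for the `strings` utility: printable runs survive intact.
    """
    report: Dict[str, List[Finding]] = {}
    with zipfile.ZipFile(path) as archive:
        for member in archive.namelist():
            text = archive.read(member).decode("utf-8", errors="ignore")
            hits = scan_strings(text.splitlines())
            if hits:
                report[member] = hits
    return report


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # path to an .apk or .ipa
        for member, hits in scan_archive(sys.argv[1]).items():
            for lineno, kind, evidence in hits:
                print(f"{member}:{lineno}: {kind}: {evidence}")
    else:  # no argument: demonstrate on the constructed sample
        for lineno, kind, evidence in scan_strings(SAMPLE_STRINGS):
            print(f"sample:{lineno}: {kind}: {evidence}")
```

Run with no argument to see the three findings on the constructed sample, or pass a build artifact to scan it in a CI step that fails the pipeline on any hit. Redaction matters in that context: the scan report is itself an artifact that gets stored and shared, so it should never contain the full credential it just found.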
Security professionals must dial in on client-side mobile app security or risk malicious actors analyzing, tampering with, and reverse engineering their application's code.
A comprehensive mobile app security strategy — including protection, testing, and monitoring processes and tools — is the only thing that can stand between your application and the threat actors attempting to inspect its code.
For more tips on strengthening the foundations of your mobile app security strategy, check out Embrace the Mobile App Trifecta.
About the Author
Jija Bhattacharya is a member of Guardsquare's Product Marketing team responsible for the company's DexGuard and iXGuard mobile application protection products. She has held different positions as a developer, product owner, and product marketing manager for different B2B cloud-based products, working for companies driving digital transformation in different industries. Jija has a Bachelor of Electrical Engineering from VTU India and a master's in communication from Vrije Universiteit Brussels.