Many security experts recommend multifactor authentication (MFA) to prevent unauthorized access to protected accounts. It's a key security measure for mobile apps, but it's not a silver bullet. Hackers are getting better at defeating second- and third-layer security protections like MFA.
For example, the Iranian hacker group Rampant Kitten targeted Iranian dissidents using malware deposited in the victim's Telegram messaging app, whose MFA was bypassed using previously intercepted SMS codes.
Then there's Cerberus, a Trojan that abuses Android accessibility features like "developer options" and "enable unknown sources" to escalate privileges, enable remote access, and update malware on target systems. Hackers reverse-engineered Google's authentication flow and extracted two-factor authentication credentials from mobile apps to mimic and bypass Google Authenticator.
Plus, earlier this year we saw the emergence of the Eventbot malware, which targets mobile banking apps and often masquerades as a well-known app (like Microsoft or Adobe). It can intercept SMS messages to obtain MFA codes for account takeovers and data theft. Newer and more sophisticated variants continue to pop up thanks to auto-update capabilities.
And these are just a few well-known cases. Hackers bypass MFA all the time, often using the following common techniques to attack mobile apps.
Reverse Engineering & Tampering
Hackers use static and dynamic analysis to understand how apps work and to alter apps in many ways. They use debuggers and emulators to observe how apps function in simulated environments. They use disassemblers and decompilers to obtain source code and understand how it executes. For everything a hacker wants to do, there are five or 10 tools to do it, all freely available.
With the information these tools provide, hackers figure out where apps' weaknesses are and then craft attacks to exploit those weaknesses. For example, using tools like Ghidra, IDA, and others, hackers can execute a class dump and show all third-party libraries in any app. Then they search public data sources (such as MITRE) to find all the bugs and vulnerabilities in those libraries so they can craft an attack that exploits them. And they enhance their attacks by blending attack techniques. The more they know about the app, the more damage they can do.
Transport Layer Attacks and Social Engineering
Hackers alter digital certificates and use them in phishing and man-in-the-middle (MitM) attacks. For example, let's say an attacker intercepts a mobile banking session using an altered certificate to establish connections on both sides (that is, the hacker sits "in the middle" of the user and the bank). Both the bank's server and the mobile user think they are talking to a trusted entity because the certificate appears real, as it's the digital equivalent of a "fake ID."
To appear even more legitimate, hackers often insert a screen overlay, which is a fake copy of the website to which the user thinks he or she is connecting. Then they record the user's keystrokes to intercept the data or trick the user into revealing info to them. That's one of the methods used in the Rampant Kitten example above to get victims to install the malware.
Data Extraction & Credential Theft
Hackers search for unencrypted data stored in many different locations in a mobile app, such as the app sandbox, clipboard, preferences, resources, and strings. Mobile apps also store authentication tokens, cookies, and user credentials in shared storage areas. Hackers can extract this data easily, especially if it's not encrypted or obfuscated.
Recommendations for Mobile App Developers
Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.
● Harden apps with anti-tampering, anti-reversing, checksum validation, and jailbreak/root prevention. Build in protection against the common tools that hackers use to study, simulate, and learn about your app and all its components.
● Obfuscate your code for both native and non-native apps, including third-party libraries and your code's logic. This prevents reverse engineering.
● Encrypt sensitive data everywhere it exists. The sandbox is not the only place where data lives. Encrypt strings, data in app preferences, resources, API keys, and secrets. And never leave sensitive data or artifacts in the clear.
● Protect data in transit: Implement certificate pinning and certificate or certificate authority validation to protect against MitM attacks, phishing, and altered certificates.
● Consider "in-app" MFA: Developers can strengthen MFA with biometric security by leveraging in-app FaceID/TouchID on a per-app basis. That way, even if the device PIN code or the MFA solution is compromised, the app is still safe.
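As an added Android illustration of the "protect data in transit" and "encrypt sensitive data" recommendations (example code written for this piece, not from the original article or any vendor), the block below pins the API server's public key with OkHttp's CertificatePinner and moves the auth token out of plain SharedPreferences into Jetpack Security's EncryptedSharedPreferences. The host name and the two SPKI pin values are placeholders and must be replaced with your own.

```kotlin
// Added example (not from the original article). Assumes the okhttp3 and
// androidx.security:security-crypto dependencies; host and pins are placeholders.
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// Placeholder host and pins. A pin is "sha256/" + base64(SHA-256 of the server
// certificate's SubjectPublicKeyInfo). Pin the current key AND a backup key so
// that a planned key rotation does not lock every installed app out of the API.
private const val API_HOST = "api.example.com"
private const val PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val PIN_BACKUP = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

/**
 * HTTP client that rejects any TLS chain for API_HOST that does not contain one of
 * the pinned public keys, even if the chain is signed by a CA the device trusts.
 * This is what defeats the altered-certificate MitM described above: a "fake ID"
 * that the system trust store would accept still fails the pin check.
 */
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PIN_CURRENT)
        .add(API_HOST, PIN_BACKUP)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}

/**
 * Token/credential store whose keys and values are encrypted with an AES-256 key
 * held in the Android Keystore. Unlike plain SharedPreferences, the XML file on
 * disk no longer yields the session token in the clear to someone with root or a
 * device backup.
 */
fun secureTokenStore(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "auth_prefs",                 // file name; contents are ciphertext
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}
```

With the placeholder pins every connection to API_HOST fails closed, which is the intended behaviour until the real pins are filled in; OkHttp's exception message on that first failure lists the chain's actual SPKI hashes in the expected format.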
Solid security requires a layered defense. MFA is far stronger than a traditional username/password model for authentication, and I encourage its use. But it's insufficient by itself, and lack of app/data protection can actually lead to MFA compromise.