While we discussed “How A Mobile Security Assessment Can Improve Privacy And Security For Users” in a previous blog, we did not cover the extent of, or the reasons for, the vulnerability of your mobile applications. It turns out that tens of millions of mobile malware detections target mobile apps every quarter, and hundreds of thousands of new mobile malware samples appear quarterly as well.
Mobile Application Security Today
Smartphones are now nearly ubiquitous among employees, and because they almost always have access to corporate networks, they have become a ripe target for cyberthreats. According to a Security Magazine article titled “2020: The Year of Mobile Sneak Attacks?”:
“McAfee found that hidden apps are the most active mobile threat facing consumers, generating nearly 50 percent of all malicious activities in 2019— a 30 percent increase from 2018. Hackers continue to target consumers through channels that they spend the most time on— their devices, as the average person globally is expected to own 15 connected devices by 2030. Hidden apps take advantage of unsuspecting consumers in multiple ways, including taking advantage of consumers using third-party login services or serving unwanted ads.”
The article refers to the recently released Mobile Threat Report 2020 from McAfee, which reported that hackers are using hidden mobile apps, third-party login and counterfeit gaming videos to target consumers. Specifically, the report goes on to mention the following mobile security threats:
- Fake security notifications: LeifAccess is known to be distributed via fraudulent advertising and also found uploaded to Discord, a chat service for gamers.
- Abusing accessibility: leveraging the accessibility features in Android to create accounts, download apps, and post reviews using names and emails configured on the victim’s device.
- Ad fraud and fake reviews: using game and app chats to masquerade as genuine notices, with icons very similar to those of the real apps, while serving unwanted ads and collecting user data.
- App malware: look out for MalBus, which compromises legitimate apps and phishes for Google account credentials.
The report summarizes its findings as follows:
“2020 is looking like the year of mobile sneak attacks. Last year, cybercriminals and nation-states increased their mobile attacks with a wide variety of methods, from backdoors to mining cryptocurrencies. This year, they have expanded the ways of hiding their attacks and frauds, making them increasingly difficult to identify and remove.”
And with over 35 million total mobile malware detections in Q4 of 2019 alone, it stands to reason that you will need a better way to protect your mobile apps.
What To Look For In A Mobile App Security Assessment
Analyzing your apps, services, and APIs through secure code reviews and penetration testing is now a security mandate. Done correctly, an assessment should include:
- RMF (Runtime Manipulation and Forensic Analysis): analyze the mobile device file system for extraneous data leakage that may affect the application and its users; review stored data, including databases and files; examine caches and temporary files; and perform memory analysis to identify any sensitive data that persists in memory.
- Source Code Analysis: review source code against SDLC best practices.
- Third Party assessments: analyze any third-party mobile applications your organization uses.
- Dynamic Application Testing: perform runtime hooking and instrumentation of the mobile application, sniff and fuzz intents, observe application behaviors, intercept and manipulate traffic, and attempt to bypass client-side protections.
- Hybrid Analysis: combines source code review with black box (or dynamic) testing.
- Reverse Engineering: inspect the provided application binary for flaws in compilation and deployment that an attacker could leverage.
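To make the RMF stored-data checks above concrete, here is a small Python scanner added for this post as an illustration; it is not nVisium's assessment tooling. It walks an extracted Android app data directory and flags three classic data-at-rest leaks: credential-like keys in SharedPreferences XML, credential-like columns with data in SQLite databases, and bearer tokens or JWTs left in cache and log files. The directory layout, key-name regexes and the sample "leaky app" it builds under a temp directory are all constructed assumptions for the demonstration.

```python
"""Scan an extracted Android app data directory for sensitive data at rest (example only)."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Heuristics for secrets stored in plaintext. These names and patterns are
# assumptions chosen for this example, not an exhaustive or vendor list.
SECRET_KEY_RE = re.compile(r"(pass(word)?|token|secret|api[_-]?key|session)", re.I)
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def scan_shared_prefs(path):
    """Flag SharedPreferences entries whose key name suggests a credential."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings
    for el in root:
        name = el.get("name", "")
        value = el.text if el.text is not None else el.get("value", "")
        if SECRET_KEY_RE.search(name) and value:
            findings.append((path, f"shared_prefs key '{name}' holds a plaintext value"))
    return findings


def scan_sqlite(path):
    """Flag populated columns in any table whose column name suggests a credential."""
    findings = []
    try:
        con = sqlite3.connect(path)
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f"PRAGMA table_info('{table}')")]
            for col in cols:
                if SECRET_KEY_RE.search(col):
                    n = con.execute(
                        f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" IS NOT NULL').fetchone()[0]
                    if n:
                        findings.append(
                            (path, f"table '{table}' column '{col}' holds {n} plaintext value(s)"))
        con.close()
    except sqlite3.DatabaseError:
        pass
    return findings


def scan_text_file(path):
    """Flag bearer tokens or JWTs left behind in caches, logs and temporary files."""
    findings = []
    try:
        with open(path, "r", errors="ignore") as fh:
            data = fh.read()
    except OSError:
        return findings
    if BEARER_RE.search(data) or JWT_RE.search(data):
        findings.append((path, "cache/temp file contains a bearer token or JWT"))
    return findings


def scan_app_data(root):
    """Walk an app's data directory and dispatch each file to the matching scanner."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if "shared_prefs" in dirpath and fn.endswith(".xml"):
                findings.extend(scan_shared_prefs(full))
            elif fn.endswith(".db"):
                findings.extend(scan_sqlite(full))
            else:
                findings.extend(scan_text_file(full))
    return findings


def build_sample_app_dir():
    """Construct a throwaway data directory that mimics a leaky app (sample data, not a real app)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for sub in ("shared_prefs", "cache", "databases"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "session.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="auth_token">CONSTRUCTED-TOKEN-0123456789</string>\n'
                 '  <boolean name="dark_mode" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE accounts (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'user@example.com', 'hunter2')")
    con.commit()
    con.close()
    with open(os.path.join(root, "cache", "http_log.txt"), "w") as fh:
        fh.write("GET /api/me HTTP/1.1\nAuthorization: Bearer CONSTRUCTEDabcdef0123456789\n")
    with open(os.path.join(root, "cache", "layout.bin"), "w") as fh:
        fh.write("nothing sensitive here\n")
    return root


if __name__ == "__main__":
    for path, msg in scan_app_data(build_sample_app_dir()):
        print(f"[LEAK] {msg}: {path}")
```

Pointed at a real app's data directory pulled from a test device, the same scanner gives a fast first pass before deeper memory analysis; the findings it reports are exactly the stored-data items an RMF review is meant to catch.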
Now that you know what to look for, the last decision is to select a trusted partner to provide you an independent mobile app security assessment.
Mobile Security Assessments Made Easy
Not all mobile app security assessments are created equal, so working with proven and trusted partners is a critical success factor in evaluating and selecting an independent mobile app security assessment.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guide organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT through services, software solutions and R&D unique to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
Let us work with your development and security teams to implement a secure SDLC that encompasses continuous security review and full integration into the development process for your mobile and web apps, ensuring that security and privacy are the end game. Give us a call to better understand how you can more effectively handle mobile and web app security assessments in order to improve privacy and security for your users, or better yet, schedule a consultation today.