August 22, 2017

In Defense of the Mobile App

When the first iPhone was released in 2007, Apple hedged its bets by delivering a core set of mobile apps, but also arguably the first fully capable browser on a mobile device. In fact, it wasn’t until a full year later that Apple rolled out the App Store to enable content creators to customize content delivery and user experience for the iOS platform. While mobile browsing traffic sky rocketed, the app paradigm started becoming the preferred interaction model for users. Since the iPhone set the bar, Android followed its example. Similar to how organizations rushed to establish their first Websites back in the late 1990s, many rushed to launch their mobile apps. This trend now has become almost irreversible.

In Defense Of The Mobile App
In Defense Of The Mobile App

Statistics now show that while mobile browsing is still prevalent, mobile apps capture a lion’s share of their attention. If we take a closer look at how we use our smartphones and more recently our tablets, it becomes quite apparent that mobile apps deliver the best user experience. On smartphones, we tend to engage in bursts of activity that are highly topical for that context and while there is more exploration done when using tablets, the interactions are still more highly task oriented than when we use our Web browsers on PCs. Browsing behavior is now taking place on app stores but content interactions and transactions are increasingly occurring over mobile apps.

Given the growing significance of the mobile app, the question is – how do we become well versed in defending them? But before we get into that we must first explore the uniqueness of mobile apps that will influence our approach to their security.

Mobile apps, having emerged during the height of the age old debate between thick client applications and Web/thin client applications, now essentially provide developers a choice to employ the best suited technologies for their use case – Web or native – and still deliver a proven user experience. While there are definitely tradeoffs, mobile platforms support an ever improving Web browser engine that affords developers the flexibility to employ a mix of Web and native capabilities when developing their apps. For native functionality, mobile platforms have introduced relatively new APIs to the scrutiny of developers and hackers alike. The dramatic growth of the mobile app market has attracted new sets of developers with various backgrounds and not necessarily as deeply trained in security as system developers. As demand continues to grow, a skills shortage of highly qualified developers is emerging which impacts the economics of building and maintaining mobile apps forcing enterprises to look beyond their organizations for talent or finished capabilities. Additionally, increasing market pressures has compressed mobile app development cycles.

Mobile operating systems are actually very well designed from a security perspective with their sandboxing model. So assuming the platform is not compromised by either being jailbroken or rooted the traditional concept of viruses does not really apply for mobile devices. However, the growing risk is from malicious logic and/or data injection into a vulnerable app causing the app to become rogue. To give an example, consider an app that scans a QR code and provides some valuable contextually relevant content. These types of apps exhibit business value potential in retail and other solutions. If a malicious QR code is provided as input and without the appropriate controls in the app, the result could be a modification of the app’s behavior during that interaction or be more permanent. Another pervading threat is the classic man-in-the-middle attack where communication from the app on the device to back-end APIs is intercepted to either capture private information or deliver malicious payloads. Other threats to mobile app data come in the form of malicious apps or malicious users with physical possession of the mobile device. They can exploit broken cryptography or basic omission of encryption in an app to extract data stored by the app. Malicious users may also hijack identities to perform unauthorized interactions.

The highlighted security risks for mobile apps exist on all the major mobile platforms, though we observe it occurring with greater frequency on the some more than others. It should be noted that even platforms that have a better market perception of their security due to the vetting process they employ on apps contributed to their app stores do not guarantee that the apps submitted are invulnerable just that at the point of submission those apps do not have malicious intent for the platform. A few lessons to be gleaned from current practices include having a single dedicated channel for app distribution. This prevents malicious apps masquerading as the original to be inadvertently used by unsuspecting users. Another best practice is the rapid delivery of updates when new vulnerabilities are identified. If patches for vulnerabilities are available but distribution and application of those patches have to go through intermediaries that increase response time, keeping apps exposed for much longer. Observe that here we are centering our discussion on vulnerabilities rather than exploits or attacks. This is done consciously since for any single vulnerability there may exist multiple exploits or attacks. The traditional approach to security has been to develop counter measures for each known exploit or attack but this defensive model is untenable. Firstly, the evolving trend is for more targeted attacks which will make it difficult to recognize specific attacks and secondly, the sheer number of possible exploits and attacks may overwhelm resources necessary to counter them all. Rather focusing on shoring up known vulnerabilities and maintaining vigilance on new vulnerabilities shrinks the problem space.

With an understanding of the uniqueness of mobile apps and the risks they face we can begin documenting some necessary steps to defending them. One of the top recommendations is vulnerability analysis of the mobile apps that are developed. It provides some significant return on investment for a number of reasons. To begin with, it highlights to developers parts of their code where they may be introducing vulnerabilities, providing value in both education and risk mitigation. Detection of vulnerabilities during the test phase significantly reduces the cost of making fixes later in the app lifecycle. Additionally, vulnerability testing can build upon on all the insights gained from experience with web applications and add knowledge of new platform APIs. However, choosing the appropriate tools for vulnerability analysis is essential. Overly simplified tools may identify too many false positives wasting developer productivity and making security fixes infeasible given the short development cycles. Suggestion is to select tools that perform full trace analysis by incorporating vulnerability research on available APIs. The next mobile app security recommendation is a robust mobile app platform that provides a consistent app infrastructure for all the apps developed by the organization. This allows an organization to harden assets that can be reused by multiple apps reducing the logic that needs to be vetted for each new app. A mobile app platform should provide mechanisms for validating that apps built on the platform have not been modified or gone rogue and provide a contingency process for either disabling apps or delivering direct updates. It should also provide developers with solidified tools to seamlessly incorporate security during the development process, for example such as data encryption. While vulnerability testing and a mobile app platform can significantly improve the security posture of mobile apps they are not silver bullets.

Security always requires a layered approach. A context aware mobile user security solution that can authenticate and authorize users and interactions is a core necessity. This further simplifies apps since they can offload this security element to a dedicated infrastructure. Policies can be instituted to govern access to the app and its resources based on risk assessments of the context, which can include location, state of the device, other apps, network and even time. Mobile app security can be complemented by mobile device management solutions to help detect jailbroken and rooted devices as well providing the dedicated infrastructure to deliver apps. Mobile security intelligence can help organizations that require it to maintain visibility and vigilance on mobile interactions to analyze security events so they can detect fraud or other malicious activity.

About Vijay Dheap 1 Article
Vijay Dheap, an IBM Master Inventor, currently leads Mobile Security Solutions for IBM. He started off his career as a researcher in the field of Pervasive Computing, and then evolved his technical expertise as a developer on IBM