Aaron Cure, Author at Tech Cults (https://www.techcults.com/author/aaron/), The Latest Technology Reviews and Updates

Why Are Mobile Apps So Insecure?
https://www.techcults.com/why-are-mobile-apps-so-insecure/
Tue, 23 Jun 2020 17:10:30 +0000

Mobile security is at the top of many companies’ concerns these days, and it is not hard to see why:

Everyone uses mobile apps. So do your employees. Unfortunately, way too many apps have vulnerabilities and flaws that can potentially put data on the phone at risk (as well as the server-side applications and data).

A report by Ponemon found the average cost of a data breach is $3.86 million. This can be an expensive hit to organizations of all sizes (larger organizations frequently have exposures greater than this).

So what are mobile apps most commonly vulnerable to?

Top 9 Vulnerabilities Of Mobile Apps

Here are the top 9 most common vulnerabilities of mobile apps that you should be aware of:

1. Insecure Server-Side Controls

All mobile apps interact with online/remote services. One of the most common mistakes developers make is to trust their own application data. They think that calls to the back end services from the phone are safe and trusted. This is not true.

Attackers have complete access to their own mobile devices and to the application data on them. Protecting the mobile app therefore matters, and API integration widens this risk further; a tool such as Appknox’s API security testing tool can help reduce the chance of an app being hacked.

What does that mean?

That attackers can input malicious data into the mobile application and potentially gain access to backend API services or sensitive controls of the mobile app.

What leads to insecure server-side controls?

There are several root causes including:

  • Insufficient security budget
  • Rush to market
  • Lack of security knowledge
  • Prioritizing easy access to frameworks instead of security
  • Assuming that the mobile OS is completely responsible for maintaining security

To protect your mobile app from attacks due to insecure server-side controls, never trust inputs to a backend API service, even if they come from your application.

Why?

Attackers can easily communicate with the backend and craft malicious data. All data and requests coming from the mobile device should be treated as untrusted, must be validated, and must be sanitized.

2. Insecure Data Storage

Often, developers assume that malware or users will not have access to the sensitive data stored on the client-side or a mobile device’s file system.

However, file systems on mobile devices cannot always be trusted. Jailbreaking or rooting the device can circumvent the platform’s encryption protections, and depending on how data is stored and how that storage is configured, it may be exposed.

Many attacks may originate as a result of insecure data storage, including identity theft, unavailability of data, policy violation (e.g., PCI), loss of data, and in some cases, ransomware attacks.

Valuable data stored on a mobile application can include usernames, passwords, authentication tokens, session IDs, cookies, personal information of the user, debug information, cached data, etc.

To protect your app, avoid storing sensitive data on the phone.

Further, if client-side data storage is required, ensure the data is encrypted using an encryption key that is securely derived from the user’s login credentials. This helps ensure that data stored can only be accessed upon successfully entering the correct credentials.

3. Insufficient Transport Layer Protection

Typically, when a mobile app is created, the app communicates with a server-side application. For example, a bank mobile application will communicate with an application at the bank that processes transactions, receives check images, etc. When this data is exchanged, it will go over a network.

Is it secure?

If the mobile app is designed poorly, attackers could use techniques to view sensitive data while it is traversing in the network. This sensitive data could be passwords, social security numbers, credit card details, and more.

Communication from the app to the server-side app MUST be over TLS (Transport Layer Security). Additionally, the app should pin the certificate to ensure that no one is attempting to intercept and “man-in-the-middle” your communications to the server.

Basically, pinning ensures the mobile app is talking to the correct server application. Additionally, your server applications must be configured to only use the strongest encryption algorithms, protocols, key lengths, and modes of encryption.

4. Poor Authentication And Authorization

Authentication and authorization are two primary security controls that help organizations protect their data and systems.

Weak authentication and authorization can allow an attacker to execute functions within the mobile app that cause data leakage, security breaches, or other severe cyberattacks.

Most mobile apps utilize a single mobile identifier, so that once a mobile device has been registered and authenticated with the back end, the application assumes it doesn’t have to re-authenticate as it is already a trusted device.

However, these identifiers can sometimes be discovered and then used by an attacker to act in the name of the victim whose identifier has been exposed.

How can you prevent attacks due to poor authentication and authorization?

You need to find these issues before the attacker does. Utilize security experts to make sure you have strong authentication and authorization controls. This should be done for standard user privileges and is even more important for privileged users (admins).

You should also implement two-factor or multifactor authentication (2FA/MFA), wherein mobile users have to authenticate with two different factors: something you know (passwords), something you have (security tokens), or something you are (biometrics).

5. Unintended Data Leakage

Mobile apps often lead to unintended data leakage. Attackers leverage mobile apps with weak security controls or security vulnerabilities to gain access to users’ sensitive data such as their personal details, credit card information, social security numbers, passwords, etc.

A common example of unintended data leakage in mobile apps is when users grant access and broad permissions to “riskware” apps to access their data.

Riskware apps are legitimate apps that were not designed for malicious activities, but if attackers exploit them (to modify, edit, delete, copy, or distribute data) they can disrupt the performance of the application.

Other than riskware apps, attackers could also mimic legitimate apps; once a user downloads such an app, it can prompt the user for permission to access their data.

How can you avoid unintended data leakage?

Threat model your OS, frameworks, and platforms to see how they handle the following types of features:

  • Keyboard Press Caching
  • URL Caching
  • Application Backgrounding
  • Analytics sent to third-parties
  • Copy/Paste Buffer Caching

Monitor your default configuration and apply necessary mitigation controls to avoid unintended data leakage.

6. Client-Side Injection

Client-side injection occurs when data inserted into the mobile app leads to one of several types of injection attack, such as SQL injection, XML injection, JavaScript injection, command injection, etc.

Like regular data, malicious data is also processed by the mobile app’s underlying framework. Then, if the framework interprets the data as executable, the malicious code is executed. These inputs are frequently at the API layer communicating with the server-side application.

Typically, this malicious code steals sensitive data such as session cookies, passwords, personally identifiable information, etc. Hence, a client-side injection attack could lead to identity theft, fraud, and privacy violations.

How can you prevent client-side injections?

When designing SQL queries, make sure that data supplied by the user is passed to a parameterized query. A typical sign of vulnerable code is a string format specifier such as “%@” in the query instead of an appropriate parameterized query placeholder such as “?”.

To prevent XSS injection attacks, ensure that all UIWebView calls only execute validated input data. Apply filters for malicious characters, and use a whitelisting process rather than blacklisting before rendering.

In short, validate and encode all untrusted data prior to use.

7. Broken Cryptography

Broken cryptography takes place when developers use weak encryption algorithms or fail to implement strong encryption correctly.

In the first case, developers use insecure algorithms that have shown significant security weaknesses or are no longer adequate for modern security requirements. These include:

  • MD4
  • MD5
  • RC2

Alternatively, developers may use the same encryption key for every purpose, fail to store encryption keys securely, use insecure key lengths, reuse initialization vectors, and so on.

There are many ways that cryptography can be broken. Have a security expert review your code to make sure that you are using encryption safely.

8. Security Decisions via Untrusted Inputs

Often, developers use hidden values and fields or hidden functionalities to differentiate between high-level users and low-level users. Hackers may intercept web service calls and tamper with these sensitive functionalities.

Poor or weak implementation of such hidden fields or functionalities can lead to improper app behavior, granting higher-level privileges to lower-level users or attackers. Attackers can bypass security mechanisms and gain access to users’ personal information and other confidential data on the application.

9. Improper Session Handling

To ensure a smoother workflow and ease-of-access for mobile device users, almost all apps use tokens, which enable users to perform multiple actions without re-authenticating their identity.

Secure apps generate a new token for each session or access attempt and keep it confidential.

What is the impact of improper session handling?

Improper session handling can result in an adversary gaining access to the session tokens and impersonating the user by submitting the token to the backend server for transactions.

Often this occurs when the user has navigated away from the website or the app. Improper session handling could result in information theft, identity theft, fraud, or business interruption.

To protect your users and app from improper session handling attacks, ensure that you create, maintain, and destroy session tokens properly during the lifecycle of a user’s session.

Final Thoughts

Just like web application security, mobile app security is also crucial for businesses. The times when one could overlook the importance of mobile app security are far gone. In today’s highly interconnected world, attackers are constantly looking for ways to attack users and companies by exploiting vulnerabilities. Now that you know the top 9 threats to mobile apps, ensure that you develop a secure mobile application.

The post Why Are Mobile Apps So Insecure? appeared first on Tech Cults.

5 Ways To Secure Your Business From IoT-Related Data Breaches
https://www.techcults.com/5-ways-to-secure-your-business-from-iot-related-data-breaches/
Tue, 09 Jun 2020 19:08:54 +0000

The IoT (Internet of Things) has garnered massive popularity over the past few years. Businesses around the world are leveraging the power of the IoT to put efficient processes in place, enhance asset utilization, increase productivity, and cut costs. However, it should also be assessed what risks are associated with using these devices and how to address these risks.

The Ponemon Institute asked 605 security experts about any data breaches related to IoT devices in their organizations. In 2017, as many as 15% said yes, their organizations had experienced a cyberattack or data breach due to unsecured IoT devices within the past year. That number increased to 21% in 2018, suggesting a rise in IoT-related security breaches.

Irdeto surveyed 700 organizations from different industries and found that 80% of them had experienced IoT-related cyberattacks in the past 12 months. 90% of these attacks resulted in operational downtime and compromised end-user data or security.

These attacks not only question the integrity of IoT devices, but they also put a massive amount of data at risk. The biggest problem with IoT devices is that there is no set standard of security because of their wide, non-standard purposes.

Securing these devices requires securing each of the components that combine to make up the IoT system. These include hardware, sensors, connectors, gateways, and application software.

A typical IoT system needs to be divided into 4 different parts before it can be assessed for threats. These parts have different attack surfaces that need to be addressed to secure the network.

  1. Device – Attack surfaces include memory, firmware, USB ports, web and admin interfaces, etc.
  2. Communication Channels – Attack surfaces typically include Bluetooth and Wi-Fi.
  3. Cloud Interface – Attack surfaces may include poorly encrypted data, default credentials, and weak passwords that are more vulnerable to cyberattacks and security threats.
  4. Application Interface – The security level of these apps is as good as the developer developing them and their focus on security. For instance, a skilled developer may create a poorly secured app if they work in an organization that doesn’t focus on security. A poorly secured app will have numerous attack surfaces.

Even though there are many different attack surfaces, as mentioned above, organizations are continually increasing the use of IoT devices. Healthcare, food production, manufacturing, finance, and energy are some industries IoT has remodeled in the past few years.

For instance, IoT devices have made remote monitoring of patients possible in the healthcare sector, enhancing the potential to keep patients healthy and safe while empowering doctors to deliver superlative care.

Another great example of how the IoT has transformed the way industries work is in industrial manufacturing. IoT has taken intelligent devices and networked sensors and put those technologies to use directly on the manufacturing floor, collecting important data to drive predictive analytics and artificial intelligence.

Given this demand, manufacturers are rolling out new devices at ever shorter intervals. The IoT industry was worth $190 billion in 2018, and it is expected to reach $1102.6 billion by 2026.

This rapid demand keeps developers on their toes to make the devices more and more stable, sometimes at the expense of security.

The more devices there are, the more opportunities for data breaches. And the scope of the risk goes beyond data: compromised IoT devices can be used to enable actual physical attacks.

For example, if there are IoT security cameras in an organization, they can be hacked to get a blueprint of the floor plan to carry out an organized heist.

With such precarious implications, securing IoT devices has become essential for any organization. Every CISO (Chief Information Security Officer) should be aware of the following practices that can help them secure IoT devices on their networks and minimize the possibility of an attack.

1. Compile A List Of IoT Devices

It is essential to know which devices are connected to your network and what their uses are. While all devices need to be secured, you must prioritize the devices that handle the most sensitive information.

During this discovery audit, you may find some devices that shouldn’t be on your network. These could be personal assistants or smartwatches belonging to your employees or partners that were connected to your secure network.

These devices may have had temporary connectivity, but somehow, they received permanent access. To help secure your business from IoT-related data breaches, identify any such devices and remove them from your network or segment them into a different untrusted network.

2. Build A Collective And Secure Network Framework

There are various stakeholders of IoT devices, and any plan to secure these devices will have to be a collective effort.

Business units will have to work together to secure the devices with multi-layered protection to thwart attackers. At a minimum, the security layers will delay an attacker, allowing time for detection and response to a given attack.

It should also be noted that the devices that hold the most sensitive information should be on a separate network altogether. The better you isolate your devices from the rest of the network, the better protected your network will be.

3. Inspect And Prepare Your Vendors

Businesses that provide goods and services to you can also cause security breaches on your network.

For example, the infamous Target data breach happened because their HVAC (heating, ventilation, and air conditioning) subcontractor stored network credentials on their system, which was later compromised due to an IoT-related attack.

Your vendors can put you at risk of an IoT-related data breach, which is why it is essential to have a vendor risk management program.

Many security teams find it difficult to monitor what data their vendors and partners store, and how secure their networks are.

54% of respondents in the Ponemon study said that they are not sure if the IoT security policies of their vendors are enough to stop a breach. 44% said that the complications of IoT devices and the number of vendors/partners make this task even more difficult.

The best way to deal with this problem is to identify and test the security levels of any IoT product you buy for your enterprise.

If you find the security provided by them is sufficient, you can put it in the contract to make sure that they continue to provide the same level of security.

Test their commitment every year, and let them know of any discrepancies related to their network and system security. If they fail to fix it in the stipulated time, you can hold them liable for breach of contract and look for other solutions that are committed to security.

4. Use Certifications And Develop IoT Security Expertise

IoT vendors will go out of their way to tell you how secure their devices are. They may boast about their various certifications but be unable to provide validation because of the complex nature of IoT devices.

Some organizations, like NIST and Underwriters Laboratories (UL), are developing standard certifications for IoT devices. While they may be far from a definitive result, they are working towards the same goal: a standard for IoT devices that will help prevent IoT-related data breaches.

Until these efforts produce a final result, IoT security should become an integral part of your overall efforts at securing your company’s network. The standards set by the manufacturers are not yet enough.

Securing the OS and firmware of IoT devices, and providing API security for third-party integrations, are some of the most critical parts of this process.

5. Carry Out Regular Audits And Drills

Internet-related threats are developing and multiplying every second. The best a CISO can do is to regularly study these threats, and equip all devices with the latest security patches for known threats.

However, these devices are often difficult to patch, so it is recommended to have a patch strategy, or to be able to pull them offline easily, to avoid disrupting the user experience or causing unplanned downtime.

Constant monitoring of IoT devices can also help you detect attacks at an early stage and limit the damage caused.

Cyberattack drills can also help you prepare for the worst-case scenario. Simulate an IoT-related breach through a different form of attack every time to keep your security team prepared. Document every detail, and try to beat your achievements from the previous drill to improve your responsiveness against such attacks.

No Time To Waste

Setting up various forms of security measures, like firewalls, spam filters, two-factor authentication, etc., will be of no use if you leave the IoT back door open.

The time has come for manufacturers to pay equal attention to the security of their devices as to any other part of their business.

At present, IoT security may feel like a completely unorganized area, and that is partially true. The more time companies waste, the more data breaches will happen because of IoT devices.

Standards for IoT security need to be set so that organizations can continue to use these devices without hesitation.

The post 5 Ways To Secure Your Business From IoT-Related Data Breaches appeared first on Tech Cults.
