As our society increasingly uses mobile devices for financial transactions, information sharing, and social interactions, mobile devices will become an increasingly attractive target to cyber criminals. Metova’s CTO, Dave Lane, has identified three opportunities to safeguard your users’ information that should be taken into consideration when building a mobile application.
Opportunity #1: Application Shielding
In a traditional IT environment, the perimeter of the network is protected from attackers, but everything running within the network is assumed to be safe. “I see many networks implementing the Cadbury Egg design,” says Ken Groombridge, Metova’s resident Global Information Assurance Certification (GIAC) Security Expert (GSE). “Hard on the outside, but soft on the inside.”
Application shielding, also sometimes referred to as runtime application self-protection (RASP)[1], is the concept of having an application environment — or even the application itself — detect and prevent attacks in real-time. While traditional IT environments may not be able to apply this concept to every application or system, mobile applications can make use of application shielding. For instance, many Android applications will prevent users from performing financial transactions if the Android device is rooted. Properly implemented, application shielding will mitigate many of the in-network risks presented by the Cadbury Egg security approach.
This tactic is especially important for mobile applications, as smartphones and tablets can be carried anywhere. A traveling smartphone user may connect to half a dozen wireless networks over the span of a single business trip, any one of which may house eavesdroppers, network-aware malware, or active attackers looking to compromise the mobile devices of passersby. Even trusted networks such as corporate intranets may contain bad actors.
Application shielding encompasses many possible technologies, but its core focus is on detecting and preventing attacks at the application level. Some application shielding implementations may offer generalized capabilities that work across any mobile app. Others may be incredibly specific, understanding the user- or device-specific inputs that should be accepted or rejected by the application.
Opportunity #2: Context-Aware Security
Context-aware security[2] is the practice of improving security decisions in real-time based upon supplemental information provided by the application, user, device, or environment. The benefit of this approach to security is in understanding the intentions and expected behaviors of users. If an application can understand how, when, and where the user typically uses the application, the application can more easily identify suspicious behavior. For example, a user who reviewed their checking account balance from their credit union mobile app in New York is not going to initiate a transfer from Los Angeles ten minutes later. The account transfer would be seen as suspicious activity, as the user can not be in both cities in such a short span of time.
More device-specific information can be used to make even more informed decisions about what application behavior is acceptable. For instance, it should be impossible for the user to modify application settings while another application is being used: while a remote attacker can modify app settings without viewing the app on the screen, a legitimate user can not. Analysis of typical usage patterns, typing speed, order of operations, and awareness of other software running on a mobile device can all be used to make context-aware security decisions and prevent suspicious behavior.
Context-aware security can be applied at the network, device, application, and user levels. This security tactic is best applied in combination with user analytics and business intelligence: in order to be effective, the system must be able to identify expected behaviors and suspicious behaviors, while scoring the actions of end users and would-be attackers in real-time.
Opportunity #3: Proactive Security Measures
Over the past year, many software libraries used across web servers and mobile devices were found to have critical security vulnerabilities[3]. Zero-day exploits — newly announced security vulnerabilities that may or may not yet have a path to mitigation and protection — routinely rocked the IT security world in 2014, with multiple critical vulnerabilities found in the software that runs the majority of websites and mobile web services. These zero-day exploits often include a proof of concept, and “in the wild” exploits can be implemented in a matter of hours.
These exploits require incredibly fast responses in order to properly protect web services and mobile devices across the globe from information leaks and malicious attacks. These zero-day vulnerabilities underscore the need for a more proactive approach to mobile security, including:
- – fully automated or rapid light-touch responses to newly reported common vulnerabilities and exposures (CVEs)
- – dynamic behavior modifications to mobile applications based on security assessments.
Most mobile apps rely heavily upon web services to store and retrieve data, including the transmission of personally identifiable information and financial account details. If any component of the system — be it the mobile app, web servers, web app, or data network — is vulnerable to a reported CVE, the security and integrity of the mobile app and its host mobile device can be compromised. This necessitates the need for a rapid response to CVEs. In an ideal scenario, secure systems will understand the relevance of publicly disclosed CVEs based on the software running on mobile devices and web servers, and automatically mitigate any risk of exploitation.
This automatic or light-touch mitigation response may take many forms, including notifying security/devops personnel of the disclosed CVE, prompting them to take action. Alternatively, the system may update its own software after verifying the security update is safe: this would require the system to test software updates in a replica of the production environment to prevent the introduction of breaking changes to the system. Further, an automated vulnerability mitigation technique could include allowing mobile apps and web services to dynamically modify their own behavior.
Dynamic behavior modification can be made possible through self-modifying code[4], software that can modify its own instructions. While the concept of self-modifying code has been applied in the past to improve performance of executing code, the same concept can be applied to avoiding unsafe code paths. Leveraging lessons learned from context-aware security, a mobile application would be able to determine that a specific screen, button, or code function is unsafe given a mobile user’s environment. For example, a credit union app’s remote deposit capture functionality might be disabled if the application determines that the smartphone is connected to an unsecured public Wi-Fi network.
Conclusions
Mobile devices will become an increasingly attractive target to cyber criminals as they continue to grow in popularity. New comprehensive approaches to mobile security must be undertaken to address the growing threat. Application shielding, context-aware security, and proactive security measures should be implemented to mitigate the security risks associated with our growing dependence upon mobile devices.
[1] Gartner – Runtime Application Self-Protection: http://www.gartner.com/it-glossary/runtime-application-self-protection-rasp
[2] Gartner – Context-Aware Security: http://www.gartner.com/it-glossary/context-aware-security
[3] Top 10 Security Incidents and Vulnerabilities of 2014: http://www.eweek.com/security/slideshows/top-10-security-incidents-and-vulnerabilities-of-2014.html
[4]Wikipedia – Self-modifying code: http://en.wikipedia.org/wiki/Self-modifying_code
For more information about mobile security, you can check out the previous articles in this series, Attack on Mobile Security and Top Four Mobile Security Threats.
Want to secure your mobile applications, mobile devices, and network infrastructure? Contact us!
