November 12, 2019

    3 Questions That Can be Answered with App Threat Analytics

    Many organizations (wrongly) assume that their mobile apps are protected against security threats if they make the cut for the Google Play or iOS App Store. Unfortunately, that misperception can put an organization’s valuable data at risk if apps aren’t properly protected. Fortunately, the right app threat analytics, combined with both static and dynamic code protection, can help prevent potential compromises. Here are three key security questions about your iOS and Android apps that app threat analytics can answer, and how to address them:

    How are attackers trying to compromise my app or data?

    In today’s world of rampant data breaches, a mobile app compromise may not be a question of “if” but “when”. According to Verizon’s Mobile Security Index 2019, more than 80 percent of organizations said they are at risk from mobile security threats, and 69 percent said those risks increased in the last year. Considering that mobile apps contain just as much valuable data as web and desktop apps, there should be more eyes on this problem. A few of the most common mobile security threats include:

    • Advertisement hijacking: A mobile app may be modified to display unwanted advertising, which diverts revenue from the app’s developer.
    • API key extraction: Keys that authenticate the app to its backend servers can be lifted from the app package by hackers, granting unwanted access to sensitive data.
    • Credential harvesting: Attackers can alter the authentication mechanisms within apps to steal the credentials of unknowing users.
    • Man-in-the-middle attacks: Online communications that happen within mobile apps can be intercepted and redirected to a third-party, malicious server.

    Knowing the typical ways in which attackers may try to compromise your app, and having the right systems in place to detect and prevent attacks, are key to keeping your applications and data secure.

    Is it possible for attackers to reverse-engineer my app?

    Reverse-engineering is a common technique hackers use to recover and analyze the code of your mobile application. Disassemblers and decompilers, which are readily available to anyone with the know-how, are the usual tools. This can lead to a range of problems, including some of the common mobile security compromises listed above, as well as cloning and code/IP theft.

    Without code hardening, it is much easier for hackers to reverse-engineer apps, either manually or automatically. It’s important to harden code at various levels throughout the application, through multiple layers of obfuscation and encryption. It’s equally important to protect apps from dynamic and live attacks with Runtime Application Self-Protection (RASP). RASP mechanisms monitor the integrity of the application and the environment it is running in, in real time. With these additional app threat analytics in place, developers can protect against both static and dynamic attacks.
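    To make the RASP idea concrete, here is an added example of the kind of runtime integrity check such a layer performs on Android. It is not Guardsquare code and not part of DexGuard: it compares the SHA-256 fingerprint of the certificate the installed APK was signed with against the value the developer expects, and separately flags a build that has become debuggable, which is a typical side effect of repackaging. The class name, the `Verdict` enum and the `EXPECTED_CERT_SHA256` constant are assumptions; the constant is a placeholder to be replaced with your own release certificate fingerprint.

```java
// Added example, not code from the original post or from Guardsquare.
// Minimal Android runtime integrity check of the kind a RASP layer performs:
// verify the signer of the running package and detect a debuggable build.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class IntegrityCheck {

    // PLACEHOLDER (assumption): replace with the lowercase-hex SHA-256 of your
    // release signing certificate, e.g. from `keytool -printcert -jarfile app-release.apk`.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    public enum Verdict { OK, UNKNOWN_SIGNER, DEBUGGABLE, ERROR }

    private IntegrityCheck() {}

    /** Returns OK only if the package is signed by the expected certificate and is not debuggable. */
    @SuppressWarnings("deprecation")
    public static Verdict check(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            String pkg = ctx.getPackageName();

            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                SigningInfo si = info.signingInfo;
                // The current signer(s) of the APK contents; past lineage entries are not included.
                signers = (si == null) ? null : si.getApkContentsSigners();
            } else {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                signers = info.signatures;
            }

            // Our own release build is signed by exactly one key; anything else is suspicious.
            if (signers == null || signers.length != 1) {
                return Verdict.UNKNOWN_SIGNER;
            }
            String actual = sha256Hex(signers[0].toByteArray());
            byte[] a = actual.getBytes(StandardCharsets.US_ASCII);
            byte[] e = EXPECTED_CERT_SHA256.getBytes(StandardCharsets.US_ASCII);
            if (!MessageDigest.isEqual(a, e)) {
                return Verdict.UNKNOWN_SIGNER;
            }

            // A release build that reports itself debuggable has usually been rebuilt by someone else.
            int flags = ctx.getApplicationInfo().flags;
            if ((flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
                return Verdict.DEBUGGABLE;
            }
            return Verdict.OK;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException ex) {
            return Verdict.ERROR;
        }
    }

    // Hex-encoded SHA-256 of the DER-encoded signing certificate.
    private static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

    Call `IntegrityCheck.check(this)` early, for example in `Application.onCreate()`, and treat anything other than `OK` as a signal to report to your analytics backend before deciding how the app should react. The check is only one layer: a hacker who repackages the app can also try to patch the check out, so it belongs inside the obfuscated part of the app alongside the other hardening measures described above rather than standing on its own.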

    Can my code be cloned and redistributed?

    Fake mobile applications are a common threat for app publishers, particularly popular retail brands that store customers’ sensitive financial data. Many of these applications are distributed through both sanctioned and unsanctioned app marketplaces, with copies so convincing that thousands of users are fooled. In fact, fraudulent app installs increased from 16.6 percent to 22.6 percent in the first six months of 2019.

    App threat analytics and app protection can help developers discover and prevent this type of illicit activity before it affects customers and harms their organization’s brand reputation. As with reverse-engineering, the combination of code hardening and RASP is a security best practice that is crucial for any mobile app developer to implement.

    Want to know more about protecting your apps against all types of threats? Check out Guardsquare’s DexGuard for Android and iXGuard for iOS.
