Identifying Holes in Your Mobile Apps Security

June 30, 2015

Mobile applications for both personal and business use are expanding in number and capabilities every day. So it's no surprise they're becoming profitable targets for hackers. Take, for instance, the recent breach of a global beverage retailer's mobile customer loyalty cards.


In May, credit card hackers were discovered targeting the store's gift card and mobile payment users and stealing from consumers' credit cards. The scam didn't require knowing the account number of the card they were hacking. Instead, criminals used customers' mobile payment accounts to access their linked credit cards. Using the auto-reload function, they could steal hundreds of dollars within minutes.


Custom greeting card website Moonpig suffered a similar fate in January. A flaw in its API exposed personal records and partial credit card details for about three million customers, and almost 18 months after it was reported. The failure, discovered and privately reported by a developer, meant that every account and the names, birth dates, emails and street addresses could be accessed by changing the customer identification number sent in an API request. Orders could be placed under any account. Credit card expiration dates and last four digits could be extracted using an insecure API.


Because the crime is so simple, it can escalate quickly, industry-watchers say. Imagine all the auto-reload payment options on many of your favorite customer loyalty cards with the same focus on customer "convenience."


Both cases expose some serious holes in mobile app security, particularly around application-programming interfaces or APIs, a set of programming instructions and standards for accessing a Web-based software application or Web tool.


For starters, each individual developer or group of developers is building their own security into their app, such as login requirements, access and rights. The app is probably caching IDs and passwords locally on the device, too, and that's a huge problem. Not only can users have their personal and credit card information stolen, but also companies can fail audits meant to ensure security and safe mobile application use.


A one-off security approach also means that when you want to change a policy or update security to give new users access to part of an app or specific pieces of data, policy is difficult to change because all of that logic was built into the mobile app. That's not a good thing.


The best solutions for managing access to APIs should have several key characteristics, including replace or extending existing IAM infrastructure to secure web applications and APIs; employing a standards-based approach that eliminates the need for local password storage on mobile devices; and using a proxy-based approach with a central policy server for both web and API access.


In a standards-based approach, a single layer allows a mobile developer to use standards like OAuth to easily authenticate users. In addition a user who is transitioning from the mobile app to the web app, can have his or her identity and access approved in using the same automated process. Developers don't have to code logic into the application in order to change policies -- they simply call up the API.


The good news is - the number of mobile security breaches remains relatively low, according to Verizon's 2015 Data Breach Investigations Report. Of the tens of millions of mobile devices on Verizon's network, only .03% were infected in 2014 by "higher grade" malicious code.


That low percentage "means there's a large opportunity for companies to get ahead of the curve and proactively protect end users," said Bob Rudis, managing principal, security and DBIR lead author, in a press call. "Start getting visibility into security threats on mobile devices. Next, seek control, so when a threat does arise, security professionals can act quickly to remedy it."


Related Resources: