Mobile app security: Threats, trends, and what lies ahead
We recently published the very timely OneSpan Global Mobile App Security Vulnerabilities Report - The State of Mobile App Repackaging, in collaboration with Promon Research. The research team tested 384 of the world’s most popular finance apps to assess vulnerability to repackaging attacks—across banking, crypto, payments, financial services, and more.
Repackaging attacks inject code into an app, or modify the application's existing code, and then repackage the result into an application that still installs and runs. They are the fundamental starting point for removing existing in-app security controls, and they give an attacker easy access to reverse engineer any proprietary code and intellectual property.
I interviewed OneSpan Field CTO Dan McLoughlin to discuss the findings of the report, as well as important context and takeaways. The recording is below, and a lightly edited transcript follows.
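To make the mechanics concrete, the following is an added example written for this page; it is not code from the report or from OneSpan or Promon. It models an APK as a set of files plus a signed manifest and a signing certificate, walks through the attacker's repackage-and-re-sign step, and shows why the platform's install-time signature check accepts the repackaged build while an in-app check against a certificate fingerprint pinned at build time rejects it. The package layout, the "classes.dex" contents and the textbook RSA key pairs are constructed stand-ins (the RSA is deliberately toy-sized and unpadded, and exists only so that the attacker's lack of the developer's private key is a real property of the simulation).

```python
"""Toy model of an APK repackaging attack and of an in-app signer check.

Constructed illustration, not from the OneSpan/Promon report: the package
format, key sizes and "dex" contents are simplified stand-ins.
"""
import hashlib
from dataclasses import dataclass


# Textbook RSA over hard-coded Mersenne primes, no padding: NOT secure. It is
# here only so that "the attacker does not hold the developer's signing key"
# is a real property of the simulation rather than an assumption.
def _keypair(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], int]:
    """Return (public (n, e), private d) for the given primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


DEVELOPER_PUB, DEVELOPER_PRIV = _keypair(2**89 - 1, 2**107 - 1)
ATTACKER_PUB, ATTACKER_PRIV = _keypair(2**61 - 1, 2**127 - 1)


def _digest_int(data: bytes) -> int:
    # Truncate to 128 bits so the value is below both toy moduli.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def _sign(data: bytes, pub: tuple[int, int], priv: int) -> int:
    return pow(_digest_int(data), priv, pub[0])


def _verify(data: bytes, sig: int, pub: tuple[int, int]) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


@dataclass(frozen=True)
class Apk:
    files: dict[str, bytes]       # code and resources (classes.dex, ...)
    manifest: bytes               # per-file digests, like META-INF/MANIFEST.MF
    signature: int                # signature over the manifest
    signer_pub: tuple[int, int]   # the signing certificate shipped in the archive


def _manifest(files: dict[str, bytes]) -> bytes:
    lines = [f"{name}:{hashlib.sha256(blob).hexdigest()}"
             for name, blob in sorted(files.items())]
    return "\n".join(lines).encode()


def build_apk(files: dict[str, bytes], pub: tuple[int, int], priv: int) -> Apk:
    manifest = _manifest(files)
    return Apk(dict(files), manifest, _sign(manifest, pub, priv), pub)


def installer_verify(apk: Apk) -> bool:
    """Install-time check: manifest matches contents and the signature verifies
    under the certificate *inside* the APK. The platform does not know who was
    supposed to have signed the app."""
    return (apk.manifest == _manifest(apk.files)
            and _verify(apk.manifest, apk.signature, apk.signer_pub))


def cert_fingerprint(pub: tuple[int, int]) -> str:
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


# Pinned into the app's own code at build time. On Android the running app
# would read its signing certificate via PackageManager and compare.
PINNED_FINGERPRINT = cert_fingerprint(DEVELOPER_PUB)


def in_app_signer_check(apk: Apk, pinned: str = PINNED_FINGERPRINT) -> bool:
    """Runtime self-check: is this build signed by the certificate we expect?"""
    return cert_fingerprint(apk.signer_pub) == pinned


def repackage(apk: Apk, patches: dict[str, bytes],
              pub: tuple[int, int], priv: int) -> Apk:
    """Attacker workflow: unpack, patch code, regenerate the manifest, re-sign
    with a key the attacker controls."""
    return build_apk({**apk.files, **patches}, pub, priv)


# Constructed sample contents; a real classes.dex is binary Dalvik bytecode.
ORIGINAL_FILES = {
    "classes.dex": b"if (!is_rooted() && signer_ok()) start_banking()",
    "res/strings.xml": b"<string name=app_name>Example Bank</string>",
}
PATCHED_DEX = b"start_banking()  /* root + signer checks stripped */"


def demo() -> dict[str, bool]:
    original = build_apk(ORIGINAL_FILES, DEVELOPER_PUB, DEVELOPER_PRIV)

    # Attempt 1: patch the code but keep the developer's certificate and the
    # old signature. Without DEVELOPER_PRIV the signature cannot be fixed up.
    forged_files = {**ORIGINAL_FILES, "classes.dex": PATCHED_DEX}
    forged = Apk(forged_files, _manifest(forged_files),
                 original.signature, DEVELOPER_PUB)

    # Attempt 2: the real repackaging attack, re-signed with the attacker's key.
    repackaged = repackage(original, {"classes.dex": PATCHED_DEX},
                           ATTACKER_PUB, ATTACKER_PRIV)

    return {
        "original_installs": installer_verify(original),
        "original_passes_pin": in_app_signer_check(original),
        "forged_installs": installer_verify(forged),
        "repackaged_installs": installer_verify(repackaged),
        "repackaged_passes_pin": in_app_signer_check(repackaged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the model makes is that re-signing is always available to the attacker, so the operating system's own signature check is not a defence against repackaging; only a check inside the app, comparing the live signing certificate to a value fixed at build time, can tell the two builds apart. Note also that the attacker's patch can just as easily remove `in_app_signer_check` itself or replace `PINNED_FINGERPRINT`, which is why such a check is only useful when it is hidden by obfuscation and backed by runtime protection rather than shipped as a single plain constant.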
Enterprises face so many security threats. Why prioritize mobile app security? Why now?
"For the majority of customers, the mobile app is the first touchpoint and shop window into an organization, so it's really important that you get your mobile app right. A lot of people spend a lot of time and money on making sure the user experience is good. Unfortunately, sometimes that means things like security get left by the wayside. Trust is just as important.
"Furthermore, the reputational damage that can come from an app that's leaking data or potentially funds is huge. I think the reason we're seeing the need to prioritize app security now is because you've got to maintain trust as well as reputation."
The research indicates that roughly 6 out of 10 financial applications are vulnerable to repackaging attacks. How did we get here?
"I think it's a factor of the way that mobile applications took off. If you look at things like the financial sector, it took years for online banking to become hugely popular, and then just months for mobile banking to reach those same levels. So there was a huge drive for rapid app development in the financial sector.
"Some of the traditional methodologies for mobile app security have all been about data at rest, and data protection at rest—so we're looking at things like encryption and code obfuscation, and they're really important. But that leaves out another really important element, which is that when the app is running, it's also vulnerable.
"There’s another thing, which is that the mobile app is the shop window, as we've said already, and it’s the main data point that many people have regarding the way they work with an organization. So it's really important that the usability be high. And because mobile app developers are not always security experts, they don't necessarily add all of the security features that are needed into your mobile application.
"Also, some of the shielding techniques that are out there to protect applications have been difficult to use in the past, which has maybe put people off. They don't want to impede the user experience, so maybe some misconceptions around how to secure an app properly without changing the usability are also part of the problem."
So what's your advice? What can app developers do to secure their mobile apps?
"Firstly, follow the best practice standards. You can use organizations like NIST to look at the best practices for security in general, and you can also use tools from Apple and Google, which provide security tools as well.
"But realistically: speak to security professionals. That's their job, to secure things and make sure that your applications are secure. I know sometimes it seems scary, because people are worried about the user experience being diminished when you start adding security. But that's not always the case. We can add security without ruining the user experience – sometimes adding security enhances the user experience as well. So it’s really important to speak to professionals who are used to doing the job and understand how that works. It's that marriage of user experience and security that's really important."
Beyond this tactical adjustment, how should enterprises change their strategy for the mobile channel?
"The mobile app is the shop window that you present to the world, so your strategy really has to be around that mobile experience, and also your reputation, as we mentioned before. You've got to remember that your customers are using this often. They don't necessarily want to be feeling that things are invasive, but they also want to feel that there is a level of security. That's the other thing: users will expect to be protected. They're not expecting to lose data or funds, or anything through your mobile application. They see it as your environment, in their mobile device.
"So if I'm using a banking application, I'm expecting that application to be protecting me and all of the funds that I access through that application. The same applies to other applications where I've just got data stored, etc. We have that sort of inherent trust in the providers to provide that security, and so financial institutions should always think around that when developing applications: your customers are expecting it from you, and if you lose that trust you'll lose your customers."
Can you give us a sense of the mobile threat landscape and what to expect in the year ahead?
"I expect more data losses. We're seeing this constantly in the news—you see data losses through all sorts of different mechanisms, and mobile will be no exception. Just as it's the best gateway for us to use to get access to our data, it's also a gateway for malicious actors to try and utilize to get access to data. So we have to be really careful about that. The targets won't just be in the financial sector — data is just as important. We've seen this time and again, and it will continue to be a factor into the next year or so.
"Access to your data gives access to an identity, to a degree. So we have to be really careful about that as well. If you can get access through the mobile application, you can gain access to data, which you can then use to access other things, and that's how a lot of this is done.
"You'll also see more runtime attacks in the mobile apps themselves. It's not just going to be the app sitting on a phone, with the phone under attack. It's going to be with the application itself, while it's running. Because there is vulnerability when it's in a running state, and we need to protect that just as much as when it's at rest."
What trends do you see that can help us understand what lies ahead, 5 or 10 years from now?
"If we look into the crystal ball we’ve got to start thinking about where Web3 comes into play. We're starting to see elements of that. We've got blockchain, we've got the crypto world in a strange situation at the moment, with very high-profile crashes of exchanges, etc. But the underlying technology is still a fundamental part of what's going to make the internet moving forwards, and there is no issue with the actual underlying technology. So we are going to see more things like wallets and self-sovereign ID, where you take ownership of your own identity and use the blockchain to verify that.
"We see that coming, but we've seen that coming for a long time, so it's difficult to say it's going to be 5 or 10 years from now - the real blocker is usability again. You can go all out on Web3 right now, but you have to be really engaged in that technology and understand in-depth how to use the technology. There's no simple user interface for Web3 technologies right now, and that's where we are with a sort of web 2.5, as people call it, where you've got wonderful user experience wrapping around the technology that we already have. People aren't willing to give up on that experience. So we will see these things in the future—it's just really difficult to say when.
"Some of the other things that we're going to start seeing are around trusted identities. Identity is going to be a big thing moving forwards. Accountability as well. And you might see this in social spaces as much as you will in important financial transactions. We see so much fraud at the moment through impersonation and social engineering, that it's going to be really important that impersonation be very difficult to do online, so people can then prove identity in multiple situations.
"When you sign up for a financial app right now, you'll have to go through some sort of identity proofing. But in the future, maybe to use social apps, dating apps, etc., you may not be able to do as much unless you provide your full identity to that application for safeguarding of individuals, etc., and just to remove some of the anonymity online. That's a challenging space, as a lot of people want to hold that privacy element. And I think that's something that is going to happen over the years: we'll see this balancing act where it's necessary to prove identity. You may be able to browse anonymously certain things in a social experience, for example.
"But if you want to engage, or if you want to go to another level, then identity might have to be provided. So we'll see different types of identity proofing and identity trust mechanisms moving through over the next 5 years, and possibly even identity aggregation. We're already seeing now that you can get identity provisioning in certain countries — in Belgium, for example. You may start to see aggregation of identities, where organizations can help you use your trusted identity in one area to re-enable that trust in something else — an aggregation of your different identities, and your self-sovereign identity as well, because there has to be an element of trust in that, too."