Top Attack Vectors for Mobile Threats
According to Statista, consumers downloaded 230 billion mobile apps to their connected devices in 2021, up 63% from five years prior. More striking still, those figures count only first-time downloads and exclude re-installs and updates to the same applications. This hyper-growth was fueled, in part, by the global pandemic: developers had to push out new apps to meet unusual demands, along with new features and improvements to accommodate the change in how day-to-day tasks were completed. Development at that pace left the door open to a drop in quality, leading either to self-inflicted defects or to openings for a third party to gain unauthorized access to systems and data. Unfortunately, a number of high-profile apps proved this to be true.
Let’s take a look at how prevalent these types of breaches are, what the attack vectors were, and how you can better secure your apps moving forward.
How prevalent are mobile security threats?
One of the largest corporate team collaboration tools, Slack, fell victim to a data breach. A bug in its “Shared Invite Link” feature was found to be transmitting a hashed version of the user’s password. While Slack denied that clear-text passwords were ever exposed, it forced the affected customers to reset their passwords, and the app data logs were wiped.
Users of Klarna’s mobile banking and payment app were left confused when they were briefly shown other users’ account information. Given the sensitivity of the information exposed, the company had to lock down the service until the issue was fixed.
Apple and Google found themselves in hot water as well, with flaws found in iMessage and in 13 popular Android apps, respectively. The iMessage flaw exposed all of its 900 million active users to spyware that could access the device owner’s photos, messages, personal data, and location. The Android apps’ issues exposed personal data, including emails, chat messages, passwords, and photos, of as many as 100 million users.
Even a private Canadian COVID vaccination passport app, Portpass, found itself in harm’s way when insecure data storage left users’ personal data unencrypted and openly accessible in plaintext. Attackers were able to reach the data of 650,000 users.
As the number of devices and app downloads skyrockets year-over-year, the attack surface expands along with it. Mobile application security threats have never been more prevalent.
What are the common attack vectors?
The data breaches outlined in the previous section highlight how important it is for developers to remain vigilant in their coding practices. Organizations such as the OWASP Foundation work to improve the security of software and to bring common vulnerabilities to light, including those found in mobile applications. Alongside its list of the most common risks, OWASP documents the associated attack vectors, security weaknesses, technical and business impacts, how to tell whether you may have such a vulnerability, and how to protect against it.
The breaches outlined above map directly onto several of the OWASP Mobile Top 10 risk categories:
- M2: Insecure Data Storage – Portpass app
- M3: Insecure Communication – the 13 Android apps
- M5: Insufficient Cryptography – Slack app
- M7: Client Code Quality – Klarna banking and payment app
- M8: Code Tampering – Apple iMessage
Just from these few examples, we can see how commonplace some of these risks are: five of the Top 10 appear in these apps alone, and many more apps fall victim to these same issues and to the remaining five. It is critical for every developer to become familiar with these mobile risks so they are well equipped to build and release secure applications.
How can you ensure your apps are secure?
The most proactive step development teams can take is to have their code audited. Security professionals can help identify these vulnerabilities so you can address them before they become catastrophic.
If any issues are found, taking immediate action to fix them is crucial. Teams will need to decide how best to mitigate these risks. That could mean looking inward to the internal development team for fixes and improvements, or it may mean seeking external help from subject-matter experts who handle the problem through their services. Ionic’s Enterprise SDK is one example of how valuable a trusted external partner can be to a development team: Ionic’s professional support and advisory services help teams reach their goals, avoid technical debt, increase performance, and improve their mobile app’s security.
Ongoing security training, and keeping the development team up to date on best practices, are effective strategies for keeping apps secure. An informed team is better positioned to make both proactive and reactive decisions about mobile app security risks.
For thoughts on how to best address and mitigate these risks, take a look at How to Address Mobile App Security Risks.