One of the common themes I’ve seen repeated over and over this year in the security world is the collaboration of malicious actors. Whether it’s via bytes on the Dark Web or cybercrime rings in the real world, there is no shortage of stories about attackers taking advantage of expertise and tools to find vulnerabilities and entries into your network to steal sensitive data. Add in the challenges in mobile application security and the disappearing network perimeter, and it’s game on for attackers.
It’s nice to imagine that security vendors and clients are united together in lockstep, weaving together intricate layers of protection like a complicated halftime marching band at an American football game. The reality is more a sad trombone falling flat. In my band experience, even if the brass section has their act together, missing a beat in the percussion section could throw everyone off their game.
The same holds true in security: Your network protection may be on point, but without mobile application security in lockstep, your network is vulnerable.
Band Camp for Attackers
There are lot of tools and automation techniques available to find common application vulnerabilities susceptible to attacks like SQL injection (SQLi) or cross-site scripting (XSS), which are highlights on the Open Web Application Security Project (OWASP) Top 10. In the recent “The State of Mobile Application Insecurity” study, more than half of respondents believed XSS in mobile apps will increase over the next 12 months.
In an effort to aid application developers, organizations like OWASP provide open-source black box testing tools, but these tools are also leveraged by attackers to find and exploit flaws. Attackers are creative; they harness these and other toolkits, enhance and repackage them, and then sell them on underground black markets to other attackers to potentially infiltrate your network and steal data.
Malware-as-a-service isn’t new; many security firms, including IBM X-Force malware researchers, started reporting incidents of these toolkits more than four years ago. The industrialized revolution of cybercrime is providing over-the-counter botnets, distributed denial-of-service (DDoS) software and other polymorphic malware for less experienced cybercriminals. Malware toolkit enhancements are even being crowdsourced as attackers fund and vote for new features in a community forum, which was the case with the Citadel malware earlier this year. The Dark Web is the practice field — a place to gather and refine their craft.
Know the Drill for Mobile Application Security
While the OWASP tool site offers over 50 tools for testing common vulnerabilities, many organizations lack either the resources or expertise to take advantage of these and improve the security of their applications. In that same Mobile Insecurity study mentioned above, only 41 percent of respondents said their organization had sufficient mobile security expertise — not exactly news we want trumpeted from the rooftops.
Sometimes, however, the good guys do build a tool that helps. In 2014, a researcher at CERT/CC created a tool named “Tapioca” to help automate testing of Android applications as a virtual machine preconfigured to perform man-in-the-middle (MitM) testing and analysis. In the course of the analysis, thousands of disclosures were made for individual applications vulnerable to these MitM attacks. Although the apps were all different, the same fix was required to correct fundamental vulnerabilities.
Developers need more of these same types of tools to help find and remove vulnerabilities before attackers exploit them.
#CoverYourApps Before Someone Else Uncovers Them
The problems facing mobile security aren’t limited to Android apps. To learn more about how to “cover your apps,” register to attend the security webinar on iOS devices titled “The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications.”
Just because Android applications make more noise when it comes to reported vulnerabilities doesn’t mean iOS apps are safe. Watch the webinar to learn how to protect your growing portfolio of mobile applications and keep the band in step.