Most organizations engage in a broad range of application security activities across the software development life cycle, such as threat modeling, architectural risk assessment, source code review, penetration testing and application monitoring. These are important controls, but they aren’t sufficient in a mobile environment. Even if all the controls are implemented perfectly and you believe your code is free of vulnerabilities, a mobile app without protected binary code is at risk for a hack and could jeopardize the impact of all your other security work.

The following is a look at a typical hack or app break-in, and the challenges of common misconceptions about app store security.

Isn’t My App Encrypted to Prevent a Hack?

Yes, apps from Apple’s App Store are, in fact, encrypted. Unfortunately, it takes just a few minutes to decrypt an application using freely available tools. This is typically the first step in the break-in for an iOS app.

So, What’s the Big Deal if Someone Gains Access to My App?

Downloaded Android apps (or decrypted iOS apps) provide cybercriminals with access to the app in a binary code format. Apps with unprotected binary code are at risk because it is quite easy for cybercriminals to reverse-engineer binary code back to source code. Imagine your “flawless” app as a highly secure castle. By leaving the binary code unprotected, it’s like providing unfettered access to the information inside, including the blueprint for the castle and all its security controls.

It is also quite easy for cybercriminals to reuse or copycat an application and submit the hacked version to an app store under their own branding as a nearly identical copy of the legitimate application. Columbia University research recently revealed that nearly one-quarter of all Google Play apps are duplicates.

Download the complete 2016 report on the state of application security from IBM Partner Arxan

Isn’t It Really Hard for Cybercriminals to Hijack My Well-Written Application and Take Control to Perform Nefarious Activities?

Unfortunately, no — it’s not that hard to hack an app this way. For example, through method swizzling attacks, cybercriminals can attack critical-class methods of an application to intercept application programming interface (API) calls and execute authorized code without leaving a trace, with the code reverting back to its original form. Essentially, it involves modifying the mapping so that calling API “A” will actually invoke API “B” — and API “B” can store credit card information on another server, capture customer information and be configured to perform any number of unintended and undesirable activities.

You can see examples of these application hacks brought to life via this series of short videos. Sample tools used to perform these attacks are listed in the graphic below.

It’s Time to Secure Your Apps at Run Time

The risk of this typical app break-in is so real that OWASP, Gartner, Forrester and other leading security advisers are stressing the importance of protecting applications, particularly application binary code.

Gartner, for example, recently advised chief information security officers to “make application self-protection a new investment priority, ahead of perimeter and infrastructure protection” and that “every app needs to be self-aware and self-protecting.” Gartner has also identified self-protection as a key technology trend for 2015.

OWASP also sees the importance of protecting applications and their binary code by identifying a “lack of binary protection” as one of its top 10 mobile risks.

Protection against typical app break-ins and even more advanced break-ins can be realized through application hardening and run-time protection. Hardening and run-time protection can be achieved with no impact to your source code via an automated insertion of guards into your binary code. When implemented properly, layers of guards are deployed so that both the application and the guards are protected and there is no single point of failure.

Detailed steps you can take to harden and protect apps at run time are readily available and were reviewed in detail in our recent webinar, which is available on-demand. In this session, we explore typical break-ins in more detail and teach you about the types of guards you can use to protect your apps.

If you think like a cybercriminal and protect your applications against common mobile application attack vectors, chances are that your organization won’t be the next one making headlines by being linked to a significant app break-in.

More from Application Security

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…