Following the news that billions of personal records are at risk due to a mobile app data flaw, please find below a comment from Winston Bond, European Technical Manager at Arxan Technologies, with his views on this flaw and what organisations should do to ensure they don’t fall victim to an attack.
Winston Bond, European Technical Manager at Arxan Technologies:
“The findings of this research are of no real surprise and whilst I haven’t personally come across this vulnerability, the underlying problem in the development lifecycle that is leaving this kind of data open is something we see frequently in the industry. Ultimately there needs to be a move to make personally identifiable information, passwords or location data harder to find and less easy to exploit. We know developers are under increasing pressure to quickly deliver new or updated applications which are feature rich, but this means security continues to be pushed to the wayside. The majority of the time developers have relied on the default settings available, making an assumption that they will be sufficient, or they copy directly from an existing sample app that does not address the unique vulnerabilities associated with mobile applications and the data they manage.
To stop these kinds of vulnerabilities and flaws from occurring, more robust protections need to be inserted directly into the app at the binary level. Without this level of protection, apps are at risk, because it’s easy for a hacker to reverse-engineer binary code back to source code. With access to the source code, hackers can replicate, extract and make changes. In this case, if binary protection had been within the applications, then it wouldn’t have made the passwords and data so easily findable and exploitable. Developers can also implement stronger authentication systems by using whitebox cryptography technology, so services will only talk to the authorised app. It is one thing for the app to be able to talk to the server, but the big problem comes when you can extract the password and use anything to talk to the server.
In today’s highly distributed mobile application environment, it’s virtually impossible to secure all the networks and devices that are leveraged, so establishing application protections, particularly at runtime, is essential.”