7 Ways to Protect Mobile Apps and APIs from Cyberattacks
Editor’s Note: This post originally appeared in September 2021 on Threatpost.
Two critical elements are driving progress in today’s digital economy: mobile apps and APIs. An API (Application Programming Interface) is software that allows applications to communicate and exchange data with each other.
The growth of these two technologies has exposed users and their data to significant security threats, namely:
- Hackers can easily access devices through mobile apps.
- Insecure APIs expose personally identifiable information (PII) to potential attackers.
Mobile app security threats have emerged over the years. Here are some alarming statistics:
- In 2019, 93% of mobile transactions in up to 20 markets were found to be fraudulent and blocked.
- According to Microsoft, 60% of an organization’s devices are mobile and unprotected. The pandemic has led to more teams working remotely and using their mobile devices for work. Research by IBM found that remote teams increase the average cost of a data breach by $137,000.
- $8.19 million is the average cost of a data breach.
How Bad Actors Leverage Mobile Attack Surfaces to Hack Your Device
Mobile apps operate on the assumption that legitimate users are using your app without malicious intent. As a result, hackers will use attack surfaces to extract confidential information that they can use to break into your device. There are five attack surfaces hackers target to gain access to your data:
- User credentials
- Application health
- Device health
- API channel health
- API and service vulnerabilities
The process of targeting your apps
A cybercriminal can launch an attack on the above surfaces through the detailed process we outline below:
Attack Preparation
There are four ways to prepare an attack:
- Obtain user credentials through phishing, spoofing, and data acquired through the dark web. This data is usually obtained through data breaches and sold to shady web middlemen.
- Attack the integrity of the app to extract API information and abuse the business function of the app.
- Abuse device integrity to acquire customer information for malicious purposes.
- Alter channel integrity to intercept secrets and access application logic.
Attack Execution
After preparing the paths and collecting information, here are the methods hackers use to execute their attack strategy:
- Use the acquired information to construct valid queries and configure automated tools that target the API.
- Harvest data using new or known flaws such as fake application forms, links and attachments containing malware.
- Abuse the business logic of the API to demand more money from users or trick users into making fake purchases.
- Interfere with the operation of the service to slow down or deflect user requests.
- Use the gathered information to alter the app and deploy a modified version to hijack financial transactions, ad revenue, or steal data.
7 Ways to Protect Mobile Apps and APIs from Attackers
Here are the best strategies to protect your mobile apps from hackers:
1. Prevent insecure communications
Trust a secure connection only after authenticating the identity of the server. To authenticate identities, implement Secure Sockets Layer/Transport Layer Security (SSL/TLS) on every application transport channel that carries sensitive data such as credentials and tokens.
You should also use certificate pinning, and accept only certificates signed by trusted certificate authorities (CAs), so that self-signed certificates are rejected.
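An added example (not from the original post or Approov) of the pinning check in Python: after the normal TLS handshake has validated the chain and hostname, the client hashes the server certificate's SubjectPublicKeyInfo and rejects the connection unless that hash is in its pin set, which is what stops a self-signed or rogue-CA certificate. The minimal DER walker, the `sha256/...` pin format and the constructed, unsigned test certificate are assumptions for this example; a mobile app would usually configure the same pins through its platform's pinning facility.

```python
import base64
import hashlib

class PinMismatch(Exception):
    """Server public key is not in the pin set; the caller must drop the connection."""

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der(tag, body):
    """Encode one DER TLV (bodies under 64 KiB); used only to build the test certificate."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def pin_of_spki(spki_der):
    """'sha256/<base64>' over a SubjectPublicKeyInfo, the format OkHttp and HPKP use."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    """Walk an X.509 DER certificate to its SubjectPublicKeyInfo and return its pin."""
    tbs = der_tlv(der_tlv(cert_der)[1])[1]     # Certificate -> TBSCertificate (first element)
    fields, pos = [], 0
    while pos < len(tbs):                      # split TBSCertificate into its element TLVs
        end = der_tlv(tbs, pos)[2]
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return pin_of_spki(fields[5])              # serial, sigAlg, issuer, validity, subject, SPKI

def check_pins(cert_der, pins):
    """Run after the normal TLS handshake on sock.getpeercert(binary_form=True)."""
    pin = spki_pin(cert_der)
    if pin not in pins:
        raise PinMismatch(f"server key {pin} not in pin set")
    return pin

def constructed_cert(key_bits=b"\x00" + b"\x42" * 64):
    """Structurally valid but unsigned certificate built for the test; not a real cert."""
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, key_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + rsa_alg
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + rsa_alg + der(0x03, b"\x00")), spki
```

In a live client, call `check_pins(sock.getpeercert(binary_form=True), pins)` right after `ssl.create_default_context().wrap_socket(...)` returns, and close the socket on `PinMismatch`; pinning the public key rather than the whole certificate lets the server renew its certificate without breaking the app.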
2. Validate input information
Input validation checks whether credentials and logins are structured appropriately to prevent harmful code from gaining access to your application.
Validation takes place before a mobile application accepts the user’s personal information. This process protects the application from attackers who inject destructive code into your application.
Input validation should also apply to your third-party vendors and partners. Attackers can try to hack your app by impersonating your service provider or a trusted regulator.
3. Secure your app storage
Another avenue attackers can target is your mobile app’s data storage. The vulnerabilities occur in storage locations such as SQL databases, cookies, configuration files, and binary data stores. Attackers also bypass poorly implemented security features, for example by circumventing encryption libraries. A common avenue that attackers target is jailbroken or rooted devices. When the owner jailbreaks/roots their device, they undermine the built-in security of the gadget, making it easier for hackers to gain access.
To protect your data stores from attacks, encrypt local files containing sensitive information using the device platform’s security library. You can also minimize the data requests and permissions your app makes, so that other apps cannot reach its stored data.
4. Secure your code
To reduce instances of insecure and low-quality code, enforce secure coding practices such as the OWASP Secure Coding Guidelines and use static analysis tools such as MobSF to verify the security of your work during the development process.
Maintain consistent and secure coding principles that do not result in vulnerable code.
Once your code is ready to deploy, don’t forget to apply an obfuscation tool such as ProGuard to put a coat around your work and keep prying eyes out.
5. Implement proper authentication and authorization practices
There are several ways to ensure proper authorization and authentication to protect mobile apps from attacks:
- Always authenticate requests on the server side. Authentication prevents malformed and harmful data from being loaded into the mobile app.
- Use encryption to protect customer data and your own data, especially if the application requires access to customer storage.
- Always verify the permissions of authenticated users using only backend data. Verification prevents attackers from using similar credentials to access your backend information and APIs.
- Use 2-factor authentication to validate a user’s credentials and identity.
6. Prevent reverse engineering by hackers
Reverse engineering is a method hackers use to attack the integrity of an application. To avoid such scenarios, limit the capabilities of the client and keep most of the functionality on the server side. For example, reduce user capabilities and client-side permissions to prevent hackers from accessing your code base. API keys are a security risk on their own and are difficult to conceal in a mobile application. So protect against their illegitimate use by ensuring that the backend requires a second, independent factor alongside the API key to mitigate the risk.
7. Protect your mobile apps with Approov
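An added example (not Approov's product or code) that covers both the authentication and authorization list in point 5 and the API-key point in this section: a backend handler that refuses an API key unless a short-lived HMAC-signed app token accompanies it, resolves the user from a server-side session rather than from anything the client sends, and reads permissions only from backend data. The API keys, sessions, roles, the shared attestation secret and the `X-App-Token` header are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed backend state standing in for a database; none of these are real credentials.
API_KEYS = {"app-key-CONSTRUCTED": "mobile-app-v1"}          # key -> app it was issued to
SESSIONS = {"sess-CONSTRUCTED-1": "alice", "sess-CONSTRUCTED-2": "bob"}   # bearer -> user
ROLES = {"alice": "user", "bob": "admin"}                      # permissions live here, not in the app
ATTEST_SECRET = b"shared-with-attestation-service-CONSTRUCTED"

def mint_app_token(api_key, ttl=60, now=None):
    """Simulates the second factor: a short-lived HMAC token an attestation service
    issues to a genuine app instance. The app never holds ATTEST_SECRET itself."""
    exp = int(now if now is not None else time.time()) + ttl
    body = base64.urlsafe_b64encode(json.dumps({"key": api_key, "exp": exp}).encode()).decode()
    sig = hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_app_token(token, api_key, now=None):
    """Constant-time signature check, then bind the token to this API key and its expiry."""
    body, _, sig = token.partition(".")
    expected = hmac.new(ATTEST_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims.get("key") == api_key and claims.get("exp", 0) > (now if now is not None else time.time())

def authorize(headers, body, now=None):
    """Server-side decision for one API call. Returns (HTTP status, reason)."""
    api_key = headers.get("X-API-Key")
    if api_key not in API_KEYS:
        return 401, "unknown API key"
    if not verify_app_token(headers.get("X-App-Token", ""), api_key, now=now):
        return 401, "API key presented without a valid app token"   # the key alone is never enough
    auth = headers.get("Authorization", "")
    user = SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, "not authenticated"
    role = ROLES.get(user, "user")          # backend data only; a client-supplied body["role"] is ignored
    if body.get("action") == "refund" and role != "admin":
        return 403, f"{user} is not allowed to refund"
    return 200, f"{body.get('action')} by {user} ({role})"
```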
Approov provides an easy-to-deploy runtime protection solution and protects your mobile apps, APIs and the channel that connects them from any automated attack. It effectively blocks the execution of attacks, regardless of vulnerabilities already known or discovered during testing. Additionally, Approov API Threat Protection verifies the security and authenticity of your app for optimal device protection.
For more information on Approov’s API Threat Protection, try our free demo today.
*** This is a syndicated Security Bloggers Network blog from Approov Blog written by David Stewart. Read the original post at: https://blog.approov.io/7-ways-to-defend-mobile-apps-and-apis-from-cyberattacks