April 20, 2018
The Mobile App Security Challenge
Mobile transactions are growing rapidly, as businesses prioritize digital-first strategies that allow consumers to interact seamlessly across their full suite of connected devices. ThreatMetrix detected a 200-percent increase in mobile transactions year-on-year from 2015-2016. Consumers are at the heart of this digital transformation, demanding slick and friction-free access to the businesses they transact with, whenever and wherever they choose.
Mobile applications are an essential piece of the jigsaw, revolutionizing the way that users transact. Apps create an “always-on” presence for businesses on a device that is with a consumer for the majority of their day. Real-time gaming, checking a bank balance throughout the day or doing grocery shopping on the move have now become commonplace. In the ThreatMetrix network, users log in to their bank accounts almost daily via the mobile app, twice as often as via desktop, illustrating just how integral some apps are to daily life.
Apps also provide quick and convenient access to products or services: the user doesn’t need to type in a web address or, in some cases, a username and password, as apps leverage built-in biometric capabilities of mobile devices for authentication. Similarly, in the workforce space, mobile apps are emerging as the new endpoint, enabling employees to be continuously connected, improving access and productivity.
However, the proliferation of user-owned devices has created an unmanageably wide variety of device hardware and device software architectures. Online businesses are challenged with the task of securing their mobile apps, while having no control over the devices and contexts of their use. The onus is squarely on businesses to ensure that users are who they say they are and that transactions originate from legitimate and trusted users and applications. The challenge is how to ensure a robust fraud and security strategy that does not mar user experience or introduce unnecessary friction at key interaction points.
ThreatMetrix enables enterprises and businesses to deploy a passive authentication solution while actively preventing fraud and detecting possible threats in order to secure mobile apps and mobile app transactions.
The Mobile Threat Landscape
Mobile apps are vulnerable, in part, because they exist outside the security perimeter of the online business. They provide fraudsters with direct access to elements of the merchant’s business process, which makes the business vulnerable to a wide variety of attacks, from OS-level malware in the host device to malicious/pirated third-party apps that can be leveraged to steal sensitive personal credentials.
This diverse landscape of mobile attacks provides cyber criminals with the opportunity to inflict huge damage to business reputation, customer trust and long-term revenue. To compound the risk, mobile app delivery teams rarely have the full spectrum of specialized skills required to address all attack vectors and continuously monitor the threat environment to identify and mitigate new and emerging threats.
A helpful approach to analyzing the mobile threat landscape is to look at the key mobile attack surfaces and understand how each of the specific mobile threats aligns with them. This can help businesses understand the security risks of their mobile platform, allowing continuous verification on a transaction-by-transaction basis.
The Mobile Attack Surfaces and Associated Threats
1. The Host Device
User devices can be compromised through rooting/jailbreak, OS-level vulnerabilities, malware, misconfigured security settings and malicious third-party apps. Attacks on the host device can include Key Loggers, Remote Access Trojans (RATs) and SMS Interceptors, to name a few.
Successful attacks are often a combination of the above threats. For example, a fraudster may begin by executing a mass spam campaign targeting mobile users via SMS or Email. The user is instructed to click a link, which exploits an OS-level vulnerability. This vulnerability could cause a malicious third-party application, such as a Key Logger, to be installed without the user’s knowledge. From that point forward everything the user types, including usernames and passwords, can be transmitted to the fraudster.
2. The Mobile App
Mobile applications can be tampered with or reverse engineered for the purpose of fraud. Reverse engineering can result in theft of API and user credentials. Reverse engineering can also be used to disable security functions, embed phishing attacks or to insert Trojans/backdoors which can be used for remote spying and remote access.
Considering the relative ease with which a mobile app can be compromised, businesses must ensure that they verify the integrity of their mobile app during every sensitive user interaction.
One of the most effective ways to accomplish this is by performing a code integrity check. A code integrity check verifies that no unauthorized code changes have been made, either purposefully by a fraudster or attacker, or unknowingly by malware. This includes:
- Code modification to circumvent security steps such as authentication
- Substitution of method calls to access malicious libraries
- Addition of input fields to phish or pharm personally identifiable information
- API attacks using client-server exploits
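The code integrity check described above, as an added example that is not ThreatMetrix code: a signed per-file manifest is built at release time, and the check reports modified, added and removed files, which covers the four cases listed (patched-out checks, substituted libraries, injected input fields, and stripped code). The app bundle, file contents and signing key are constructed; an HMAC stands in for the publisher's signature, and in a real deployment the manifest would be verified with a key that never ships inside the app or, as the page describes, by a server-side service.

```python
import hashlib
import hmac
import json

# Constructed sample "app bundle": path -> contents, standing in for the code and
# resource files inside an APK/IPA. Not real app code.
RELEASE_BUNDLE = {
    "classes.dex": b"dex\n035\x00login(){ if (!verifyPassword()) return; }",
    "lib/libcrypto.so": b"\x7fELF" + b"genuine-crypto-library",
    "res/layout/login.xml": b"<form><input name='user'/><input name='pass'/></form>",
}
# Constructed release-signing key; assumed to be held only by the app publisher.
SIGNING_KEY = b"example-release-signing-key"


def build_manifest(bundle):
    """Hash every file and sign the manifest so it cannot be silently regenerated."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in bundle.items()}
    canonical = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "sig": hmac.new(SIGNING_KEY, canonical, "sha256").hexdigest()}


def check_integrity(bundle, manifest):
    """Compare a running bundle against its signed manifest and report what differs."""
    canonical = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_sig = hmac.new(SIGNING_KEY, canonical, "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        # A re-signed manifest shipped with a repackaged app fails here.
        return {"ok": False, "reason": "manifest signature invalid"}
    expected = manifest["files"]
    modified = sorted(p for p in bundle if p in expected
                      and hashlib.sha256(bundle[p]).hexdigest() != expected[p])
    added = sorted(p for p in bundle if p not in expected)      # injected code or screens
    removed = sorted(p for p in expected if p not in bundle)    # stripped security code
    return {"ok": not (modified or added or removed),
            "modified": modified, "added": added, "removed": removed}


def tampered_bundle():
    """Constructed repackaged app: auth check patched out, library substituted,
    phishing field added to the login screen, extra library injected."""
    b = dict(RELEASE_BUNDLE)
    b["classes.dex"] = b["classes.dex"].replace(b"if (!verifyPassword()) return; ", b"")
    b["lib/libcrypto.so"] = b"\x7fELF" + b"credential-stealing-library"
    b["res/layout/login.xml"] = b["res/layout/login.xml"].replace(
        b"</form>", b"<input name='card_number'/></form>")
    b["lib/libinject.so"] = b"\x7fELF" + b"injected-library"
    return b
```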
3. The Web
Web exploits can leverage VPNs, Tor, proxies or bots to spoof identities and mask true IP address / true location. Data breaches, phishing and snooping attacks enable wholesale theft of identity information and credentials. Attackers can acquire these stolen identities and credentials on the dark web or from previous breaches. They can then use the aforementioned location cloaking techniques or botnets to fraudulently register for new accounts via a mobile app, or to attach illegitimate app instances to existing accounts.
These types of web exploits are used to mask the true location and true identity of an attacker who is spoofing either stolen or synthetic identities. Driven by identity breaches and identity theft, there is wide-scale availability of all types of identity information and access credentials. Strong device identity and true IP address/true geolocation validation are effective strategies that can be leveraged to verify that each transaction is free of identity fraud and web exploits. The ThreatMetrix solution can help businesses really know who they are transacting with and that the user is not in fact a cyber criminal using a stolen identity.
4. The Transaction
Business, e-commerce, banking and healthcare apps contain a rich presentation layer on the front end, and API-based platform integration on the back end. Fraudsters can attack APIs and API transactions to commit a wide variety of fraud attacks, including:
- Man-in-the-Middle (MitM), sniffing and snooping attacks
- Account hijack attacks
- Session spoofing and replay attacks
- Cross device attacks
HTTPS and SSL can be compromised. Network traffic can be intercepted using commonly available software and hardware to mount a MitM attack. All subsequent traffic from the user’s device is intercepted by the attacker and susceptible to credential theft, redirection and other forms of manipulation. These sophisticated, stealthy network attacks are difficult to detect, and are frequently executed without the user ever realizing they have been compromised.
Achieving End-to-End Mobile App Security
As mobile transactions continue their upward trajectory, businesses must prioritize a robust mobile security strategy that can verify the trustworthiness and integrity of every mobile app transaction. This solution must be able to detect instances where the app has been compromised, the device or transaction has been tampered with or the user is testing a stolen identity.
It is also vitally important that these capabilities are deployed as an integrated service. Deploying multiple point solutions inevitably leads to coverage gaps which can be exploited by attackers. Managing policy setting and generating a unified risk score is also problematic when using multiple point solutions.
The ThreatMetrix Mobile Solution
ThreatMetrix Mobile is a lightweight software development kit (SDK) for Google Android and Apple iOS mobile devices. This SDK can be integrated within mobile applications, detecting any breaches to the application itself and verifying the trustworthiness of the mobile device. Devices showing high-risk anomalies can be flagged for review while legitimate users are recognized in real time and can conduct transactions without additional authentication procedures.
Calls to ThreatMetrix Mobile are inserted at strategic points within mobile applications—usually during login, payment transactions and account registrations. The mobile device is then profiled to provide the following levels of protection:
- Application Integrity Evaluation
Application Integrity ensures that the host application containing the ThreatMetrix Mobile SDK has not been tampered with or modified, either by malware or by a malicious user. Application integrity is validated every time the application is launched to provide ongoing security. ThreatMetrix Mobile also checks other applications installed on the device, reporting their reputation and the presence of malicious code.
- Advanced Persistent Device Identification
Identifies individual mobile devices for both iOS and Android platforms, even if they have been reset or if the application has been reinstalled.
- Malware Detection
Known, trusted applications are seamlessly identified in real time, along with any application containing malware or a poor associated reputation. All connecting Android devices are analyzed to gain deep insight into the reputation of each installed application. These same benefits also apply to the host iOS app that the Mobile SDK is embedded in.
- Location Services
Latitude and longitude information is gathered from GPS hardware and IP addresses are compared with physical locations to detect the use of proxies and VPNs. Existing application permission levels are leveraged to avoid user inconvenience.
- Jailbroken (iOS) and Rooted (Android) Devices
Dynamic jailbreak and root detection technologies determine when device security controls have been compromised.
- Anomaly and Device Spoofing Detection
Detects device emulation, tampering, root/jailbreak cloaking, and other anomalies that may indicate fraud. Automatically detects device and data spoofing by analyzing the network traffic packet signatures originating from the device.
- Dynamic Configuration and Updates
Configuration and threat methods are updated via ThreatMetrix servers, mitigating the need for customers to re-release their applications.
- Easy Integration
ThreatMetrix Mobile can be integrated with very little development effort. It is lightweight and does not impact application performance or impede the user’s app experience.
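A minimal version of the GPS-versus-IP-geolocation comparison described under Location Services, as an added example that is not ThreatMetrix code: it assumes an IP-geolocation lookup has already produced coordinates, flags only a gross mismatch so that database inaccuracy and carrier routing do not cause false positives, and treats a missing GPS fix (location permission not granted) as no signal rather than as a mismatch. The sample sessions and coordinates are constructed.

```python
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def location_mismatch(gps, ip_geo, ip_accuracy_km=50.0, slack_km=100.0):
    """Return (flagged, distance_km) for one session.

    The threshold absorbs typical IP-geolocation error and mobile-carrier routing,
    so only a gross gap between the GPS fix and the IP's location is flagged as a
    likely proxy, VPN or spoofed location. No GPS fix means no signal, not a flag.
    """
    if gps is None:
        return False, None
    d = haversine_km(gps[0], gps[1], ip_geo[0], ip_geo[1])
    return d > ip_accuracy_km + slack_km, round(d, 1)


# Constructed sample sessions: device GPS fix and geolocation of the request's IP.
SAMPLE_SESSIONS = [
    {"id": "s1", "gps": (51.5074, -0.1278), "ip_geo": (51.5, -0.12)},      # consistent
    {"id": "s2", "gps": (51.5074, -0.1278), "ip_geo": (52.3676, 4.9041)},  # GPS London, IP Amsterdam
    {"id": "s3", "gps": None, "ip_geo": (40.7128, -74.0060)},              # permission not granted
]


def screen_sessions(sessions):
    """Run the check over a batch and return (id, flagged, distance_km) per session."""
    return [(s["id"],) + location_mismatch(s["gps"], s["ip_geo"]) for s in sessions]
```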
Full Integration With the ThreatMetrix Platform
ThreatMetrix Mobile is underpinned by real-time intelligence from the ThreatMetrix Digital Identity Network. The Network harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix stitches together a user’s true digital identity by analyzing the myriad connections between devices, locations and anonymized personal information. Transactions are verified in real time against trusted patterns of behavior: high-risk anomalies are accurately identified for review while genuine users experience minimal friction.
ThreatMetrix Mobile, powered by the intelligence and capabilities of the ThreatMetrix Digital Identity Network, supports all the integrated capabilities that are required to implement a holistic, comprehensive mobile app security framework.
The exponential and sustained growth of mobile transactions has made the mobile channel a popular target for cyberattacks, online fraud and cyber espionage. Mobile apps present new and evolving attack surfaces to criminals. What’s more, the criminal underground, including the dark web, is providing easy access to cyber tools, attack exploits, stolen identities, hosted services, professional services and technical support. Meanwhile, business competition and consumer demand are driving a market need for mobile apps that have increased capabilities and diverse functional access. Within the ThreatMetrix network, for example, nearly 50 percent of financial services transactions are coming from mobile, and mobile transactions grew 568 percent in Q1 2016, compared to the previous year.
There are very few businesses that have the capability to understand and effectively mitigate all the attack vectors across the multiple attack surfaces for all the different device architectures that connect online. There are even fewer businesses that have the capability to mitigate existing attack vectors and also monitor the continuously evolving threat environment to stay ahead of cybercriminals.
ThreatMetrix provides the full set of tightly integrated capabilities required to secure the mobile app business channel and protect the privacy of users, verifying transactions in real time without adding friction to the user experience.