Modern mobile hacks are diverse and can be performed by anyone, from an inexperienced amateur to highly skilled teams operating like tech startups. And the danger grows with the market opportunity.
Various hacking methods – including man-in-the-middle (MITM) attacks, mobile app piracy, memory hacking and trojans – constitute a real escalating danger to app developers and consumers. Here is how they work.
Man-in-the-middle (MITM) attacks intercept the data communicated between a mobile app client and the server. They enable session hijacking or data sniffing. Recently, Instagram acknowledged it is particularly vulnerable to MITM attacks after a security researcher revealed the photo-sharing app uses non-secure HTTP (versus HTTPS) to transmit data. This fatal flaw can lead to user IDs, passwords, and photos being leaked.
"Piracy is profitable since there is little development cost and multiple marketplaces that may not be strictly policed."
App piracy occurs when a developer's source code is used to copycat the app. Hardest hit are mobile game developers, who can see piracy of their top games soar up to 90 percent on Android and 87 percent on iOS, respectively. This has forced app developers to adopt the freemium model, which is not without its own set problems.
Piracy is profitable since there is little development cost and multiple marketplaces that may not be strictly policed. Users may choose to download pirated versions for lower or no cost, taking revenue away from the original creators.
Simple internet searches turn up countless memory-hacking tools used to modify an app's data. This can be used for unlimited game cash, higher levels, better scores and to otherwise cheat. This is an unfair advantage and discourages users from otherwise paying for premium game items.
Trojans pose as legitimate apps that secretly contain malicious code. Trojan apps can steal data – including user information and passwords – lock the device and demand a ransom, spam your contact book, or hijack the phone and send out unauthorized premium SMS messages to rack up fees without your knowledge. Even if the app is deleted, there is a chance that the malware was replicated elsewhere and remains a problem.
This list is by no means exhaustive. The ramifications are clear: If hackers want access to your app, there is no shortage of methods.
Most existing solutions focus on protecting server data or the device and don't cover the mobile app. This is a concern, since the app is where the majority of security breaches originate. Why bother locking your bedroom door when the front door is wide open?
Mobile is not a single-step platform. Security should exist on every layer across the entire ecosystem, from app to device, communications, etc. There is no one-stop solution that covers it all, so it is important to ensure security on all layers. There's no foolproof way to prevent all attacks, but there are simple and effective practices that should be employed: Binary level obfuscation; string encryption; server verification (payments); encrypting keys, certificates and tokens – even public keys and source code obfuscation.
App marketplaces have created an unprecedented opportunity for hackers to disseminate malware. Our smartphones and tablets play an ever-increasing role in our lives, which is why developers must do all they can to protect intellectual property and prevent malicious attacks. There are no bulletproof solutions, but there are preventative steps to mitigate risk that are worth the time investment. We as an industry owe it to ourselves and our users to do all we can.
Min-Pyo Hong is founder and CEO of SEWORKS, a mobile app security firm with U.S. headquarters in Palo Alto, Calif.