Mobile app security threats are a hot topic. A massive number of mobile apps process in-app payment transactions, handle sensitive user data, and so on. All of this makes mobile apps a primary target for attackers, and application developers should build them with security in mind.
As daily usage of mobile phones grows, mobile app security is becoming a major concern that needs to be addressed when developing applications. It is not true that only banking-related (and similar) applications should be developed with security in mind: a massive number of mobile apps process in-app payment transactions, handle sensitive user data, and so on, and all of this makes them a primary target for attackers.
RASP (Runtime Application Self-Protection) plays a crucial role in securing mobile apps because it detects attacks at runtime, i.e., while the application is running, so that an active attacker is stopped in a chosen, predefined way. Some real-world runtime attacks on mobile apps that the App Protector SDK (ASEE's implementation of a RASP SDK) detects are listed below.
When an application runs on an emulated device, its sensors are emulated too and can be tweaked to produce artificial values of the user's choosing. This poses a mobile app security threat to applications that rely on location sensors, or that use behavioral authentication. Behavioral authentication identifies the user based on the unique patterns exhibited when they interact with the device, and some implementations use sensor readings as part of that identification (e.g., the location sensor to determine the user's country). Although its practicality is questionable, hypothetically speaking, sensor value tweaking can weaken the aforementioned kind of authentication, if not bypass it completely.
Another popular mobile app security threat is hooking. Hooking an application allows an attacker to change its behavior at runtime (e.g., while the user is interacting with it). Let's say that the victim (let's call her Alice) tries to send money to a person named Bob via some application. An attacker, named Kevin, will try to redirect this payment to his own account. First, Alice enters Bob's name, account number, the amount, and whatever other data is required. Alice then presses the "Send" button and confirms the transaction with her fingerprint. She neither knows nor sees that Kevin has hooked the application she is using and changed the name and account number parameters in the background (to match his own name and bank account). Alice has just sent some amount of money to Kevin instead of Bob, and she has no clue how this happened.
It is the owner's and developers' job to make sure that the security of the mobile application is at the highest level possible, so that users can use the application seamlessly without security concerns in mind. After all, users should never have to worry about the app's security; they are only customers using your application. This is why implementing RASP is an essential part of today's mobile app development.
App Protector is a RASP SDK by ASEE that is easy to integrate and offers both offline and online modes of operation. App Protector safeguards the application from runtime mobile attacks and responds to each detection according to a detection-reaction configuration. For example, App Protector notifies the user when debugging is detected, or terminates the application when hooking, such as Frida injection, is detected.
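A minimal illustration of the hooking detection and detection-reaction policy described above, written here as an added example (it is not App Protector's code and says nothing about how ASEE implements its checks): it scans the text of /proc/self/maps, which an Android process can read for itself, for mapped libraries whose names suggest an injected Frida agent, and maps a detection to a configured reaction. The marker list, the policy table and the sample mappings are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
typedef enum { REACT_NONE = 0, REACT_NOTIFY = 1, REACT_TERMINATE = 2 } reaction_t;

/* Detection-reaction policy (assumed table): notify on a debugger, terminate on hooking. */
static const struct { const char *detection; reaction_t reaction; } policy[] = {
    { "debugger", REACT_NOTIFY }, { "hooking", REACT_TERMINATE },
};

reaction_t reaction_for(const char *detection) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].detection, detection) == 0) return policy[i].reaction;
    return REACT_NONE;             /* unknown detection type: no reaction configured */
}

/* Assumed marker list: Frida's injected agent and gadget libraries carry "frida" in their names. */
static const char *markers[] = { "frida" };
/* Count lines of a /proc/self/maps text whose mapped path contains a marker. */
int count_suspicious_mappings(const char *maps) {
    int hits = 0;
    for (const char *line = maps; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024];            /* bounded copy so strstr never reads past this line */
        size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
        for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++)
            if (strstr(buf, markers[m])) { hits++; break; }
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}
/* Any suspicious mapping is reported as a "hooking" detection and mapped to its reaction. */
reaction_t react_to_maps(const char *maps) {
    return count_suspicious_mappings(maps) > 0 ? reaction_for("hooking") : REACT_NONE;
}

/* Constructed sample: two injected Frida libraries next to an ordinary libc mapping. */
static const char sample_maps[] =
    "7f2a00000000-7f2a00021000 r-xp 00000000 fd:01 1234  /system/lib64/libc.so\n"
    "7f2a10000000-7f2a10400000 r-xp 00000000 fd:01 5678  /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f2a20000000-7f2a20004000 rw-p 00000000 00:00 0\n"
    "7f2a30000000-7f2a30010000 r-xp 00000000 fd:01 9999  /data/app/com.example.bank/lib/arm64/libfrida-gadget.so\n";
int main(void) {                   /* stand-alone run over the constructed sample */
    printf("%d suspicious mapping(s), reaction %d\n", count_suspicious_mappings(sample_maps), react_to_maps(sample_maps));
    return 0;
}
```

Name-based scanning is a single signal: a renamed agent library will not match, which is why a production RASP combines several independent checks before reacting.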
In the online App Protector mode, the administrator has access to a GUI through which all of the organization's applications are analyzed and managed. Analyzing an application means inspecting parameters related to attacks on it, such as the number of attacks, the attack type, etc. Managing an application means altering the detection-reaction configuration for a certain mobile app, which results in a real-time update of the detection-reaction policy applied on the end user's device.
If you would like to know more about the available reactions and learn how to protect your mobile application using the App Protector solution, feel free to contact us. Our team is happy to walk you through the whole process of making your mobile application secure.
Author: Vito Medved (Android developer), ASEE.
Vito is one of the App Protector SDK developers and also works on authentication-related projects such as the Mobile Token SDK. He is interested in cybersecurity and authentication.