In my earlier blog, Times are a-changing, I talked about how COVID-19 has impacted the daily usage of mobile apps. The implication is that the increase in daily usage makes mobile apps a much more attractive target for hackers, resulting in an increase in the number of cyberattacks.
The facts are in
As it turns out, the FBI issued a public service announcement about this real threat at the same time as I was writing that blog. In the announcement issued on June 10th, 2020, the FBI warns that studies show that since the beginning of 2020, there was a 50% increase in the use of mobile banking. With this increase, the FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps.
At the same time, Positive Technologies published the report "Positive Technologies: Half of mobile banks are vulnerable to theft of funds through mobile app flaws", in which they surveyed 14 mobile banking apps. Among their findings:
- In 13 out of 14 apps, attackers can access user data from the client-side.
- All 14 of the studied banking apps lacked either code obfuscation or protection against code injection.
From both the FBI’s public service announcement and the Positive Technologies report, we can expect a rise in attacks against mobile financial apps due to increased usage and the fact that many of these apps do not have sufficient defenses in place. What this tells us is that mobile app protection is more essential than ever.
This projected increase in attacks against financial apps likely means trouble for all developers of mobile apps. Once hackers refine their skills against banking apps, it’s a small jump to attacking other kinds of apps.
Do I need to protect my app even if it doesn’t contain any secret technology?
Why does the Positive Technologies report identify lack of code protection as an issue? If you have critical intellectual property ingrained in the mobile app, the need to protect this is obvious. But what if you don’t have any key technology integrated into your app? Is it worth the trouble to protect it?
It turns out that there is a need for app protection even if it doesn’t contain any intellectual property. In an earlier blog, I referenced Jane Manchun Wong’s Twitter feed. In one of her latest exploits, she uncovered that an app was about to add two-factor authentication and managed to lock herself out of her own account while trying out the feature 12 days early. In this case, it was all in good fun, but imagine if one of your competitors got early insight into product direction prior to official marketing announcements.
In another case, the Irdeto team reverse engineered an Android app and discovered hard-coded credentials that could have been leveraged to understand the ad framework used and the price paid per impression to the app. Imagine the competitive disadvantage if your competitors knew exactly how much advertising revenue was being gained from your app and how much the app was making per impression.
Lastly, we can look in the news today. What if a competitor reverse engineered your app to leak details around the user analytics or SDKs in order to damage your brand?
What does this mean?
In short, it means that we know from market reports that more and more people are using mobile apps. This is highly likely to increase the number of attacks, and a large percentage of mobile apps today don’t use any form of software protection.
If you have key intellectual property or data in the mobile app, the need for software protection is obvious, but there are a lot of additional reasons to apply protection, ranging from preventing the early release of upcoming features, to securing and protecting sensitive commercial relationships, to protecting secondary functions within your app from analysis and resulting brand damage.
In the past, software protection was nice to have, but with the increased focus on mobile apps by hackers, you can bet that software protection is now a necessity.