Hacked mobile apps, and malicious forgeries of them, can wreak havoc not only on your business but on your personal life as well. The preventative measures below reduce that risk.
In its broader sense, forgery includes any piece of code introduced into your corporate mobile app without your knowledge and against your purposes. Such code can let a third party take control of all the traffic generated by users who install your app on their devices, and interact directly with those users.
Forgery and Hacking – the Top Threats for Worldwide Cyber Security
Impersonating a legitimate business has long been one of the main ways in which scam artists and cyber criminals gain material advantage or obtain sensitive data. In today's mobile world, with all its implications for everyone's personal and professional lives, installing and using a compromised app (whether hacked or a complete forgery developed by cyber criminals) is one of the highest risks for users and one of the worst reputation risks for companies.
The risks posed by hacked or forged apps are indeed of the highest degree. Research by Risk IQ, a company that helps brands protect their image in the web and mobile app environments, found that among the mobile apps it examined, malware embedded in the apps had the following capabilities:
8,408 apps could record phone conversations
7,188 could access the list of contacts
2,961 could send text messages to contacts
1,148 could install software packages without the user’s knowledge
1,028 could access the precise GPS location of the user.
To this we have to add statistics from Gartner, a leader in information technology research and advisory, stating that 78% of the top 100 Android and iOS apps have already been hacked.
The numbers themselves are beyond worrisome, and the actions a hacked mobile app can perform pose more than cyber security risks: they can affect the personal safety of the user.
A new threat: Hacktivism
Hacktivism is the generic name given to individuals or groups, some of the most famous being Edward Snowden, WikiLeaks and Anonymous, who invoke the general good of the public as justification for breaking into confidential data and publishing it, without demanding or expecting any material benefit from their actions.
Once restricted to web servers and databases, hacktivism is now moving to mobile phones through forgeries and malicious code inserted into mobile apps with weak protection, according to the Motive Security Lab Malware Report. The report, prepared by the cyber security division of IT giant Alcatel-Lucent, states: “Mobile malware is increasing in sophistication with more robust command and control protocols.”
What is the response of your company against these threats?
It is impossible to create a 100% safe procedure for building, publishing and monitoring your mobile apps. However, there are steps your organization can take to mitigate the risks of forgery and hacked mobile apps. The most salient advice offered by top cyber security specialists is:
1. Create Cross-Protection Levels for Connected Products
Many mobile apps are connected to sub-products that offer the user additional functions and options. Whether the model is freemium or modular (letting users install only the basic functions, taking up less storage space, or the full app), every one of these connected products is additional attack surface. You should therefore always consider extra protection for the transport layer between two levels or modules of your overall mobile app product: TLS on the network link is the baseline, and the messages exchanged between modules should also be authenticated so that a forged module or an attacker on the path cannot inject or replay commands.
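One way to authenticate the traffic between two modules, as an added example that is not code from the original article or from any product it mentions: each message carries a timestamp, a random nonce and an HMAC-SHA256 tag, and the receiving module rejects anything that fails the tag check, is outside a freshness window, or repeats a nonce it has already accepted. The shared key and the 30-second window are assumptions for the example; a real deployment would provision a per-installation key out of band and still run this inside TLS.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Assumption for this example: both modules hold a secret provisioned out of
# band (e.g. derived per installation); the value below is only a placeholder.
SHARED_KEY = b"placeholder-shared-key-provisioned-out-of-band"
FRESHNESS_WINDOW = 30  # seconds; older (or future-dated) messages are rejected


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_envelope(payload: dict, key: bytes = SHARED_KEY,
                   now: Optional[float] = None) -> dict:
    """Sender side: wrap a cross-module message with a timestamp, a random
    nonce and an HMAC-SHA256 tag that covers all three fields."""
    ts = int(time.time() if now is None else now)
    body = {"ts": ts, "nonce": os.urandom(16).hex(), "payload": payload}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class EnvelopeVerifier:
    """Receiver side: accept a message only if its tag verifies, it is fresh,
    and its nonce has not been seen before (replay protection)."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self._seen: Dict[str, int] = {}  # nonce -> ts of accepted messages

    def verify(self, envelope: dict, now: Optional[float] = None) -> Optional[dict]:
        """Return the payload if the envelope is authentic and fresh, else None."""
        now = int(time.time() if now is None else now)
        try:
            body = {k: envelope[k] for k in ("ts", "nonce", "payload")}
            tag = envelope["tag"]
        except (KeyError, TypeError):
            return None
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Authenticate first, in constant time, before trusting ts or nonce.
        if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
            return None
        if not isinstance(body["ts"], int) or abs(now - body["ts"]) > self.window:
            return None  # stale or badly clock-skewed; also bounds the nonce cache
        if body["nonce"] in self._seen:
            return None  # exact replay of a message that was already accepted
        self._seen[body["nonce"]] = body["ts"]
        # Forget nonces that are now too old to be accepted anyway.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.window}
        return body["payload"]


if __name__ == "__main__":
    # Constructed demo: a premium module telling the core module to unlock a feature.
    msg = build_envelope({"action": "unlock_premium", "user": 42})
    verifier = EnvelopeVerifier()
    print("first delivery:", verifier.verify(msg))   # the payload
    print("replayed copy: ", verifier.verify(msg))   # None
```

The tag is checked before the timestamp or nonce is interpreted, so an attacker who cannot forge the tag also cannot probe the replay cache or the clock-skew logic with crafted fields.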
2. Create a Solid Screening Process for All Code Suppliers
A high percentage of hacked apps were developed in collaboration with outsourced suppliers. The link between the two is that certain suppliers, selected for their low prices, have weak internal controls or, in the case of independent coders, may deliberately place extra pieces of code in the app for later exploitation.
To avoid inviting the Trojan horse into your mobile app, create a solid and rigorous screening process, including review of the code you actually receive, ideally in cooperation with an IT security audit specialist.
3. Implement More Rigorous Session Handling Practices
Users get distracted, or may lose their wireless connection or battery power. If their logged-in sessions on your mobile app remain active indefinitely, this gives an attacker an opportunity to reuse the session to steal user data or even perform transactions on the user's behalf. Implement rigorous server-side session timeouts: an idle timeout that automatically logs the user out after a period without requests (which is also how the server notices that a device has gone away, since it cannot observe a lost connection directly), plus an absolute lifetime after which the user must re-authenticate regardless of activity.
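The session handling described above, as an added example that is not code from the original article: a server-side session store holding opaque random tokens, with an idle timeout that is refreshed on every request, an absolute lifetime that is not, and explicit logout and revoke-all operations. Binding each session to the device identifier it was created from is an additional check assumed here, beyond what the text states; the 15-minute and 8-hour values are assumptions to be tuned per application.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60       # assumed: log out after 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: re-authenticate after 8 hours regardless


@dataclass
class Session:
    user_id: str
    created_at: float   # never updated; drives the absolute timeout
    last_seen: float    # refreshed on each request; drives the idle timeout
    device_id: str      # assumed extra check: token only valid from this device


class SessionStore:
    """Server-side session table. The client holds only the opaque token;
    all state and every expiry decision live on the server."""

    def __init__(self, idle: float = IDLE_TIMEOUT, absolute: float = ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, device_id: str, now: Optional[float] = None) -> str:
        """Create a session after credentials were verified; return its token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user_id, now, now, device_id)
        return token

    def logout(self, token: str) -> None:
        """Explicit logout: drop the session server-side, not just on the client."""
        self._sessions.pop(token, None)

    def logout_all(self, user_id: str) -> int:
        """Revoke every session of a user (password change, device reported lost)."""
        stale = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def authenticate(self, token: str, device_id: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Called on every request. Return the user id if the session is live,
        otherwise drop the session and return None so the app re-authenticates."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        expired = (now - s.last_seen > self.idle
                   or now - s.created_at > self.absolute
                   or s.device_id != device_id)
        if expired:
            del self._sessions[token]
            return None
        s.last_seen = now  # activity extends the idle window, not the absolute one
        return s.user_id

    def sweep(self, now: Optional[float] = None) -> int:
        """Periodic cleanup of sessions that expired without a further request."""
        now = time.time() if now is None else now
        dead = [t for t, s in self._sessions.items()
                if now - s.last_seen > self.idle or now - s.created_at > self.absolute]
        for t in dead:
            del self._sessions[t]
        return len(dead)


if __name__ == "__main__":
    # Constructed demo with short timeouts: a user goes quiet and is logged out.
    store = SessionStore(idle=60, absolute=600)
    tok = store.login("alice", "device-1", now=0)
    print(store.authenticate(tok, "device-1", now=30))   # alice
    print(store.authenticate(tok, "device-1", now=150))  # None: idle for 120 s
```

The absolute lifetime matters even for active users: without it, a stolen token that the attacker keeps touching every few minutes never expires.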
4. Release Updates according to Security Priorities
Although certain marketing best practices advise against frequent updates, keeping your users' accounts and devices safe takes precedence over everything else. Whenever your IT department discovers a vulnerability and a patch is ready, release it to all users as an app update (or as a firmware update, for connected devices the app controls).
Protecting your users' personal and confidential data and keeping them safe from malicious attacks on their smartphones should be the number one priority in building and maintaining your corporate mobile app. It should become part of your company values and best practices, reaffirmed at every opportunity, in order to maintain your reputation and your loyal customers.
Evan Rose is a web/mobile applications developer and entrepreneur. He started Rose Digital, a New York based minority-owned digital agency focused on mobile and single page responsive web applications, in 2014 and since then has built and delivered web and mobile applications for companies like Ford, American Express and Zoetis.