Thought Leader Series: App security failures and what’s being done to take preventative measures

Aug 23, 2017

The one-man, ace engineering wrecking crew – If you have a problem, if no one else can help, and if you can find me, maybe you can hire… the Cabe-team.

App developers, especially those in the Android community will undoubtedly know these identifiers:

CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 and CVE-2015-3864.

Those CVEs (Common Vulnerabilities and Exposures identifiers) are collectively known as the Stagefright bug, a set of flaws in libstagefright, the media playback library built into Android, that put roughly one billion Android devices worldwide at risk when it was reported to Google in April 2015. The bug allowed attackers to compromise a device through a specially crafted video sent by MMS. While the stock Android messaging app held the exploit at bay until the user opened the message, others such as Hangouts pre-process incoming media and could trigger the exploit without the user opening the attachment at all.

Continuing on the numbers trend, app protection company Arxan released some startling figures in its ‘State of Application Security’ report for 2016. The company’s infographic reports that 90% of the 126 medical and financial apps it tested were vulnerable to at least two of the OWASP Mobile Top 10 risks. OWASP, the Open Web Application Security Project, is an online community that produces free publications and tools for application security. Arxan’s findings show that 84% of FDA-approved medical apps and 80% of previously NHS-approved apps were vulnerable to at least two of those risks. Arxan also found that 98% of the apps tested lacked any form of binary protection, meaning they could be easily modified or reverse engineered, and that 84% had insufficient transport layer protection, exposing data in transit to interception and therefore to data and identity theft.

Mobile apps are just one example of security failures that can result in everything from identity theft to hacked bank accounts. The prospect of our vital information being in the hands of unknown attackers is a disturbing thought; other scenarios, such as someone wirelessly taking control of a vehicle, are downright frightening. Wired reported in July 2015 that a pair of security researchers, Charlie Miller and Chris Valasek, were able to take control of a Jeep Cherokee using a ‘zero-day’ exploit.

The pair controlled the vehicle’s radio, climate control, seats and windshield wipers (every dashboard function) from a laptop over a wireless connection, using exploit code they have kept closely guarded. The same foothold, gained through the Uconnect entertainment system and its associated apps, let them send commands to the car’s internal network, and they demonstrated their ability to commandeer the smart vehicle’s steering wheel, honk the horn and even disable the brakes. More “smart cars” are opening up to app development, and in turn to the digital underbelly.

Those are just a few of the examples that concern app developers, and with the constant advent of new technologies, the race to make them secure is a never-ending battle. Developers are constrained by the time and money their companies allow to get apps out to consumers, which tends to limit the effort spent integrating strong security measures. In these cases developers tend to rely on a stopgap, layered solution that acts more like a Band-Aid than a fix-all. We have all seen these in the form of software updates and patches released when security or stability problems arise.

Stopgap solutions are ‘layered’ solutions: they are coded on top of the existing application to provide an additional layer of protection. Increasing the strength of data encryption is a typical example. It counters brute-force attacks aimed at defeating the algorithm itself, but it does nothing against an attacker who simply circumvents the encryption, for instance by reverse engineering an unprotected binary to recover the key, in order to gain access to the app’s data.


App developers who are not proficient in security can turn to third-party services from reputable companies that specialize in protections such as two-factor authentication, TLS/SSL certificates and, of course, encryption. Companies such as Duo Security, Thawte, Autosend and AWS provide products and tools that let developers not only implement security but also test its strengths and weaknesses. Third-party services are by no means an end-all security solution, but they do add a level of protection to an otherwise intrusion-susceptible platform.

Finally, developers can build security in both during and after the design phase by following a simple set of measures that deter attackers. Keeping libraries and frameworks up to date (including any CMS, or Content Management System, the app relies on) and serving all traffic over TLS is a good start. Going further, storing passwords with a purpose-built password hashing function (PBKDF2, bcrypt, scrypt or Argon2) rather than a bare cryptographic hash, and using cryptographic hash functions to verify file integrity, will help protect end users; validating user input and using parameterized queries on the server side (never relying on checks done on the device, which an attacker controls) will deter SQL injection; and finally, a hardened server will help minimize the risk of data breaches and theft.
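The following is an added example, not code from the original article or from any of the companies it names, showing two of the server-side measures above in working form: a login lookup that builds SQL from user input (the injection the article warns about) next to the parameterized version, and password storage using PBKDF2 with a per-user salt and a constant-time comparison. The in-memory SQLite database, the user records and the injection payload are all constructed for the demonstration; the iteration count is an assumed value to be tuned as high as login latency permits.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as far as latency allows.
ITERATIONS = 200_000


def setup_db():
    """Create a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a salted PBKDF2 digest; a fresh 16-byte salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored_digest, iterations=ITERATIONS):
    """Recompute the digest and compare in constant time to avoid a timing side channel."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


def add_user(conn, name, password):
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))


def lookup_vulnerable(conn, name):
    """Vulnerable: the user-supplied name is spliced into the SQL text itself."""
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_safe(conn, name):
    """Hardened: the name travels as a bound parameter and can never become SQL."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,)).fetchall()]


def login(conn, name, password):
    """Parameterized lookup followed by a salted, constant-time password check."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Burn the same work for unknown users so response time does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        return False
    return verify_password(password, row[0], row[1])


def demo():
    """Run the constructed scenario and return the observations for inspection."""
    conn = setup_db()
    add_user(conn, "alice", "correct horse battery staple")
    add_user(conn, "bob", "hunter2")
    # Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
    payload = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),  # every user leaks
        "safe": lookup_safe(conn, payload),              # no match, as intended
        "login_ok": login(conn, "alice", "correct horse battery staple"),
        "login_bad": login(conn, "alice", "wrong password"),
        "login_nouser": login(conn, "mallory", "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns both users for a payload that matches none of them, because the string formatting turned the input into part of the WHERE clause; the parameterized lookup returns nothing. The same idea carries over to PHP, where prepared statements in PDO or mysqli play the role of the `?` placeholders here.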

All of these measures are used by developers to maintain app security and integrity against a set of vulnerabilities that grows daily and must be contended with. It should be noted that no application is completely secure; there is always the possibility it will be breached at some point, and while developers continually do their utmost to keep apps secure, end users should be wary of the critical information and data they provide to them.
