Stop Bad Actors from Attacking Your Mobile Apps

Beth McElroy
Published August 23, 2023

Mobile malware and other malicious activity continue to plague mobile users as they try to shop, bank, check their health, and more—all from their phones. While the end user has a role to play in avoiding attack, it’s ultimately the responsibility of the app providers—the product team, operations team, and privacy and security teams—to ensure that the mobile environment stays safe. The sensitive data flowing through these mobile apps must also be kept away from unauthorized, prying eyes.

Mobile Risk is Slightly Different

While organizations have increased their investments in cloud, network, and web application protections, many still treat mobile applications the same way they treat traditional endpoints such as desktops and laptops, both corporate-owned and BYOD.

However, the mobile environment introduces unique challenges that expose these systems to compromise. For example, attackers often turn to the following methods to breach a device, steal data, gain privileged access, and misuse the application:

  • Repackaging mobile apps
  • Injecting malware
  • Hijacking app behavior with hooking frameworks
  • Performing overlay attacks

Once a bad actor controls a mobile app, they can pivot from the client-side application to launch automated attacks against the server-side applications. Here, they could perform various bad bot attacks such as credential stuffing, account takeover, scraping, and more.

The main goal with any security program is to protect the environment from compromise, but this end state is often driven first by the need to meet compliance standards, such as the following:

  • Privacy: GDPR, CCPA
  • Payments: EMVCo SBMP, PCI-DSS, and PSD2
  • Health records: HIPAA

This reality is why experts from Google Cloud and F5 came together to host a webinar that discusses these challenges and provides a path forward for cloud engineers, app developers, operations teams, and security professionals to work together so that mobile app security is managed sufficiently across their DevSecOps programs.

Part of the big picture here is picking the right infrastructure that can support the demands of today’s modern, adaptive mobile apps, while seamlessly extending security and privacy to end users, all without impacting user experiences. Equally important is safeguarding the CI/CD pipeline's delivery process against disruption and delays.

Different Viewpoints Matter

During the webinar, Jess Steinbach, a moderator from ActualTech Media, walked Joshua Haslett, Strategic Technology Partner Manager at Google Cloud, and Peter Zavlaris, Cybersecurity Evangelist at F5, through several scenarios.

Business Leadership

Just because an organization complies with one or more regulations or standards doesn’t mean the risks and legal implications of its mobile apps disappear. At the same time, the risk profile for mobile needs to be viewed differently from that of traditional web apps, while still being integrated into the bigger risk picture.

The panel also discussed how business leaders could step up to help determine and calculate the change in risk to the business when a mobile app has the potential to be taken over by bad actors.

IT and Security Operations

IT and security teams have an opportunity to collaborate to better prepare for some of the changes they will need to make to their infrastructure to successfully integrate mobile app security into their development and delivery lifecycle.

Of course, the goal is to do so without significantly impacting tooling, delivery, team structure, or operations. The panel discussed the use of low-code technology to deploy and configure mobile app security, and how the findings from previous penetration tests or audits can help shape the strategy, planning, and communications for a more robust AppSec program that incorporates mobile apps.

Engineering and Developer Operations

To help this group better understand how the mobile apps they are building can be compromised, the panel described how app repackaging and hooking attacks work, sharing some from-the-trenches thoughts on how engineering and operations teams can coordinate efforts to better protect their apps from these threats.

On a brighter note, the panel also presented how engineering teams can find hidden benefits in their CI/CD pipeline by having a clear picture of, and a plan to address, the security risks in their mobile apps. Sometimes security can be more than mitigating risk; in this case, it can also improve processes and outcomes.

Real-World Examples Illustrate the Value of Taking Action

The group also discussed some real-world examples to help demonstrate the need to incorporate mobile into the broader CI/CD and DevSecOps process:

  • Maintaining compliance: The teams are able to meet regulatory requirements like GDPR and HIPAA with little to no impact on the delivery and maintenance of mobile apps.
  • Streamlined operations: IT operations can better handle the increase in mobile threats without burning out the team, tapping into communication best practices with each other and the executive leadership team.
  • In-app threat defense: A DevOps team can continuously monitor and assess the AppSec posture to successfully defend against threats targeting their app at runtime, exchanging critical information with the SecOps team to achieve the best response possible.

Stop the Mobile Attack Madness

If you’re curious how your mobile app security program stacks up against the real-time runtime threats targeting these systems, check out the on-demand Stop Bad Actors from Attacking Your Mobile Apps webinar.