Stop Bad Actors from Attacking Your Mobile Apps

While organizations have increased their investments in cloud, network, and web application protections, many still treat mobile applications the same way they treat traditional endpoints such as desktops and laptops, both corporate-owned and BYOD.

However, the mobile environment can introduce unique challenges, exposing these systems to compromise. For example, attackers will often turn to the following methods to breach a device, steal data, gain privileged access, and misuse the application:

• Repackaging mobile apps
• Injecting malware
• Hijacking hooking frameworks
• Performing overlay attacks

Once a bad actor controls a mobile app, it’s possible for them to take a hop from the mobile-side application to initiate an attack on the server-side applications using automated attacks. Here, they could perform various bad bot attacks such as credential stuffing, account takeover, scraping, and more.

The main goal with any security program is to protect the environment from compromise, but this end state is often driven first by the need to meet compliance standards, such as the following:

• Privacy: GDPR, CCPA
• Payments: EMVCo SBMP, PCI-DSS, and PSD2
• Health records: HIPAA

This reality is why experts from Google Cloud and F5 came together to host a webinar to discuss these challenges and provide a path forward for cloud engineering, app developers, operations teams, and security professionals to work together to ensure mobile app security is managed sufficiently across their DevSecOps programs.

Part of the big picture here is picking the right infrastructure that can support the demands of today’s modern, adaptive mobile apps, while seamlessly extending security and privacy to end users, all without impacting user experiences. Equally important is safeguarding the CI/CD pipeline's delivery process against disruption and delays.

During the webinar, Jess Steinbach, a moderator from ActualTech Media, walked Joshua Haslett, Strategic Technology Partner Manager at Google Cloud, and Peter Zavlaris, Cybersecurity Evangelist at F5, through several scenarios.

Business Leadership

Just because an organization complies with one or more regulations or standards doesn’t mean their mobile apps' risks and legal implications disappear. Similarly, the risk profile for mobile needs to be viewed differently from traditional web apps, but still integrated into the bigger risk picture.

The panel also discussed how business leaders could step up to help determine and calculate the change in risk to the business when a mobile app has the potential to be taken over by bad actors.

IT and Security Operations

IT and security teams have an opportunity to collaborate to better prepare for some of the changes they will need to make to their infrastructure to successfully integrate mobile app security into their development and delivery lifecycle.

Of course, the goal is to do so without significantly impacting tooling, delivery, team structure, or operations. The panel discussed the use of low-code technology to deploy and configure mobile app security and how the findings from previous penetration tests or audits can help them shape the strategy, planning, and communications for a more robust AppSec program that incorporates their mobile apps.

Engineering and Developer Operations

To help this group better understand how the mobile apps they are building can be compromised, the panel described how app repackaging and hooking attacks work, sharing some from-the-trenches thoughts on how engineering and operations teams can coordinate efforts to better protect their apps from these threats.

On a brighter note, the panel also presented how engineering teams can find hidden benefits in their CI/CD pipeline by having a clear picture and plan to address the security risks in their mobile apps. Sometimes security can be more than mitigating risk—in this case; it can also improve processes and outcomes.

The group also discussed some real-world examples to help demonstrate the need to incorporate mobile into the broader CI/CD and DevSecOps process:

• Maintaining compliance: The teams are able to meet regulatory requirements like GDPR and HIPAA with little to no impact on the delivery and maintenance of mobile apps.
• Streamlined operations: IT operations can better handle the increase in mobile threats without burning out the team, tapping into communication best practices with each other and the executive leadership team.
• In-app threat defense: A DevOps team can continuously monitor and assess the AppSec posture to successfully defend against threats targeting their app in runtime, exchanging critical information with the SecOps team to achieve the best response possible.