Don't assume apps are safe: why app security is becoming crucial
As the app world continues to grow and become a more complex beast, the threat of attacks from cyber criminals naturally becomes more acute. Indeed, while it was once assumed that mobile apps were less of a target than insecure websites, it’s now clear that isn’t the case.
Take, for example, the recent CallJam case. Back in September 2016, the Android app managed to infect around 2.5 million users after it sneaked its way into the Google Play store undetected. In a nutshell, the app used a suite of games to entice users into downloading the product, which was actually a front for malware.
Once infected, a victim’s phone would generate fraudulent calls to premium phone numbers and also bombard their phone with malicious ads. Although the app was removed by Google once the security issue was discovered, the damage was already done. Beyond this latest attack, we’re now starting to see more vulnerabilities appear in apps.
Apps Are Evolving, But So Are the Threats
As outlined by IBM security engineer Paul Ionescu, application development is “moving more and more onto the web” and that poses certain problems for developers and website owners. According to OWASP’s most current list of leading security threats for apps, injections are the most common vulnerability. The most potent form of attack is the SQL injection which, as Incapsula points out, occurs when a criminal uses “malicious SQL code to manipulate a backend database.”
With SQL injections accounting for 8.1% of all data breaches in 2014 and additional data from the Ponemon Institute suggesting the figure could have been as high as 54% for some businesses in 2015, there’s clearly an issue. Indeed, with apps vulnerable, provisions such as web application firewalls (WAFs) are more important than ever.
Web application security through a WAF is a simple and secure way for businesses to protect themselves. Through a combination of hardware and software solutions, those with an app can meet the key criteria for PCI DSS certification and, therefore, reduce their risk from SQL injections.
Don’t Just Assume Apps Are Safe
Moreover, because a WAF resides on the edge of the network and doesn’t require any reworking of an app’s internal mechanics, it is a viable solution for app developers, large and small. In light of recent events, this sort of protection should now be seen as a standard for anyone offering an app. September 2016 alone saw malicious apps attack 45 major brands across a range of industries, including banking and finance.
Apps are now a fundamental part of our online experience. Whether it’s through our mobile devices or desktops, apps now provide access to more information, services and entertainment. However, as is often the case, increased activity creates unwanted attention from cyber criminals and hackers. With SQL injection attacks continuing to rise, security now needs to be at the forefront of everyone’s mind.
Whether you’re a developer, a business, or an end-user, simply believing that “apps are safe” is no longer viable. Fortunately, if we’re able to use a combination of education and action to thwart the criminals, then incidents like the CallJam one should become a lot less of an issue in the coming years.