Mobile app protection
PENETRATION TESTING AND APPLICATION PROTECTION
Developers are often confident that no one will bother with their app because it is not widely known, and that money or user data are unlikely to be stolen. Some do realize that the risk exists, but continue to skimp on security.
When a new application enters the market, its users must be confident that their sensitive data will not end up in the wrong hands. The large volumes of information flowing through applications and stored on servers are a prime target of cyberattacks, and such attacks are happening far more frequently these days, which is why protection is needed.
APPLICATION SECURITY TESTING METHODS
Among them we will distinguish four main ones:
THE IMPORTANCE OF SECURING FINTECH APPLICATIONS
According to reports from subject-matter experts who have conducted research in recent years, most attacks in 2019 targeted the financial sector, as has been the case for four years in a row. Kaspersky Lab also cites data showing that this trend has persisted since 2015.
Participants of the World Economic Forum included cyberattacks among the top five risks for 2019. The Bank of Great Britain placed them in the top three, and by the end of the year they had moved up to second place.
Today, large commercial banks are able to protect their own applications and systems thanks to their information security departments. Newly established fintech organizations, however, are not particularly keen on this, which leads to significant difficulties.
BREAK-INS WITH THEFT
We collect statistics on incidents in areas in which we are well versed. Problems occurring on crypto exchanges and services deserve monitoring because their main component is web applications, and most cyberattacks come through these systems.
When you have developed an app, or implemented a tokenization system on top of an existing one, be aware that when you announce the innovation, not only your target audience will hear about it, but also fraudsters. If you do not take the time to test the release for vulnerabilities, criminals will already be lining up to exploit it.
THEFT OF TRADITIONAL MONEY, FUNDS AND PAYMENT INFORMATION
Hackers are still attacking banking systems, even though these are better secured than fintech companies. In 2020, the number of successful hacks in Asia increased. Using stolen bank card data, the following amounts were taken from banks in various countries:
- India - 462,000;
- South Korea - 397,000;
- Malaysia, Singapore, and the Philippines - 235,000.
Cash is also stolen from financial institutions, but these cases are carefully concealed in order to preserve the bank's reputation; otherwise clients would leave in droves. If any information reaches the press, it is minimal, and the amount stolen is not specified. Clients are then assured that their funds are safe, and the public stops worrying, knowing that the banks are insured.
Fintech companies that are not traditional banks are much less secure. Vulnerabilities are regularly found in mobile banking apps and electronic payment systems. Recent examples include the following:
At the beginning of February 2020, fraudsters abused PayPal's integration with Google Pay to pay for purchases in the United States using the accounts of German residents. PayPal confirmed that the problem existed and had to compensate the victims for all losses.
In the middle of that year, criminals stole the personal data of almost 8 million users of the Dave mobile banking app. The cause was negligence on the part of Waydev, which supplied analytics services to the company. Because no financial or confidential information was supposed to be there, the database had been left publicly accessible.
Buying at someone else's expense without authorization
Over the past three years, hackers have noticeably stepped up their attacks on cloud services and online stores. The reason for this is that e-commerce uses customer cards, most of which are tied to their accounts, and clouds contain a huge amount of sensitive data.
The summer of 2019 saw an incident that illustrates both how careless app developers can be and how professional attackers are. At the beginning of the month, a Japanese supermarket chain pleased its customers with the ability to make mobile payments through the 7pay app. Hackers were pleased as well: within a single day they found a vulnerability there that led to about nine hundred accounts being compromised, and within 24 hours about half a million dollars were withdrawn from the linked bank cards. The next day the application was shut down, and the affected customers were reimbursed.
In the spring of 2020, attackers used the outdated but still functioning NNID authorization system to log into Nintendo customers' accounts. The fraudsters bought the company's products, as well as Fortnite in-game currency, paying with other people's cards or PayPal accounts. 300,000 users were affected; the company reset their passwords and refunded the money spent.
THE NEED TO PROTECT APPLICATIONS
Owners of companies outside fintech may think the risks are negligible because their business does not involve storing or transferring funds. This view is wrong, because cybercriminals are attracted to anything that is poorly secured and can be sold at a profit. First of all, your competitors will want to get hold of your personal data and confidential information. They can buy a stolen database relatively cheaply on the darknet and then process the data of thousands of customers. According to a report by IBM Security, each compromised account costs $152. Researchers surveyed companies already affected by such incidents: 25,600 accounts had been compromised and financial losses amounted to $3.9 billion.
CONSEQUENCES OF VIOLATING DATA LAWS
If a theft or leak does occur, you should be prepared to face fines and lawsuits for violating data protection laws. Most jurisdictions have rules covering such incidents, so regulators require companies that suffer a breach to inform them and their own customers, compensate them for damages and pay penalties.
Since late spring 2018, the EU has applied the General Data Protection Regulation, under which there are two tiers of fines depending on how serious the breach is:
- Lesser. A penalty of up to 10 million euros or 2% of annual turnover;
- Larger. A penalty of up to 20 million euros or 4% of annual turnover.
In Russia, these penalties are much milder. They are regulated by Law No. 152-FZ "On Personal Data". In the event of a violation, an administrative fine of 75,000 rubles has to be paid. This liability was tightened in July 2017 and is enforced by Roskomnadzor.
Alas, even these fines do not lead companies to focus their efforts on information security. The number of compromised records grows at a gigantic rate year after year, and so far there is no sign of the trend reversing.
MESSENGER THREATS
Messaging applications have become commonplace, partly replacing calls and texts. Hackers have not overlooked them, and are keen to examine messengers for weaknesses.
In 2019, the U.S. National Vulnerability Database was updated with eleven problems found on Facebook by bug hunters. The following year was not without similar incidents.
In early spring, WhisperText, developer of the Whisper app, which was created to let users communicate anonymously, was informed of a security problem. The news came from independent researchers, who disclosed the incident to the public through reporters. An unprotected 75 TB database containing 900 million records was discovered. It had been accumulating since 2012 and held:
- user aliases;
- location coordinates;
- IP addresses;
- profile information.
At the same time, WhisperText assured everyone that their app is the safest place on the web.
Just a month later, Zoom Video Communications, creator of the Zoom video conferencing platform, learned from a hacker that a bot existed. He explained that the bot had managed to crack the password of a third-party video conference in half an hour by brute force. It turned out that the web client imposed no limit on the number of password attempts, and the password was a six-digit numeric code, which gives only a million combinations.
Less than two weeks later, independent researchers discovered a Zoom database being sold on the darknet. The email addresses and passwords of over 500 thousand users, conference identifiers, keys and host names were exposed. This had nothing to do with the password brute-force bug.
Zoom's conference password protection appeared because, with the growth in popularity and audience size, a hooligan movement called Zoombombing emerged. Bored people would break into conferences and disrupt them with lewd behavior and shocking content.
Lengthening passwords with additional characters did not affect the situation, because these attackers did not guess passwords. They found them in open sources, or the passwords were handed over by ordinary participants and then distributed to groups where Zoom raids were planned.
If you have no desire to face such problems and end up in the news feed, you should commission a pentest from information security professionals before the hackers get there first.
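The control the Zoom web client was missing, as an added example (not code from the original page or from Zoom): a per-meeting cap on failed attempts followed by a lockout window, which turns the million-combination keyspace of a six-digit code from a half-hour job into one that is infeasible. The meeting passwords, limits and injected clock are constructed for the example.

```python
"""Attempt limiting for a short numeric meeting password.

Assumes a six-digit numeric code (10**6 possibilities). After MAX_FAILURES
wrong guesses the meeting is locked for LOCKOUT_SECONDS. The clock is
injected so the behaviour can be tested without waiting.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

KEYSPACE = 10 ** 6          # six decimal digits
MAX_FAILURES = 5            # failed attempts allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # lockout window after the limit is reached


@dataclass
class _MeetingState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class MeetingPasswordGuard:
    """Checks join attempts and locks a meeting after repeated failures."""
    passwords: Dict[str, str]                 # meeting_id -> code (constructed)
    clock: Callable[[], float] = time.time    # injectable for tests
    _state: Dict[str, _MeetingState] = field(default_factory=dict)

    def attempt(self, meeting_id: str, supplied: str) -> str:
        """Return 'ok', 'wrong' or 'locked' for one join attempt."""
        st = self._state.setdefault(meeting_id, _MeetingState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"            # still inside the lockout window
        expected = self.passwords.get(meeting_id, "")
        # Constant-time compare so response timing does not leak partial matches.
        if hmac.compare_digest(supplied, expected):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
        return "wrong"


def worst_case_guesses_per_day(max_failures: int = MAX_FAILURES,
                               lockout: int = LOCKOUT_SECONDS) -> int:
    """Upper bound on guesses one meeting absorbs in 24 h under this policy."""
    windows_per_day = (24 * 3600) // lockout
    return windows_per_day * max_failures


def unlimited_guesses_needed() -> int:
    """Without any limit, the whole keyspace is exhausted in at most this many tries."""
    return KEYSPACE
```

With these constants a meeting absorbs at most 480 guesses per day against a space of 1,000,000, compared with the unlimited rate the bot enjoyed.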
MOBILE APP VULNERABILITY
In early summer, a study of popular mobile apps found that:
- high-risk vulnerabilities were present in 43% of Android apps and 38% of iOS apps;
- flaws in security mechanisms accounted for 57% of findings on Android and 74% on iOS.
Overall, more than 3/4 of apps fail to keep data safe. Below is a list of the most common vulnerabilities in mobile apps that should be eliminated.
BINARY CODE
Leaving the binary unprotected lets hackers reverse-engineer it back to a readable form, which should not be allowed. Your application, like Fort Knox, must be impregnable. If the binary is unprotected, criminals gain access to valuable details inside it, such as the data storage layout and the security controls.
Fraudsters can also take a copy of the app, inject malicious code, and upload it to app stores under the same name as the official product.
CONNECTING TO AN INTERNAL SERVER
If a mobile app does not use HTTPS to connect to the server from which it retrieves data, it is vulnerable to interception. TLS connections are equally unprotected when the client accepts any certificate, for example through an insecure SSLSocketFactory configuration that skips validation.
Since basic HTTP authentication can no longer be considered secure, the REST API should be protected with JWT.
When user account data is accessed, these tokens become part of the interactive user login, which makes it secure.
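What "protecting the REST API with JWT" involves on the server side, as an added example that is not code from the original page or from any JWT library: the compact format is built with the standard library so the three checks a verifier must make are visible (pin the algorithm rather than trusting the header, compare the HMAC in constant time, enforce the expiry claim). The secret, claims and timestamps are constructed sample values.

```python
"""Minimal HS256 JWT issue/verify for a REST API (RFC 7519 compact format).

Secret, claims and timestamps are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"   # the server decides the algorithm, never the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict, ttl_seconds: int, now=None) -> str:
    """Create a signed token that expires ttl_seconds from now."""
    now = int(time.time() if now is None else now)
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Return the claims if the token is valid; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Reject anything but the pinned algorithm, including "alg": "none".
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time compare of the signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize_request(secret: bytes, authorization_header: str,
                      now=None) -> Optional[dict]:
    """Parse 'Bearer <token>' from a request; None means respond with 401."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    try:
        return verify_token(secret, token, now=now)
    except ValueError:      # covers malformed base64 (binascii.Error) as well
        return None
```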
DATA REPOSITORY
When user data is stored in an unprotected location, such as plist files, someone will sooner or later access it illegally. Credentials and other sensitive information should be kept in the iOS Keychain or the Android KeyStore, and any information stored locally must be encrypted.
Libraries containing open source code
Open-source libraries should be updated regularly to avoid security problems. Caution is needed, however: cybercriminals know that such libraries are a weak point and introduce malicious code into them. It may be impossible to tell that a library is infected until an automated build process, configured to pull the latest version, has already included it.
No two-factor authentication
A mobile application without 2FA is dangerous to use, so keep this protection in mind. When two-factor authentication is enabled, it stops attackers who manage to guess a user's ordinary password. One-time passwords keep the application safe and ensure the account stays intact.
WEB APPLICATION VULNERABILITY
According to a study of the most popular web applications conducted in late winter 2020, 90% of applications can be used to attack their users, 39% of sites allow unauthorized access to the application, and 68% of applications can leak your data to fraudsters. Let's focus on the most common web application vulnerabilities that should be avoided.
CMS WEAKNESSES
When you use popular content management systems such as WordPress or Joomla, keep in mind that they are not completely secure. Out of the box they contain many weaknesses that the site's owner or administrator has to work to fix.
Plugins installed in the CMS, both third-party and official, are similarly vulnerable. Even the most popular ones, such as Yoast SEO or WooCommerce, have been attacked via XSS, while an authorization plugin has been found unprotected against SQL injection.
SESSION MANAGEMENT
Session management is how the application recognizes the same user across multiple requests. Once the user has logged in, it lets them interact with the application without having to log in again.
Hackers attack session management in order to bypass authentication. Once they succeed, they soon compromise the whole web application.
ATTACKS AND WAYS TO HACK APPLICATIONS
In earlier years, protecting a web application meant configuring the server and cleaning the site of foreign files and code fragments. Back then there were fewer weaknesses, applications had a simple structure, and users behaved predictably. Over time, protecting applications became harder as server infrastructure evolved rapidly and the code grew more complex and voluminous, which increased the attack surface.
A variety of methods are used against applications from all directions. Below we look at the main types of attacks and hacking methods used by black-hat hackers in fraudulent schemes and by white-hat specialists when testing how secure a web application is.
BRUTE FORCE METHOD
This method is also known simply as "brute force". It is used to break into applications in the critical class in order to hijack API calls and determine the authorization code, leaving no trace of the crime. Interestingly, the code retains its original form afterwards. The attack also involves modifying the mapping so that an alternate API call is formed, which saves bank card data to a different server, collects information about the user, and is set up to perform malicious actions.
USE OF SQL INJECTIONS
This way of hacking web applications is common. Applications mainly use Structured Query Language, or SQL, to interact with the database, which creates and modifies the records in it.
Through SQL injection, attackers can attack the internal components of a web application that build SQL queries from user input. Acting in this way, hackers can extract information and use it for their own purposes. They can also modify the query and take over administration of the database.
In an SQL injection attack, SQL code is placed in a web form, and the application is forced to execute it, which lets fraudsters control restricted sections of the site. Other variants remove or add information by manipulating the database.
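The defect described above beside its fix, as an added example that is not code from the original page: a login check that splices form input into the SQL text, next to the same check with bound parameters. The in-memory SQLite table and the credentials are constructed sample data.

```python
"""SQL injection: a vulnerable login query next to its parameterized form.

The users table and credentials are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one ordinary user (plaintext only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """Defective on purpose: form input becomes part of the SQL text itself."""
    return (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the string-built query; quotes in the input change its meaning."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: input is always treated as a value."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def input_alters_query(username: str, password: str) -> bool:
    """Detection aid: does this input leave the quoted literals unbalanced?

    A crude review/logging check for the string-built form: a single quote
    inside either field means the generated SQL no longer says what the
    developer intended.
    """
    return "'" in username or "'" in password
```

Only the parameterized version is safe; the string-built one is kept purely to show the difference.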
SCRIPTING BETWEEN SITES
Cross-site scripting, or XSS, is used by hackers everywhere to break into websites and has become a very serious threat to their owners. Now only the largest sites, such as Google and Microsoft, are able to repel such intrusions consistently.
In an XSS attack, hackers embed malicious JavaScript in the links they distribute. If the user clicks such a link, the attacker can steal the user's data, hijack the web session and account, and replace the advertisements on the page.
To protect against such attacks, site owners are advised to filter the data entered by users so that malicious code is removed in time.
DOS/DDOS ATTACKS
This type of attack floods the site with a massive volume of traffic in the form of requests, so that the servers stop functioning normally. DDoS attacks are mostly carried out from PCs compromised by malware, whose owners may be unaware of what is happening.
FORGING REQUESTS BETWEEN SITES
This attack method is called CSRF, and it sends commands on behalf of the web application's user without their authorization. Attackers have many ways to deliver forged requests: image tags, hidden forms and AJAX. The user is not told that the request was sent, and the site believes it came from an authenticated user.
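The standard countermeasure, as an added example that is not code from the original page or from any framework: a synchronizer token bound to the session with an HMAC under a server secret, required on every state-changing request, plus an Origin check as defense in depth. A forged request submitted via an image tag, hidden form or cross-origin AJAX cannot read the session's token, so it fails the check. The secret, session ids, allowed origin and request dictionaries are constructed sample values.

```python
"""Synchronizer-token CSRF protection for state-changing requests.

Server secret, session ids, allowed origins and requests are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # must never change state
ALLOWED_ORIGINS = {"https://app.example"}          # constructed site origin


def _mac(server_secret: bytes, session_id: str, nonce: str) -> str:
    return hmac.new(server_secret, f"{session_id}:{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def issue_csrf_token(server_secret: bytes, session_id: str,
                     nonce: Optional[str] = None) -> str:
    """Token embedded in the site's own forms: '<nonce>.<hmac(session:nonce)>'."""
    nonce = nonce or secrets.token_hex(16)
    return f"{nonce}.{_mac(server_secret, session_id, nonce)}"


def csrf_token_valid(server_secret: bytes, session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    return hmac.compare_digest(_mac(server_secret, session_id, nonce), mac)


def check_request(server_secret: bytes, method: str, session_id: str,
                  form: Dict[str, str], headers: Dict[str, str]) -> str:
    """Return 'allow' or a rejection reason for one request.

    `form` is the parsed body, `headers` the request headers (constructed
    dict shapes). An image tag or hidden form from another origin can send
    the cookie but not the token, and AJAX from another origin can send
    neither without CORS permission.
    """
    if method.upper() in SAFE_METHODS:
        return "allow"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return "reject: origin"
    token = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not token:
        return "reject: missing token"
    if not csrf_token_valid(server_secret, session_id, token):
        return "reject: bad token"
    return "allow"
```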
SUBSTITUTE DNS
This technique injects forged Domain Name System records into a DNS resolver's cache in order to redirect traffic meant for one site to another location. Criminals use it to send visitors from sites they trust to malware-serving sites.
CLIENT CONTROL
This type of attack is very popular among hackers who manipulate data passed through the client. First the client-side controls are bypassed, and then customer information is collected. Everything the scammers need is taken from the web application, where the hidden data is stored.
WHO TESTS AND PROTECTS APPLICATIONS
To create a quality application, you need the help of:
- designers;
- layout specialists;
- frontend and backend developers.
All of these people must have solid experience in developing and designing applications of varying complexity.
In addition, the finished application must be checked for bugs, which then have to be fixed. This requires testers, QC and QA. A team of these professionals will check the functionality and correctness of the application's scenarios.
It is important to understand that those who test the code for bugs almost never identify security vulnerabilities. That is the job of other specialists, so you will need to engage information security professionals with expertise in both attack and defense, who can test whether the application's structure can be penetrated.
If this is not done, your application will remain unprotected and cybercriminals will take advantage of the omission, even when the developers and testers have done a quality job. You should always involve information security specialists when a stable version is released; this prevents weaknesses in the program from emerging. In addition, our company's specialists can draw up a statement of work for their information security colleagues.
PENTEST SERVICES
Protecting a web or mobile application from hacking is paramount once the product has been released. This should be taken just as seriously at the beta stage, because it can affect your reputation. Imagine a situation where a criminal steals your money through your bank accounts: such an app is unlikely to succeed.
A pentest costs from 350 thousand rubles, which is far less than the losses any company may face from a hack and the subsequent lawsuits from users.
It is better to protect your application from hacking and your company from losing its reputation. With the services of our company, which has been searching for vulnerabilities for nine years, these problems can be avoided.
PENETRATION TESTING
This process, also called a pentest, is very complex but essential to making an application secure. It simulates an attack on the application's components, revealing weaknesses that real hackers could target.
Manual testing involves trying to break any number of the application's components to identify weaknesses; for example, APIs and internal or external servers can be targets.
Once a web application has been penetration tested, the results are used to fine-tune its security and to remediate the vulnerabilities found.
WHAT IS INCLUDED IN THE SERVICE
Our information security specialists test the security of web and mobile applications in five phases.
Planning and Exploration
At the initial stage, the scope of work, the feasibility of testing and the systems involved are identified, and the testing method to be used is chosen. Technical information is also collected to understand where vulnerabilities might occur.
Dynamic and static analysis
These two kinds of analysis show how the application reacts to an intrusion attempt. The static phase comes first: the application's code is reviewed to evaluate how it will behave at runtime, with the whole code base scanned in a single pass. Then comes the dynamic part, in which the application is examined while it is actually running.
Gaining access
To identify weaknesses in an application, pentesters themselves use attacks such as XSS, backdoors and SQL injection. By deliberately orchestrating data loss, traffic interception and so on, the specialists find vulnerabilities and reveal the extent of damage a real attack could cause.
Maintaining access
The goal here is to see whether a vulnerability can be used to remain in the system persistently. This simulates advanced persistent threats, which stay on a system for months while hackers steal sensitive data.
Report on the results
The final report shows:
- vulnerabilities discovered and exploited;
- the information that was accessed;
- the amount of time for which the pentester's actions went undetected.
COST OF PENTEST AND PROTECTION SERVICES
| IT SERVICES | PRICE |
|---|---|
| Penetration testing and application protection | from 1000 rubles/hour |
* The indicated prices are not a public offer and are subject to change. The cost depends on the time spent and the functionality that needs to be implemented in the system; on average, our work costs the customer from 1000 rubles/hour.
Advantages of our company
We thoroughly study the problems, consider them from all sides and quickly collect the necessary information. Then we discuss the specifics of each problem with clients and together with them make a work plan, taking into account all the wishes of customers.
There are more than 20 specialists in our team. Most of the team members have higher technical education and have been working in IT for more than three years. And we'll always answer if you have questions or need help.
We help to solve any problem related to IT: we develop programs and applications, issue tokens and develop blockchain networks. Our clients are companies, offices, small and medium-sized businesses, and financial organizations.
We develop programs in popular programming languages: Python, C++, JavaScript. That's why we can create universal solutions for any of your tasks: whether it's a program for the office, a database, an application or a blockchain network.
We are engaged in comprehensive support of ready-made products. We can extend the functionality of ready-made programs and applications, if necessary. We can also help if you need to add something to your ready-made program.
After developing a program or creating a blockchain network, we help you understand how to effectively manage the product. We support customers and help them achieve their goals with our applications.
We take a professional approach to problem solving. We create tokens and help clients bring them to market, help you create your own blockchain for your tokens. We can help if you need to configure the management of tokens you already have.
We turn any of your IT ideas into a finished working project. We have released a large number of programs and applications, provided support to a wide variety of clients and earned their trust. They turn to us for problem solving.
We develop our own blockchain networks for companies. Our programmers have excellent knowledge of Python, C++, JavaScript and can work with any storage systems. We can create a secure network or application to store any data.