Mobile app protection

We are working to collect statistics on incidents in areas in which we are well versed. Problems occurring on crypto exchanges and services should be monitored because their main component is web applications. Most cyberattacks occur through these systems.

When you've developed an app, or implemented a tokenization system in the underlying app, know that when you announce the innovation, not only the target audience will know about it, but also the fraudsters. And if you don't have time to test the release for vulnerabilities, criminals are already on target to commit wrongdoing.

Hackers are still attacking banking systems, despite the fact that they are more secure than fintech companies. In 2020, the number of successful hacks on the Asian continent increased. Based on bank card data, the following amounts were stolen from banks in various states:

- India - 462000;
- South Korea - 397,000;
- Malaysia, Singapore, and the Philippines - 235,000.

Cash is also stolen from financial institutions, but these cases are carefully concealed, in order to preserve the existing reputation, otherwise clients will start to leave in droves. If any information reaches the press, it is minimal, and the amount stolen is not specified. This is followed by assurances to clients that their funds are safe. After that, the public stops worrying, realizing that the banks are insured.

Owners of companies that do not work in fintech may think that the risks are negligible because their business does not involve the storage and transfer of funds. But this opinion is wrong, because cybercriminals are attracted to anything that is not secure, but can be sold at a profit. First of all, your competitors will want to become the owners of personal data and confidential information. They can buy a stolen database relatively cheaply on the darknet, and then proceed to process the data of thousands of customers. Each compromised account, according to a report by IBM Security, causes a loss of 152 $. Researchers conducted a survey of companies already affected by such actions. It showed that 25600 accounts were hacked and financial losses amounted to 3.9 billion. $.

If the theft or leak does occur, you should be prepared to face fines and lawsuits for violating data protection laws. Most jurisdictions have rules that describe possible data problems. Therefore, regulators require data breaching companies to inform them and their own customers, compensate them for damages and pay penalties.
Since late spring 2018, the EU has adopted the General Data Protection Regulation, under which there are two types of fines based on how serious the breach has become:

1. Petty. Penalty up to 10 million euros or 2% of the turnover for the year;
2. Large. Penalty up to 20 million euro or 4% of the turnover for the year.

In our country, these penalties are much milder. They are regulated by Law No. 152-FZ "On Personal Data". In the event of a violation, an administrative penalty of 75,000 rubles will have to be paid. This responsibility was tightened in July 2017 and is monitored by Roskomnadzor.

Alas, even these fines do not lead companies to focus their efforts on information security. The dynamics of compromised records grows at a gigantic rate year after year, and so far there is no reversal of the trend.

The lack of protection for this code will allow hackers to revert it back to its original form, which should not be allowed. Your application, like Fort Knox, must be impregnable. If the binary code is left unprotected, criminals will gain access to valuable data inside, such as the storage plan and security controls.

Fraudsters can also leave a mobile app under their control and download a version of it to stores, which will contain malicious code and the name of the product will be the same as the official one.

When user data is stored in an unsecured location, such as Plist files, someone will definitely be able to access it illegally. Accounts and other information should preferably be stored in iCloud Keychain or KeyStore on Android. Information stored locally must be encrypted.

Libraries containing open source code
This component should be regularly updated to avoid security problems. Caution should be exercised, however, because they are considered a vulnerability, which cybercriminals are well aware of, as they introduce malicious code into them. It is not possible to realize that such a library is infected until the automated build processes, which have been configured to apply the latest version, enable it.

No two-factor authentication
If there is no 2FA, it will be dangerous to use such a mobile application, so you should keep this protection in mind. When two-factor authentication is activated, it can prevent hackers who are able to guess an ordinary password for a user's account. One-time passwords will keep the application safe and make sure that the account stays safe and sound.

According to a study of the most popular web applications, which was conducted in late winter 2020, it was found that 90% applications allow people to attack using them, 39% sites allow illegal access to the application, and 68% applications can provide your data to fraudsters. Let's focus on the most common web application vulnerabilities that should be avoided.

In session management, the application identifies the user based on various requests. If the user attempts to log in, it assists him in interacting with the application without the need to log in again.

Hackers attempt to break into session management so that there is an option to bypass authentication. When they succeed in doing so, they soon hack into the whole
web application in its entirety.

In previous years, protection of web applications came in the form of setting up the server, cleaning the site from foreign files and parts of the code. Back then there were fewer weaknesses, applications had a simple structure, and users acted predictably. As time passed, protecting applications became more and more difficult as the server infrastructure evolved rapidly. The code became more complex and voluminous, which increased the attack surface.

To do this, a variety of methods were used in all sorts of directions. Below we will pay attention to the main types of attacks and hacking methods used by black hackers in fraudulent schemes and by white criminals at the time of testing the degree of security of web applications.

In other words, this method is called "brute force". It is used to break into applications that have a critical class in order to hijack API calls and determine authorization code, leaving no trace of the crime. Interestingly, the code retains its original form afterwards. The attack also involves modifying the mapping so that an alternate API call is formed, which will save bank card data on a different server, collect information about the user, and become set up to perform malicious actions.

Cross-site scripting or XSS is used by hackers everywhere in order to break into websites, which has become a very serious threat to their owners. Now only the largest sites, such as Google and Microsoft, are able to successfully repel criminal infiltration.

Hackers use damaging JavaScript scripts at the time of an XSS attack, which are embedded in the links they distribute. If the user decides to click the link, it allows them to steal their own data, hijack the web session and account management, and change the advertisements on the page.

To protect themselves from such attacks, site owners are advised to filter the data entered by customers to remove malicious code in a timely manner.

This type of attack is carried out in order to load the site with a solid amount of traffic, which comes in the form of requests, causing the servers to stop functioning normally. Basically, DDoS attacks are carried out from PCs compromised by malware. At the same time, the people who own these PCs may not be aware of what is happening.

This method of attack is called CSRF, and it transmits commands that are not authorized by the web application's client. Hackers have many options at their disposal to transmit fake commands, image tags, hidden forms and AJAX. The user is not informed that the command was sent and the site is assured that the command was sent by an authenticated user.

This hacking technique injects corrupted domain system information into the DNS resolver cache in order to send traffic from the page to another location. Criminals use it to send traffic from sites they are confident about to malware-driven webs.

To create a quality application, you need to ask for help:

- Designers;
- layout people;
- to frontend and backend developers.

All of these people must have solid experience in developing and designing applications of varying complexity.

In addition, the developed application should be checked for bugs and fix them. This will require the services of testers, QC and QA. A team of these professionals will check the functionality and fidelity of the application scenarios.

It is important to understand that code researchers almost never identify vulnerabilities. This is the prerogative of other staff members, so you will need to contact information security professionals who will have expertise in attack and protection and can test the application for the possibility of penetrating its structure.

If this is not done, your application will remain unprotected and cybercriminals will take advantage of this omission, even when the developers and tattooers have done a quality job. You should always contact the people involved in information security when a stable version is released. This will avoid the emergence of weaknesses in the program. In addition, the specialists of our company will be able to develop terms of reference for their colleagues from the IS.

This process, also called pentest, is very complex, but it is a must in order to make the application secure. It simulates an attack on its components, which reveals weaknesses that could be targeted by real hackers.

Manual testing involves trying to hack any number of application components to identify weaknesses. For example, APIs, internal or external servers can be used as objects.

Once a web application has been tested for penetration, the results are used to fine-tune security. They will also be used to remediate the detected vulnerabilities.

Employees of our IS company will test the security of web and mobile applications, which will consist of five phases.

Planning and Exploration

At the initial stage, the amount of work and the feasibility of testing are identified, as well as the systems used. The testing method by which it is supposed to be performed is determined. In addition, technical data is collected, which is required to understand where possible vulnerabilities may occur.

Dynamic and static analysis

The types of analysis presented show how the application will react to an intrusion attempt. The first step is the static phase, during which the application code is checked in order to evaluate its behavior during operation. The whole code is scanned in a single pass. Then comes the dynamic part of the analysis, when the code is checked while it is already in working mode.

Obtaining access rights

To identify possible weaknesses in an application, pentestors themselves resort to attacks such as XSS, backdoors, and SQL injection. Specialists find vulnerabilities by artificially orchestrating data loss, traffic interception, and so on, which reveals the extent of damage caused by real attacks.

Access Support

The goal in this case is to see if the vulnerability can be permanently present in the system in use. The idea is to have a constant simulation of regular advanced threats, which remain on the system for months, when hackers can steal sensitive data.

Report on the results

The final report shows:

- vulnerabilities discovered and exploited;
- the information that was accessed;
- the amount of time for which the pentester's actions went undetected.