
Developer insight: The mounting security threats facing mobiles and apps
Burak Agca, security engineer at Lookout, highlights the security threats facing mobiles and apps and how bug bounty programmes can help to fix vulnerabilities in a timely fashion

Throughout last year, smartphone and tablet users saw a significant upward trend in the rate at which they faced cybersecurity issues across a wide range of attack vectors. In fact, mobile phishing campaigns soared by 37% in 2020 while Apple and Google brought down thousands of malicious apps hosted on their public stores.
Mobile operating system compromise detections rose steadily and commercial spyware manufacturers also profited from remote work as employees used unmanaged personal devices to access corporate infrastructure.
Nation state actors continued delivering mobile advanced persistent threats (mAPTs) and remote access trojans (RATs) as the international cyber arms race continued against a rich backdrop of pandemic alerts, vaccine notifications, election hysteria and the regular flow of news events that lend themselves to lures.
Today, a whole generation of users exist that have never been exposed to a Windows operating system interface. Almost all of us have become accustomed to new devices with life-changing features on an annual basis. Yet, this puts pressure on mobile vendors to move rapidly and meet expectations in form, feature and function and this forces them to make sacrifices in the security vetting process.
Currently, operating system and application vendors that experience exponential growth face a significant challenge in fixing security issues and vulnerabilities in a timely manner. As a result, most now have vulnerability disclosure and bug bounty programmes in place. For example, over 380 vulnerabilities were found in iOS 13, and Android presented approximately double that number. Because of this, exploit acquisition programmes have emerged, providing ethical hackers a route to earning a living from their discovery of low-level vulnerabilities that could otherwise be exploited in the wild.
Zerodium has a well-established exploit acquisition programme and acts as a broker for the bug bounties on offer, which cover the majority of messaging app vendors. In the wake of the recent WhatsApp privacy announcement, those messaging vendors are in a battle to prove they can offer their users the best encryption and data privacy. The significant bounties offered for the discovery of vulnerabilities in their apps deliver a pipeline of security issues straight to the developers who need to fix them. However, as long as operating system manufacturers and app vendors have a disclosure period before they need to announce an issue, let alone ship a patch, threat actors have a significant window of opportunity to exploit those vulnerabilities.
Coupled with unpatched flaws in a given version of iOS or Android, mAPTs and RATs give threat actors the ability to exfiltrate data and even command and control device features and functions once their payload is successfully delivered.
Zerodium has built an effective programme that brokers the available bug bounty programmes. This shortens the lead time to patching issues and mitigates the cost of fines related to data breaches, reputational damage and possible legal action.
Although programmes like this ensure vulnerabilities are dealt with, additional mobile security measures are needed to cover the gap between a vulnerability being disclosed and a fix being deployed. Delivering sufficient efficacy in detecting threats across all the attack vectors that lead to compromises of data and privacy on mobile devices is the new endpoint security challenge.
From an app development perspective, in recent years anti-tampering and obfuscation tools have enabled app vendors to make the reverse engineering of their products much harder. However, that does not deal with the external threats that users face when operating publicly available apps in the real world.
Building ‘inside out’ protection into your app is good, but detecting OS compromise, malware and rogue networks requires ‘outside in’ capabilities delivered via an SDK. Together they provide true app security, drive user confidence and adoption, and preserve brand reputation.
Without the draw of unique app and product features that drive rapid adoption, users have little or no reason to interrupt their busy schedules to install a system update. Add to that the potential of losing data as a result of an upgrade, and it’s no surprise many users do not even restart their mobile devices for weeks, if not months.
Burak Agca brings more than 20 years of experience in modern endpoint management and cybersecurity. Prior to joining Lookout, he worked at LANDesk (now Ivanti), focused on systems management and at Citrix leading enterprise mobility management opportunities in the UK. In his current role, he is a trusted adviser for mobile security, helping multiple customers with their mobility strategies and is a passionate public speaker at events, conferences and the press.