The state of mobile app security is weak AF; a large majority of Android and iOS apps lack even the most basic security protections and can be compromised with very little time and effort. At my company, our white-hat security team routinely tests a wide variety of Android and iOS apps across all industries and segments. A vast majority of them can be cracked in 15 minutes or less using free tools and ‘white-box’ pen-testing methods. In general, here’s what we find for most mobile apps:
1.Lack of App Shielding Tamper Protection
The very first layer of defense in any mobile app security strategy should consist of hardening or “shielding” the app by implementing basic runtime application self-protection (RASP) measures like anti-tampering, anti-debugging, anti-reversing, and jailbreak/rooting prevention. For example, many apps we come across either don’t implement tamper prevention or use a 3rd party open source library implemented in largely un-obfuscated code. That kind of solution is easily bypassed.
2. Lack of Obfuscation
Code obfuscation makes it difficult for attackers to understand an app’s source code and control flows. Without obfuscation, mobile app binaries (.apks and .ipas) be disassembled and/or decompiled very easily using a wide variety of free tools. And using dynamic instrumentation tools like Frida, attackers can hook into applications and inject code dynamically.
3. Weak or Insufficient Encryption
Most apps don’t encrypt data stored in the app, in strings, preferences or resource folders, which leaves sensitive mobile user data in the clear.
There’s a Better Way to Secure Mobile Apps
Closing such large security gaps requires a multilayered app defense made up of complementary and self-reinforcing features that protect apps against tampering, reversing, rooting/jailbreaking, mobile fraud, and also that encrypt all sensitive data in all states (at rest, in transit, and in use).
Bottom line, the only way to do that is to automate mobile app security. And only then can you REALLY make security an integral part of the app lifecycle. That’s what true DevSecOps is. And until you do that, the “Sec” in DevSecOps is just a pipedream on a marketing slide. That’s right, I said it.
If you want to SEE how to secure any iOS or Android app in a few minutes, with no-code or coding, drop me a line at firstname.lastname@example.org and I’ll show you personally.