
Are apps safe? Digital security and the B2C app

Aaron Watkins

This report underwritten by: Moki

A mobile report

Are apps safe? Digital security and the B2C app, 07/31/2014

    TABLE OF CONTENTS

    1. EXECUTIVE SUMMARY

    2. INTRODUCTION

    3. SECURITY FLAWS IN THE MOBILE ECOSYSTEM

    4. SOLUTIONS

    5. KEY TAKEAWAYS

    6. ABOUT AARON WATKINS

    7. ABOUT GIGAOM RESEARCH

    8. COPYRIGHT

This PDF prepared for: dhop__ ([email protected])

Executive summary

Mobile apps are collecting and utilizing personal private data at a rapid pace. The prevalence of these apps in the B2C space puts these data gathering devices in the uncontrolled and unpredictable hands of consumers on a massive scale. Because of that, questions remain as to whether or not security best practices are sufficient to prevent breaches. If not, other measures must be considered to ensure customers are safe when using apps from their favorite businesses.

These are questions that have to be asked not only by IT personnel developing these apps but at every stage along the app creation and utilization timeline. App developers, mobile security experts, government regulators, and the creators of industry guidelines must understand the app types that create the most risk, how internal and external factors contribute to those risks, and what is currently being done to mitigate these issues. Clearly more work is needed in this space.

    Key findings include:

Mobile applications are proving to be vulnerable, and there is no foolproof way to protect an app once it has been distributed to the general population. Care needs to be taken to monitor and protect the application as it operates in real-time.

App store monitoring and pre-distribution security evaluation can only protect an app that has not already been compromised in the field.

Increased industry standards and training on secure app design, data storage, and security testing are necessary to ensure consumer safety.

App development frameworks need to be in place to provide both app-side and cloud-based monitoring of app activity.

A full stack of security tools also involves the need for server-side tools that can monitor incoming data requests for potential malicious activity from compromised or spoofed clients.


Introduction

Mobile applications continue to transform the industry in ways that seemed far-fetched just a few years ago. They can book travel, unlock a car, or split a check at dinner, but that convenience comes at a cost. Given the patchwork of networks and the variety of devices involved in the mobile ecosystem, security is more important than ever. When your phone can access and transmit highly personal data, how do we keep that data away from prying eyes without limiting our ability to make the best use of it?

Some types of mobile apps tend to use more personal data than others. While there is high awareness about the need for security in banking and finance apps, a number of other apps present data transfer security risks as well. In the shopping space, we see the frequent transmission of personal, generally location-based data alongside purchase history and credit card information. Medical apps contain and transmit your medical history but may also communicate with other sensors to retrieve information such as heart rate, location, or even whether the user is awake or asleep. Travel apps know when users plan to be out of the house, and even social sharing apps can transmit location data with family photos. The misuse or compromise of any of these applications could easily constitute a breach of privacy, with consequences for both users and the app developer.

The following are some particularly sensitive categories of apps along with the common risks associated with them.

    Financial apps

Banking and other financial apps manage some of the most highly sensitive information of any consumer apps, and their popularity continues to grow. Mobile banking reached nearly 50-percent penetration on smartphones as early as 2012, and in addition to traditional finance management apps, the mobile wallet is beginning to gain steam.

Consumers expect banking apps to have the highest level of security of any apps, and that has generally held true, but is it enough? In 2010, mobile security firm viaForensics tested seven different mobile banking apps, including Bank of America, Wells Fargo, and USAA, and found all but one of them failed basic security tests. Often these apps were storing sensitive data directly in the memory of the phone in a way that could be easily accessed by hackers. Even when these flaws are detected, the process of updating an app, submitting it to app stores, and getting an updated version installed on consumers' devices can take weeks.

In August 2013, the Trend Micro Security Intelligence Blog reported discovering hacked versions of the NH Nonghyup Bank's app on third-party app stores (Android app stores other than Google Play). These apps took advantage of a flaw in the Android operating system, allowing hackers to load updates to legitimate apps that contain malicious code or Trojan systems. These malware versions of the apps looked just like the original apps and bypassed the app signing process designed to protect code from being changed by anyone but the developer. Because this happened on third-party app stores through no fault of the developer's code, many third-party tools designed to check application code for security holes were completely useless.

    Retail apps

Retail apps provide a wide range of opportunity for malicious hackers. Credit card information, purchase history, location data, and more are commonly available to retail apps, and the scale of B2C commerce makes them ideal targets.

The most prominent retail mobile payment system in the app space remains the Starbucks app, which in 2014 reported more than 10 million users accounting for more than 11 percent of all Starbucks retail transactions. The app processes credit card information used for reloading the user's Starbucks card, location data to allow a user to find the closest store, and login information, including email and password. These numbers, released in March, came only two months after Computerworld reported a massive security flaw discovered by Daniel Wood, a vulnerabilities management specialist at Bridgewater Associates in New York City. The flaw, which has since been fixed, stored the usernames, passwords, email addresses, and a significant amount of historical location data in clear text that could be easily accessed by anyone in possession of the phone; no major hacking skills or even jailbreaking of the device were needed.

    Medical, health care, and fitness apps

While not yet as prominent a category of apps (medical apps and health care and fitness apps combined comprise less than 5 percent of all iOS apps in the iTunes app store), mobile health care is predicted to reach half a billion users by 2015. In a field that is typically highly regulated by such laws as the Health Insurance Portability and Accountability Act (HIPAA), there is a noticeable gap in regulation and security in the medical, health care, and fitness app space. According to a report released in 2013 by the Indiana Health Law Review journal, "Current FDA regulations for medical devices lack clarity regarding this new (app) technology. Due to the lack of clarity, the FDA must look to improve the regulatory structure to maintain a balance between product safety and innovation for mobile health applications. The increasing regularity of mobile device and mobile application use throughout society demonstrates the pressing importance of this issue." What's more, the data contained in these apps can be more personal than that found in most other categories.


With the prominence of connected devices such as the Fitbit and the Jawbone UP in the consumer space, there is an upward trend of users collecting and storing personal information on their mobile phones. This includes not only geographic location, such as where you spend most of your time or your typical running routes, but also when you tend to be asleep. There are apps that keep track of various medical symptoms and report them back to your physician, apps that give you direct access to counselors and psychiatrists, and even apps that are designed to record an entire doctor's visit and send you the recording after the appointment.

In response to these health-related apps, the FDA issued guidance regarding whether various types of mobile apps would come under FDA regulation. The FDA provided a list of apps considered regulated medical devices, a list of apps that were considered non-medical devices and were thus not regulated, and a third category of mobile apps for which the FDA will exercise enforcement discretion, essentially a "to be determined" list of apps that manage, store, and send private, personal data.

The risks are not simply theoretical. A few months ago, Computerworld discovered that the Walgreens Pill Reminder feature in their app was storing photos users took of their prescriptions along with those users' full names and user IDs. Photos were accessible to anyone, and the user names were stored in Base64, which is a reversible encoding rather than encryption and so offers no real protection. While Walgreens updated the app in late March of this year after the flaw was pointed out, consumers were never made generally aware of the problem, and the iOS release notes say the update was simply "bug fixes."


Security flaws in the mobile ecosystem

These are only a few examples of high-profile security issues that have plagued the mobile space. With around 1.2 million apps on each of the top app stores and the ease with which any everyday programmer can publish an app, there are bound to be issues. The general issues surrounding mobile security can be broken down into three main categories:

    1. Issues with user behavior

    2. Issues with developers/code issues

    3. Issues with the mobile environment

    Issues with user behavior

While enterprise mobile apps have at the most a few thousand end users, successful B2C apps are dealing with millions. Target Corp.'s flagship app has an estimated 5M to 10M downloads according to Luth Research. Each of these users presents a unique potential security risk due to unsafe behavior. Jailbroken phones, poor passwords, and lost or stolen devices, the kind of concerns typically commanding attention in enterprises, all open up a degree of risk not only to the user but also to the provider of the original app.

    Bots

Bots are code-created users that are designed to look like actual users, typically with malicious intent. These can live on user devices and are often received through hacked apps typically found on jailbroken devices. Once activated, bots can access the phone or its apps without the user knowing, often with negative (and sometimes costly) consequences. Bots have been known to post social media messages on their own, send text messages that could misrepresent a user or add charges, or log keystrokes to compromise personally identifiable information.

Detecting bots is difficult. On the server side, a malicious bot attack looks very much like a call from an authorized user of the app.

    Passwords

Consumers are notoriously bad at password creation. SplashData reports that the most common passwords of 2013 include "123456", "password", "qwerty", and "abc123".


This is not a new phenomenon. For roughly 20 years, the passwords for all 50 of the U.S. Minuteman nuclear launch silos were set to 00000000. It is also common for consumers to use the same password over and over, which means that their password is vulnerable on multiple sites and apps after a data breach, such as the one reported by eBay in May 2014, causing the site to ask all 145 million of its users to change their passwords. While it may not be a brand's fault that a consumer was using the same password for one app as they did for their bank, the brand will still be the culprit in the user's eyes.

    Lost or stolen devices

Even when passwords are strong, lost or stolen devices can cause issues when the developer has not implemented proper safe password protocols. As seen in retail and financial sector apps, improper storage of sensitive information can create a goldmine of information for someone who knows where to look for it and who has the device in hand. Data stored in clear text can be swiped in minutes or less, and even data that has been encoded on the device can be easily decoded, given time.

Given the variety of data types that apps typically handle, everything from location to your shopping history, there is a wide range of data that the typical user does not want to get into the wrong hands, and usernames and passwords are among the most important. Hackers that have obtained correct user names and passwords present serious problems. How do app developers determine if the app is being used by a legitimate user or by someone with less than honorable intent?

"App developers and publishers need tools to continually monitor and protect their apps in real-time," said Tom Karren, CEO and co-founder of Moki. "Having visibility into app and user behavior as well as the device environment is key to understanding the risks that an app faces. Visibility into anomalous behavior and risky environmental conditions is the precursor to protecting sensitive data and services."

Active monitoring for enterprise app systems is necessary to protect against these types of breaches. Traffic patterns must be analyzed against typical user behavior in order to be able to send up a flag when something seems out of place. Is the connection to the app coming from somewhere unusual? Somewhere that you do not do business? Has the use pattern of the app changed dramatically in terms of how frequently it is connecting and the type of information it is sending and receiving? Are the networks that the device is connecting on secure?
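The questions in that paragraph can be written down as a small server-side baseline. The following is an added example, not code from the report or from Moki: it builds a per-user profile of countries and endpoints from traffic that looked normal and flags a request that comes from an unserved or never-before-seen country, over an untrusted network, for an endpoint the user has never used, or as part of a burst. The log lines, the set of served countries, the network labels and the thresholds are all constructed for illustration.

```python
"""Server-side behaviour baselining for B2C app traffic.

Added example, not code from the report or from Moki. The log lines,
served countries, network labels and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API access log: timestamp, user id, client country, endpoint,
# network type. The last three lines are the anomaly: a user who has only
# ever read balances from the US suddenly bulk-exports data from another
# country, on public wifi, three times within ten seconds.
SAMPLE_LOG = """\
2014-07-30T09:00:00 u42 US /v1/balance wifi
2014-07-30T12:10:00 u42 US /v1/balance cellular
2014-07-30T18:30:00 u42 US /v1/history wifi
2014-07-31T08:55:00 u42 US /v1/balance wifi
2014-07-31T09:01:00 u17 DE /v1/balance wifi
2014-07-31T09:02:00 u17 DE /v1/history wifi
2014-08-01T03:00:00 u42 RO /v1/export_all public-wifi
2014-08-01T03:00:05 u42 RO /v1/export_all public-wifi
2014-08-01T03:00:10 u42 RO /v1/export_all public-wifi
"""

COUNTRIES_WE_SERVE = {"US", "DE"}     # assumption: where the business operates
UNTRUSTED_NETWORKS = {"public-wifi"}  # assumption: network types treated as risky
BURST_WINDOW = timedelta(seconds=60)
BURST_MAX_REQUESTS = 2                # more than this many per window is a burst
WARMUP_EVENTS = 3                     # novelty checks start after this much history


def parse_log(text):
    """Parse the space-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, country, endpoint, network = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "endpoint": endpoint,
                       "network": network})
    return events


def check_event(event, profile, recent_timestamps):
    """Flags for one request, judged against that user's learned profile."""
    flags = set()
    if event["country"] not in COUNTRIES_WE_SERVE:
        flags.add("unserved_region")
    if event["network"] in UNTRUSTED_NETWORKS:
        flags.add("untrusted_network")
    if profile["count"] >= WARMUP_EVENTS:      # only judge novelty with history
        if event["country"] not in profile["countries"]:
            flags.add("new_country")
        if event["endpoint"] not in profile["endpoints"]:
            flags.add("new_endpoint")
    if len(recent_timestamps) > BURST_MAX_REQUESTS:
        flags.add("burst")
    return flags


def detect_anomalies(events):
    """Stream events in order; return an alert for every request that raised flags."""
    profiles = defaultdict(lambda: {"count": 0, "countries": set(), "endpoints": set()})
    recent = defaultdict(list)
    alerts = []
    for index, event in enumerate(events):
        user = event["user"]
        recent[user].append(event["ts"])
        # keep only this user's timestamps that fall inside the burst window
        recent[user] = [t for t in recent[user] if event["ts"] - t <= BURST_WINDOW]
        flags = check_event(event, profiles[user], recent[user])
        if flags:
            alerts.append({"index": index, "user": user,
                           "ts": event["ts"].isoformat(), "flags": flags})
        else:
            # Learn only from requests that looked normal, so anomalous
            # traffic cannot quietly widen its own baseline.
            profiles[user]["count"] += 1
            profiles[user]["countries"].add(event["country"])
            profiles[user]["endpoints"].add(event["endpoint"])
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert["ts"], alert["user"], sorted(alert["flags"]))
```

The baseline deliberately refuses to learn from flagged requests; otherwise the third export in the sample would already look "normal" by the time it arrived. In production the profile would be persisted per user and the thresholds tuned per endpoint, but the decision structure is the same: compare each request with what this user has done before, not only with what the code allows.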

    Issues with developers/code

The first line of defense against these types of issues lies within the code itself and the people who write it. Mobile development, particularly large-scale B2C development, must view security as an integral part of the app design process, taking a ground-up approach to a security-first design. For this to happen, mobile developers need to be educated in best-practice security standards and the use of security testing tools. However, these tools are not perfect, and businesses should continue to employ other means of exposing weaknesses, including automated and manual penetration testing.

At times, even bringing these issues to the developers is not enough to solve the problem due to a lack of understanding of the issues and how to solve them. In February 2014, mobile security experts made Delta Airlines aware that, while their data was encrypted, they included the decryption key in the app's decompiled source code, which rendered the apps vulnerable, compromising private data such as frequent flyer numbers, itineraries, and potentially even credit card information. Delta released a patch to the app to fix the problem three days later, but the new app still contained a version of the encryption key in a location that savvy hackers could access.
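A check that would catch this class of flaw before an app ships is a scan of the source and resources for string literals that look like key material. The scanner below is an added example, not Delta's code or any tool named in the report: it flags literals that are long and high-entropy in a hex or base64 alphabet, or that are assigned to a variable whose name suggests a secret. Both source snippets are constructed; the package name, values and alias are placeholders.

```python
"""Hard-coded secret scanner for app source and resource files.

Added example, not from the report. Both snippets below are constructed;
the "vulnerable" one reproduces the anti-pattern of shipping key material
inside the app bundle, the "fixed" one references key material by alias
so nothing secret is present in the binary.
"""
import math
import re
from collections import Counter

VULNERABLE_SOURCE = """\
package com.example.airline;

public class Crypto {
    private static final String AES_KEY = "4f9a1c7e2b8d6e0f3a5c9b1d7e2f4a6c";
    private static final String IV = "0123456789abcdef";
    private static final String API_TOKEN = "Qx7mK2pL9vT4wR8nB3zJ6yH1";
    private static final String DB_PASSWORD = "correct horse battery staple";
    private static final String BASE_URL = "https://api.example.invalid/v2/";
    private static final String WELCOME = "Welcome back to the app!";
    private static final String SUPPORT_EMAIL = "support@example.invalid";
}
"""

FIXED_SOURCE = """\
package com.example.airline;

public class Crypto {
    // Key material is generated on the device and held by the platform
    // key store (assumption); the app only knows the alias it asks for.
    private static final String STORE_ALIAS = "airline-session-key";
}
"""

STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')
SECRET_NAME = re.compile(r"key|secret|passw|token", re.IGNORECASE)
HEX_CHARS = set("0123456789abcdefABCDEF")
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
HEX_ENTROPY_MIN = 3.0   # a 16-symbol alphabet peaks at 4 bits per character
B64_ENTROPY_MIN = 4.5   # a 64-symbol alphabet peaks at 6 bits per character


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the literal's own histogram."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text, min_len=16):
    """Return one finding per suspicious string literal, with the reasons."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            if len(literal) < min_len:
                continue
            reasons = set()
            chars = set(literal)
            entropy = shannon_entropy(literal)
            if chars <= HEX_CHARS and entropy >= HEX_ENTROPY_MIN:
                reasons.add("hex-entropy")
            elif chars <= B64_CHARS and entropy >= B64_ENTROPY_MIN:
                reasons.add("base64-entropy")
            # the text before the literal is the assignment target, if any
            if SECRET_NAME.search(line[:match.start()]):
                reasons.add("secret-like-name")
            if reasons:
                findings.append({"line": lineno, "literal": literal,
                                 "entropy": round(entropy, 2), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_source(VULNERABLE_SOURCE):
        print(f"line {f['line']}: {f['literal']!r} entropy={f['entropy']} {sorted(f['reasons'])}")
    print("fixed source findings:", scan_source(FIXED_SOURCE))
```

The two alphabet-specific thresholds matter: a URL such as the BASE_URL literal has entropy comparable to a hex key, but its characters fall outside both alphabets, so it is not reported, while a low-entropy passphrase is still caught through the name heuristic. The output is a review list, not proof that a literal is a working key; the useful property is that the fixed snippet yields nothing, because the key never exists in the bundle for a decompiler to find.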

Who is responsible for teaching and enforcing mobile security best practices? When breaches happen, people are quick to point the finger at developers, but they work with little guidance and even less regulation. The Federal Trade Commission (FTC) acts as a consumer protection agency, but even they cannot keep up with the pace of mobile development. Their mobile app developers website contains laughably generic tips such as "aim for reasonable data security" and "consider protecting data you store on a user's device."

    Issues with the mobile environment

While most of the software that passes through the major original equipment manufacturer (OEM) stores such as iTunes or even Google Play is tested for malware (and even their reviews are not quite perfect), there is a prevalence of not-so-reputable third-party app stores for the Android operating system and a culture of jailbreaking phones on iOS to access unsupported features. Once a device is jailbroken or leaves the safety of the primary app store, all of the major vendor-provided security processes are suddenly null and void. While the OEMs can wash their hands of this by citing violation of user agreements, developers must consider the reality of the situation. Their apps will run on phones that no longer have security guarantees in place, and it may be hard to detect whether an inbound message is coming from a safe version of your app or an unsafe one.

    Malware

Third-party downloads are notorious distributors of viruses and malware, including third-party software such as keyloggers that have negative effects on users or their apps. Even the Google Play store, while safer than third-party Android stores, has seen huge increases in malware over the past year. According to a study by RiskIQ, the number of malware apps detected on the platform jumped 388 percent between 2011 and 2013, and the amount of malware that gets removed from the store dropped from 60 percent to 23 percent in the same timeframe.

    Updates

It is not enough to write good code if that code does not make it to the users' devices. As Tim Cook gleefully pointed out in the 2014 Apple World Wide Developer Conference (WWDC) keynote speech, it is hard enough to get Android users to update their operating system (with fewer than 10 percent of Android users on the KitKat platform), let alone get them to update an app to a newer version that happens to have fixed some security flaws. On iOS, app updates all have to go through Apple's often-mysterious approval process, which at times can take weeks, meaning that even when a problem is identified and a solution made, the amount of time that problem is out in the wild is not just a matter of days but often a matter of weeks.

    Current solutions are not sufficient

Mobile is still in many ways the wild west of the digital space. Most digital security platforms focus on online, not mobile security, and much more development and research has been done in that space. Even when mobile security is taken into consideration, many developers and solution providers never look past the app's code. Companies like Arxan, Inside Secure, and Moki all provide code analysis in the pre-compile phase and during runtime, a necessary step in the right direction. The problem is, according to Tom Karren of Moki in reference to what happens once you put an app out into the wild, "The game plan is great until the ball is kicked; then everything is up in the air. Apps face challenges that can't be planned for, so security solutions need to adapt and respond in real-time." Mobile security is not a static problem. Risks can change over time and are not only code-based.

Some third-party Android apps attempt to solve security issues such as Trojans and malware, but as a third party, they rely on users to download and activate a second app, such as an antivirus app, to protect against potential threats. Samsung ships some of their Android devices with anti-virus software already installed, though only a fraction of the software's features are free. The iOS ecosystem has not yet seen the need for systems like this on the native app platform, and the platform purposefully makes it difficult for running apps to affect each other, but all of Apple's built-in protections disappear when the user jailbreaks their phone. The reality is that large B2C enterprises cannot put the onus of security on the user. Even one unaware user's behavior can set off a maelstrom of negative PR that will tarnish the trust a brand has built up with its consumer base.


Solutions

Better education and awareness

We hope that increased awareness of the problems presented in this paper will encourage developers to reexamine security needs when creating new applications or managing existing B2C apps. As awareness grows, so does the need for continued education in the space. Institutions such as Stanford University are leading the charge to make mobile security part of the curriculum in a comprehensive app creation education, and as these courses become more prevalent and can take the developer beyond a basic overview of mobile security needs, the mobile environment will grow less prone to headline-making security flaws.

Industry standards and regulations

There is a severe lack of overarching industry standards for security in the mobile space. Industry organizations such as the Application Developers Alliance (ADA), a policy and advocacy group for mobile developers, seem to express awareness of the issues; however, no one has provided a set of comprehensive, well-accepted security steps developers follow when creating a mobile app. Because lawmakers do not typically have the understanding or bandwidth to keep up with the constantly changing mobile space, it is up to the industry to in many ways regulate and guide itself on best practices for consumer data safety.

Increased use of security tools that are already available

While not 100 percent without issue, the current tool sets for code and runtime analysis are an important step in the right direction for B2C app developers, and skipping this vital step is simply asking for a data breach. Development teams also can bring in individuals versed in mobile hacking techniques and ask them to take a shot at bypassing an app's security. This human test can often detect problems that automated testing tools are simply not savvy enough to catch.

New frameworks for secure development

Existing development tools do not appear to provide the full breadth of security services necessary to prevent data breaches. There is a space in the market for new frameworks and security abstraction services that can be made available to developers for use on their apps. Because every developer cannot be a security expert, this provides vetted solutions that can take the onus off the average development team.


Live monitoring inside sensitive B2C apps

How a user behaves inside an application can give security systems an early warning into potential problems. Systems that monitor patterns of user behavior can be engaged to raise a flag when a consumer's usage falls outside of those patterns or is activated in unsecure or unusual environments.

Real-time protection

An emerging category of solutions is beginning to provide real-time, ongoing data analysis of apps that are already in the wild, paired with the ability to perform remote actions on a scale as large as an entire user base or as targeted as a single user. This could include features such as two-factor authentication, allowing a system to not only see that the proper password is coming from a device but that it is also coming from a known device. When problems arise, the ideal solution set would be able to slow down or even stop a data transaction from happening and notify the system that there is a potential problem.

Passwords cannot be the only level of security between a hacker and sensitive data. A password is too easy to obtain through various types of malicious activities, and devices accessing that data should be checked against standard behaviors that a user exhibits. Whenever possible, developers should consider additional non-password-based security measures, such as iOS's iTouch fingerprint authentication model, or two-factor authentication requiring external devices. However it is done, developers need to be able to prove that a real user and a real device are being used to access sensitive data.
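The two preceding paragraphs describe a server-side policy: a correct password from an unknown device is not enough, and a suspicious transaction should be slowed down or stopped while the system is notified. The code below is an added example, not a Moki product or the report's own design. It keeps a per-user set of enrolled device fingerprints, demands a one-time code (RFC 4226 HOTP) before enrolling a new device, and holds or blocks transactions that arrive from a device that was never enrolled. The account data, server pepper, OTP secret and spending limit are constructed; the HOTP secret and expected codes are the RFC 4226 test vectors.

```python
"""Device binding, step-up authentication and transaction gating.

Added example, not code from the report or from Moki. Account data is
constructed; SERVER_PEPPER stands in for a secret held only on the server.
"""
import hashlib
import hmac
import struct

SERVER_PEPPER = b"constructed-server-pepper-not-for-production"
PBKDF2_ROUNDS = 50_000


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def device_fingerprint(device_id):
    """Keyed hash so the raw device identifier is never stored server-side."""
    return hmac.new(SERVER_PEPPER, device_id.encode(), hashlib.sha256).hexdigest()


class AccountStore:
    """In-memory stand-in for the user database."""

    def __init__(self):
        self.accounts = {}

    def create(self, user, password, otp_secret, unknown_device_limit=100):
        salt = hashlib.sha256(b"constructed-salt:" + user.encode()).digest()
        self.accounts[user] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "otp_secret": otp_secret,
            "otp_counter": 0,
            "devices": set(),                 # enrolled device fingerprints
            "unknown_device_limit": unknown_device_limit,
        }


def login(store, user, password, device_id, otp_code=None):
    """Return 'allow', 'deny' or 'step_up_required'.

    A correct password from an enrolled device is enough. From an unknown
    device the caller must also present a valid HOTP code; on success the
    device is enrolled so the next login from it is 'allow'."""
    acct = store.accounts.get(user)
    if acct is None:
        return "deny"
    if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"]):
        return "deny"
    fp = device_fingerprint(device_id)
    if fp in acct["devices"]:
        return "allow"
    if otp_code is None:
        return "step_up_required"
    expected = hotp(acct["otp_secret"], acct["otp_counter"])
    if not hmac.compare_digest(expected, otp_code):
        return "deny"
    acct["otp_counter"] += 1        # a code is single-use; a replay fails
    acct["devices"].add(fp)
    return "allow"


def gate_transaction(store, user, device_id, amount, notify):
    """'proceed' from an enrolled device; otherwise 'hold' small amounts for
    review and 'block' large ones, notifying the operator either way."""
    acct = store.accounts[user]
    if device_fingerprint(device_id) in acct["devices"]:
        return "proceed"
    if amount <= acct["unknown_device_limit"]:
        notify(f"{user}: {amount} from unenrolled device, held for review")
        return "hold"
    notify(f"{user}: {amount} from unenrolled device, blocked")
    return "block"


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery staple", b"12345678901234567890")
    print(login(store, "alice", "correct horse battery staple", "phone-A"))  # step_up_required
    code = hotp(b"12345678901234567890", 0)
    print(login(store, "alice", "correct horse battery staple", "phone-A", code))  # allow
    print(gate_transaction(store, "alice", "phone-B", 500, print))  # block
```

The counter advances only after a successful second factor, so a code captured from one enrolment cannot be replayed to enrol a second device. The gating function separates "slow down" from "stop", which is what the paragraph asks for: a small transfer from an unknown device is delayed and surfaced to an operator, a large one is refused outright, and the enrolled-device path is untouched.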


Key takeaways

The combination of mobile apps that contain or transmit sensitive personal information and the unpredictability, lack of security awareness, and sheer number of consumer users of these apps dramatically increases the risk of security breaches.

The current set of mobile security solutions is not keeping pace with the evolution of the mobile app industry and does little to address the issues that lie beyond problems that are localized in an app's code.

While the major app stores are mostly secure, this does not equate to the security of apps in the marketplace. Third-party app stores and jailbroken or rooted phones can easily take these safe apps and hack them into being tools for the unscrupulous.

Effective mobile security requires solutions that sit on the business- or server-side of the equation, monitoring information and requests that come in from consumer apps and testing them against security protocols. These must work in real-time to be able to immediately identify and deal with potential threats.


About Aaron Watkins

Aaron Watkins is a mobile industry veteran with more than 10 years of experience working on B2C mobile activations, from text message campaigns to mobile apps. He is the president and co-founder of the first app-specific marketing agency, Appency, guiding major brands and app developers in their app strategy and distribution plans. As a Gigaom analyst, he wrote one of the original texts on app marketing and has sat as a representative on the European Union's Eurapp panel for stimulating Europe's presence in the app stores. He is a TEDx speaker on the issue of mobile privacy and has spoken at numerous conferences on the ever-changing app economy. In addition, Watkins is on the board of the National Firefighters Endowment and the non-profit group Above the Fray in Sacramento, working toward helping youth avoid the pitfalls of social media abuse.


About Gigaom Research

Gigaom Research gives you insider access to expert industry insights on emerging markets. Focused on delivering highly relevant and timely research to the people who need it most, our analysis, reports, and original research come from the most respected voices in the industry. Whether you're beginning to learn about a new market or are an industry insider, Gigaom Research addresses the need for relevant, illuminating insights into the industry's most dynamic markets.

Visit us at: research.gigaom.com.

Giga Omni Media 2014. "Are apps safe? Digital security and the B2C app" is a trademark of Giga Omni Media. For permission to reproduce this report, please contact [email protected].
