| 5 min read
Allow us to start this blog post with a simple petition. Imagine you bought some stuff, including a box of donuts, and brought them for a retreat in your country house. You hurry to store most of the stuff, as you must take off asap to pick up some of your guests. Since there is no space left in the fridge, and you have no time to go and look for the zip bags in your car, you decide to place the box of donuts inside a plain plastic bag and leave them on the kitchen counter. "That should do," you think. Hours later, you're back with your guests and, as you look in the kitchen for something to offer them, you see a signal. An ant, several, lots. They are all surrounding the bag with the donuts. Had you inspected the bag beforehand, You could have seen a little hole.
"I would have used two bags to protect them better!" a reader might argue. Possibly. But, as anyone who's had an ant problem in their kitchen would attest to, ants always find their way to where they're not wanted, if given enough time. Let's get some things clear, though. We're not supposing that the zip bag is infallible. There might be other antagonists at your country house with more strength to power through piercing the different layers securing the donuts. Our point is that combining these solutions might have resulted in a more successful prevention than what we saw in this hypothetical.
Doesn't all of the above remind us of the posture that some have adopted towards cybersecurity? Adding layer upon layer –each imperfect– as defense, without turning to the most appropriate solution, and rather confident that that should be enough. Is this the case with you and your team?
Security through obscurity
Within the sheer amount of offers in the cybersecurity market, there are solutions that integrate controls to protect apps as the latter run. This is the case of a category that Gartner calls "in-app protection."
In-app protection is the type of solution that introduces functions in its clients' software products to make them more resistant to cyberattacks. Some of those defenses, offered directly or from third parties, are the following:
-
Runtime application self-protection (RASP): It is a function that monitors the app (e.g., its inputs and outputs) and notifies the user or closes the app if it finds an insecure pattern.
-
Man-in-the-middle (MITM) attacks prevention: It is a set of functions like detection of malicious proxies, certificate pinning (see below), URL allowlisting/whitelisting, etc., that work to prevent hackers from intercepting communications between two parties.
-
Detection of jailbroken or rooted devices: It is a function that notifies or prevents the execution of the app in devices where there's access to the root user.
-
Secure certificate pinning: This is a function that forces the use of matching SSL for communications between the app and a server. This is to avoid hackers detour communications to a malicious server with fake certificates.
-
Code obfuscation: It is a function that makes source code hard for a hacker to interpret or for an static code analysis (SAST) tool to scan in search of vulnerabilities.
-
Anti-reverse engineering techniques: It is a function to block the tools hackers use for identifying software components, functions and relationships, and ultimately, the product's business logic, without initial access to source code.
The above are additional security measures for apps. They are recommended by some, e.g., the OWASP Mobile App Security (MAS) project, for apps whose owners are organizations with an urgent need to safeguard their assets and business logic. However some solutions in the market promise to alleviate the dev team's workload, to enable speedy deployments into production, and, something quite attractive, to protect apps with no need to write code. Such offerings may be interpreted by clients as enough measures to keep apps secure, as if that was a way to remediate their vulnerabilities.
We need you and your team to learn and understand this mantra: "Enabling security controls is not remediating". Precisely, the security features we mentioned in the previous lines are defenses that help increase the complexity to exploit a vulnerability or understand the code. Remediation, on the other hand, is the elimination of a characteristic of a software product's security posture, configuration or design that renders it open to exploitation.
Maybe some of the teams that delegate security wholly to in-app protection don't need the above explanation. They are satisfied with the armor they procured for their apps and don't see remediation as necessary, while perceiving it as extremely expensive. But hiding software vulnerabilities behind layers of defenses without any intention to fix them is an unfortunate decision.
You are just buying time
Fluid Attacks' hacking team has experience bypassing controls including the ones mentioned in this post. That is not necessarily due to RASP misconfigurations, or insufficient obfuscation, but rather to hackers being able to always bypass these controls, if given enough time. Behind these controls hackers find back-ends with vulnerabilities ready to be exploited. Another possibility is they can obtain previous software versions with no in-app protection and launch their attacks against them.
Excessive confidence in security controls may eventually allow for security breaches which can mean losses of information, money and reputation.
Don't comply only with resilient security
We stress on this: In-app protection defenses are additional measures. They do not replace security requirements your app's source code and configurations need to comply with. That's the same OWASP MAS says. The latter project recognizes the importance of security controls as resilient security and calls them an extra layer that reinforces the other two: an essential security layer and an advanced security layer.
Essential security requires your mobile app to use preexisting, tested and secure cryptographic mechanisms, protect network traffic, use inter-process communication mechanisms securely, have no vulnerable third-party dependencies, among other requirements. All this must be verified continuously and fixed when an issue of noncompliance is detected. It matters not how good you think your resilient security is. We list the risks to mobile apps elsewhere along with the role that security testing plays in identifying them.
Regarding advanced security, compliance with the corresponding set of requirements are strongly advised if your app handles high-risk sensitive data. Some security measures in this layer include usage of secure authentication mechanisms, identity pinning, and secure update mechanisms.
Remediating is safer and faster each time
We have defined what you should recognize as additional and what is essential. We know that it's the security of your app's code and configurations what ultimately stands between a malicious threat actor and the integrity, confidentiality and availability of your business' and your end users' information. Undoubtedly, an important chunk of your team's efforts needs to focus on identifying and fixing security flaws while resilient security measures buy you some time.
Not only is it safer to remediate vulnerabilities, but it is a task that tends to gain velocity. When your development team takes responsibility for the app's security they can acquire knowledge about vulnerabilities and, through timely feedback, they can learn to write secure code. This translates into fewer instances of at least one type of vulnerability and less rework and time to remediate. In fact, our latest report, State of Attacks 2023, we found that, if a team breaks the build, preventing vulnerable code from being deployed into production, they take less time to remediate detected vulnerabilities than when they do not break the build.
Fluid Attacks tests your app's security thoroughly and helps fix flaws
As mentioned, Fluid Attacks has a hacking team. It's a highly qualified team that evaluates the security of software products continuously alongside AppSec testing tools developed by Fluid Attacks. Such a combination results in speed and precision. Thanks to Fluid Attacks, you can learn about vulnerabilities in your essential, advanced and resilient security, as well as obtain remediation recommendations from an expert team.
Find vulnerabilities in your app before a cybercriminal does. Contact us.
Recommended blog posts
You might be interested in the following related posts.
