Your consumer app is not safe!
Why? Because our internet infrastructure is fraying at the edges. What was safe in the 2000s and early 2010s just isn’t working anymore. Consumers have gone mobile with increasingly powerful devices, and companies can now utilize fingerprint readers built right into the consumer’s phone. While these enhancements add significant security, they also consolidate risk. A successful hack to the Android fingerprint reader or TrustZone and 100s of billions of dollars are at risk. Moreover, breaking a high value corporate app leads to financial fraud and the loss of sensitive personal information. Hackers won’t just steal your money… they’ll steal your identity.
Multi-Layer Approach to Defense and Security
Every security tool relies on the trust established by the layers below it. User security is built on the trust of the application. Applications & Connectivity rely on the OS. The OS relies on hardware. To secure a mobile device, you must build security, not just at one layer, but at all layers. This strategy ensures that apps can survive the platform or channel hacks based on zero-day vulnerabilities that may take a while to patch and rollout.
Companies with critical, client-facing applications cannot leave this trust to others. These companies need to be confident in all layers of mobile security and have control at each layer individually. If the base hardware or OS of any iOS or Android device is tampered with, all bets are off. That’s why defense-in-depth is a critical component of mobile security strategy today.
Providing protection for all these layers is often the responsibility of different tools, but individualizing security by layer leaves gaps that hackers take advantage of. For example, applications typically rely on local monitoring to detect low-level data attacks. They miss, however, broken TLS certificates and weakly encrypted data in transit.
BEST PRACTICES ACROSS ALL LAYERS:
1. Ensure Device Integrity: Implement a solution that monitors Rootkit & Jailbreaking attacks. The solutions should also detect network threats and device vulnerabilities that enable hackers to compromise sensitive business information stored in devices used at the office.
2. Enable Hardening and Tamper-proofing: Mobile apps should offer self-defending capabilities such as code obfuscation, dynamic code execution and environment detection. In case cybercriminals can bypass network security and access mobile devices, the consumer-banking app should secure itself from the inside out and engage in its own self-protection capabilities.
3. User Authentication: Modern apps are moving away from usernames and passwords as the only user credential. Because of the variety of use cases, this may not be immediately practical. A strong modern security solution must resolve security issues while remaining flexible with credentialing processes.
a. Native authentication via the device provided biometric. Authentication just based on the resulting biometric credential isn’t enough though. The entropy of the login system should be extended with a device, application and even a relationship signature using cryptographic capabilities that persist and can’t be phished, copied, or hacked.
b. Optionally leverage new biometrics with online and offline modes. Aim to leverage biometrics that allow for ease of integration and deployment. Also look for solutions that focus on reducing false positive rates. The power of any brute-force attack will be in the ability to bypass normal biometric procedures (fake thumbprints, facial scans of photos instead of real people).
4. Encrypted Data in Transit: Provide a secure channel above TLS/SSL. By utilizing a channel above TLS, it ensures that the app is shielded from common zero-day hacks to the transport layer and attacks to common TLS libraries or undetected hacks at the OS level that corrupt the TLS function. Further look at software defined perimeter technology that allows for explicit white-listed channels (e.g. only pre-authorized users) but also allows the flow of existing TLS/SSL infrastructure.
5. Encrypted Data at Rest: Provide localized encryption scopes based on app/user/device. Look for solutions that can scale way beyond your customer base (e.g. 100’s of millions of users per instance) without impacting the customer experience. Make scopes relative to any combination of User/App/Device/Session. Ensure that captured data is encrypted and that decrypting that data requires breaking every layer of security all at once making the hack intensely difficult even for state sponsored actors. Essentially, encrypted data, if compromised, is rendered useless in the hands of cybercriminals unable to decrypt it.
6. Use a Device Fingerprint: Capture invariant device information in combination with a cryptographic signature. Keeping track of these fingerprints for each device and comparing this information against the available profile at the server ensures no unauthorized individual accesses critical business information without approval. Provide unique device identifier for alternative vendors and systems such as customer risk management and customer call center resolution.
7. Track Device Behavior: Capture variant device information. Tracking the behavior of particular devices allows detection of non-normal behavior, movement, or bot-like activity. For example, bot phones don’t shake in pockets… real phones do. By identifying phones with unusual behavior or app usage, you can limit access to information and app functionality, thereby avoiding financial or data losses to end-users.
8. Monitor Events In Real-Time: Track information around users, devices, logins, verifications, registration, and admin actions in real-time. Track the needs of your DevOps teams, specifically pertaining to CPU, Memory & concurrency of users. Anomalies identified via these reports in real-time will allow your organizations to detect potential attacks before they escalate beyond measure.
Making a Case for the Uniken SDK
If you want to secure your mobile app, you can’t leave anything to chance. You must secure all layers, all at once. But that kind of security doesn’t have to be difficult to deploy. Creating entirely secure data-at-rest containers for unmanaged customer devices has always been difficult but is very valuable to the safety of your brand and business. Uniken is a comprehensive security tool that doesn’t leave it to chance. It provides security that is above and beyond the OS (Secure Enclave for IOS and Trust Zone for Android).
In regulatory-rich verticals such as finance, banking, and healthcare, managers have both a legal, fiduciary, and business responsibility to secure mobile apps. The Uniken SDK gives developers the tools to easily build robust, scalable, and secure apps that are fully compliant with government data security and privacy legislation in such industries.