Since the concept of IoT was floated, and with the growing market penetration of smartphones and high-speed mobile internet connections, the mobile application development industry has outperformed its growth forecast year over year. From 2014, mobile commerce has outperformed its desktop counterpart for a third consecutive year, confirming the new trend. During the year ending June 2017, the Apple App Store clocked 50 billion app downloads, over 350% higher than the number recorded five years earlier, in the year ending June 2012.
In 2016, global mobile app revenue stood at USD 88.3 billion (up 27% from the number recorded in the previous year) and is anticipated to reach USD 190 billion by 2020.
Since a new trend in consumer preference has been set, tech-savvy businesses have been quick to respond to the new demand and to put their platform, product or services at consumers' fingertips within the shortest possible time. Most of the global e-commerce players have already reported a greater share of conversions from their mobile platforms, while new players keep coming in, either to challenge the segment leaders or to add a little more to the capacity of smart devices with their unique concepts.
However, in this process of quick formation and transition, application security has not received the attention it deserves, and as a very quick consequence startups have taken the biggest hit, leaving themselves exposed to the will of their larger counterparts or even to an adventurist in the application security domain.
La Manguste has put its effort into identifying the top 5 threats for mobile app businesses, which must be neutralized to maintain consistent operation:
Since the word "Distributed" was added to "DoS", the matter has been a nightmare for any web server. For those new to internet threats, DDoS is a proven and commonly practised way to block the resources of a web server by overwhelming it with hits, requests or queries sent from a large number of terminals at the attacker's disposal. Any mobile application that serves dynamic content to its users must be backed by a web application hosted on a server under the application owner's control and reachable on port 80 or port 443, with or without additional security or authentication. This part is always exposed to DDoS attacks of any dimension, depending on the attacker's capability. The damage is not limited to the web server being unable to serve requests from real users; it may extend to blocking other resources of the business.
Blocking of physical resources occurs for businesses that allow temporary reservation of certain resources without any payment transaction. For example, think of a ticket booking application that keeps chosen seats blocked for a few minutes to prevent a collision of choices while users are in the payment process. Two of the biggest operators in the transport industry, Uber and Lyft, suffered DDoS attacks in which all of their vehicles in certain cities were booked, only to be cancelled after a few minutes. At the least, a formidable DDoS attack can exhaust your credit limit with your hosting company.
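The seat-lock scenario above is what makes unpaid reservations abusable; the usual control is a hold that expires on its own plus a cap on how many holds one client identity may keep open. The following is an added example, not code from the original post or from any booking system; the class, seat ids, TTL and cap are assumptions made for the illustration:

```python
"""Added example (not from the original post): a reservation-hold table with
expiry and a per-client cap, so unpaid holds (the seat locks described above)
cannot be used to tie up inventory at scale. Names and limits are assumptions."""
from dataclasses import dataclass
from typing import Dict, Set

HOLD_TTL_SECONDS = 300.0        # a hold is released if payment does not complete in 5 minutes
MAX_OPEN_HOLDS_PER_CLIENT = 4   # cap on concurrent unpaid holds per client identity


@dataclass
class Hold:
    client_id: str
    expires_at: float


class SeatHoldManager:
    def __init__(self) -> None:
        self._holds: Dict[str, Hold] = {}   # seat_id -> live hold
        self._sold: Set[str] = set()        # seats whose payment completed

    def _expire(self, now: float) -> None:
        # Release every hold whose payment window has passed, freeing the seat again.
        for seat, hold in list(self._holds.items()):
            if hold.expires_at <= now:
                del self._holds[seat]

    def open_holds(self, client_id: str, now: float) -> int:
        self._expire(now)
        return sum(1 for h in self._holds.values() if h.client_id == client_id)

    def try_hold(self, seat_id: str, client_id: str, now: float) -> bool:
        """Reserve seat_id for client_id; False if taken or the client is at its cap."""
        self._expire(now)
        if seat_id in self._sold or seat_id in self._holds:
            return False
        if self.open_holds(client_id, now) >= MAX_OPEN_HOLDS_PER_CLIENT:
            return False                      # one identity cannot lock up the whole inventory
        self._holds[seat_id] = Hold(client_id, now + HOLD_TTL_SECONDS)
        return True

    def confirm_payment(self, seat_id: str, client_id: str, now: float) -> bool:
        """Turn a live hold into a sale; False if the hold expired or belongs to someone else."""
        self._expire(now)
        hold = self._holds.get(seat_id)
        if hold is None or hold.client_id != client_id:
            return False
        del self._holds[seat_id]
        self._sold.add(seat_id)
        return True
```

In production the client identity behind the cap would be a logged-in account or a device token rather than a bare string, and the hold table would live in a shared store so every backend instance sees the same locks.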
Brute force is the practice of trying an array of auto-generated passwords against one or more user accounts of a web or mobile application. A serious brute force attack always comes in combination with DDoS, where multiple terminals are used to increase the speed of the process. Social media and banking systems are the toughest challenge for brute force attackers (since their users are more prone to use a stronger password) and have also been the largest victims of brute force attacks. But smaller and less important mobile applications are practically soft targets, as users are more likely to use a weak password for such apps. Normally, smaller mobile applications face application-targeted attacks in which a large array of user accounts is brute forced to obtain a list of stolen passwords. This hands control of a significant number of user accounts to the attacker, which can then be used for information gathering, violating users' privacy, tarnishing business reputation, and so on.
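Both shapes described above leave a distinct trace in an application's authentication log: many failures against one account, or one source failing across a large array of accounts and then succeeding on some. The following detection logic is an added example, not code from the original post; the log format, thresholds, addresses and the sample lines are all constructed for the illustration:

```python
"""Added example (not from the original post): failed-login analysis over constructed
log lines, flagging single-account brute force and one source spraying many accounts.
Log format, thresholds and addresses are assumptions for this illustration."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample of an application's authentication log (not real data).
SAMPLE_LOG = """\
2017-06-01T10:00:01 login_failed user=alice src=203.0.113.7
2017-06-01T10:00:02 login_failed user=alice src=203.0.113.7
2017-06-01T10:00:03 login_failed user=alice src=203.0.113.7
2017-06-01T10:00:04 login_failed user=alice src=203.0.113.7
2017-06-01T10:00:05 login_failed user=alice src=203.0.113.7
2017-06-01T10:00:06 login_failed user=bob src=198.51.100.9
2017-06-01T10:00:07 login_failed user=carol src=198.51.100.9
2017-06-01T10:00:08 login_failed user=dave src=198.51.100.9
2017-06-01T10:00:09 login_failed user=erin src=198.51.100.9
2017-06-01T10:00:10 login_ok user=bob src=198.51.100.9
2017-06-01T10:00:11 login_failed user=grace src=192.0.2.44
2017-06-01T10:00:12 login_ok user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"^\S+ (?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$")
PER_ACCOUNT_THRESHOLD = 5   # failures on one account -> single-account brute force
PER_SOURCE_ACCOUNTS = 4     # distinct accounts failed from one source -> spraying a user list


def analyze(log_text: str) -> Dict[str, List[str]]:
    failures_by_user: Dict[str, int] = defaultdict(int)
    accounts_by_src: Dict[str, Set[str]] = defaultdict(set)
    ok_after_fail: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # ignore lines that are not auth events
        user, src = m["user"], m["src"]
        if m["event"] == "login_failed":
            failures_by_user[user] += 1
            accounts_by_src[src].add(user)
        elif user in accounts_by_src[src]:
            ok_after_fail[src].add(user)   # a success from a source that was failing on that account
    return {
        "brute_forced_accounts": sorted(u for u, n in failures_by_user.items() if n >= PER_ACCOUNT_THRESHOLD),
        "spraying_sources": sorted(s for s, users in accounts_by_src.items() if len(users) >= PER_SOURCE_ACCOUNTS),
        "compromised_after_spray": sorted(f"{s}:{u}" for s, us in ok_after_fail.items()
                                          if len(accounts_by_src[s]) >= PER_SOURCE_ACCOUNTS for u in us),
    }
```

The third list is the one worth acting on first: an account that logged in from a source which had just failed against many others is a likely takeover, and a forced password reset there limits the damage the text describes.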
Data Theft/ Data Destruction
SQL injection topped the OWASP 2017 Top 10 mobile application threat report again, not only because it has been the most widely used way of attacking a mobile application but also because of the quantum of damage it has cumulatively inflicted. Losing or disclosing massive amounts of data to attackers as a consequence of insufficient protection against SQL injection is a real possibility for any mobile application; however, smaller applications remain highly exposed due to the lack of knowledge of mobile application developers and to how they store and preserve data in their backend. The magnitude of damage varies directly with the quantum of data stolen or destroyed and, of course, with the importance of the data. For a mobile application owner it should be of utmost importance to consider the amount of information they gather from their users and their ability to protect that information. An application owner can be held legally responsible for any damage the attacker does to the users whose information has been compromised.
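The developer-side defect the paragraph refers to is building the query text out of user input, so that input is parsed as SQL rather than treated as a value. The following is an added example, not code from the original post; the table, the rows and the lookup function are constructed for the illustration, with the vulnerable form beside the parameterized one:

```python
"""Added example (not from the original post): the defect behind the SQL injection
threat described above, shown with an in-memory SQLite table, beside its fix.
Table, rows and query are constructed for this illustration."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Untrusted input is spliced into the SQL text, so whatever it contains is parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The driver sends the value separately from the statement; it can only ever match a name.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    try:
        lookup_vulnerable(db, "O'Brien")      # the apostrophe breaks the statement: OperationalError
    except sqlite3.OperationalError as exc:
        print("vulnerable query broke on a legitimate name:", exc)
    print("safe query:", lookup_safe(db, "O'Brien"))   # []
```

The same separation of statement and value is what every backend framework's prepared-statement or ORM layer provides; the failure on a legitimate name containing a quote is the first visible sign that the query text is being assembled from input.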
FTP Security Compromise
A web server FTP security breach is another threat with the capacity to throw a mobile application business out of business in a single attack. Any mobile application using web services must be connected to a web server that stores several files supporting the operation of the application, including source code, scripts, and user-uploaded files such as media files and documents. Web servers remain accessible to remote systems through FTP connections. The highest level of FTP access puts the entire backend system at the disposal of an attacker by granting access to whatever files are on the web server. A local network security breach of the remote systems used to make FTP connections with the web server is primarily responsible for the sniffing of FTP passwords. However, a breach at a higher level (access to the entire server rather than a single instance) is not a rare incident for web servers allowing non-SSL FTP connections. A breach of FTP security enables an attacker to collect backend application source code, which may expose your proprietary business logic, and enables a more organized SQL injection attack by disclosing crucial information about the database (sometimes even the database credentials). The attack can do greater harm to applications that store user-uploaded files. Think of the media storage of a social media app or the resume storage of an employment application.
Like a website, the application backend can be infected by malware that puts it straight out of work, either by disengaging web services or by blocking server resources using recursive functions. A malware infection can originate from a breach of the web server's security or of any other application using the same server. At the least, a malware attack puts your mobile application out of work until it has been cleaned. Modern malware attacks are intended to do far more damage, including disclosing crucial information about the database and forcing the application to distribute malware to consumers' mobile devices.
If you are not sure about your mobile application security or your contingency plan to mitigate such risks, you might consider asking a mobile application security expert today.