モバイル　アプリケーション　セキュリティー

Mobile application: The backdoor for hackers

Mobile applications are fast becoming the preferred method to access critical services and to be used as a management tool as part of the “Internet of Things” (IoT). Sensitive personal and business information is being accessed, stored and managed on a growing range of devices.

Criminals are aware of the value of this data – which affects a wide range of industries and sectors. These criminals are intelligent and highly resourceful and able to exploit weaknesses in platforms, operating systems and applications.

Research suggests that as many as half of mobile app users do not take any steps to protect their devices, even when aware of the risks, and so-called operating system defenses are easily broken down.

Markets linked to the future adoption and growth of the Internet of Things that are at risk include:

• Mobile Health
• Mobile Enterprise & BYOD
• Automotive Management and Security
• Mobile ID and Government systems
• Home Automation and Security
• IoT devices and networks

Application developers should always assume that their applications will be running on devices that have been - or will be - compromised and make sure applications can protect themselves.

Contrary to popular understanding, afterthought solutions to protect Apps, such as wrappers, malware detection and root detection do not work in these highly-varied mobile platforms and are impossible to apply to embedded IoT devices.

There are several reasons for this:

1. such detections work on a blacklist model - they search for known problems. This makes it an arms race and one the hackers are winning simply by using unknown and unanticipated techniques.
2. users react badly to applications forcing restrictions on how they can use their phone - some users legitimately want to “root” their phone, others do not want to be made to install anti-virus software.
3. technology developed for server or desktop networks and applications is rarely transferable to highly open devices like smartphones or to restricted instances such as IoT devices.

Security at an early stage in the design process

To protect employers and users, mobile application developers need to consider security early in the development process. To do that they need to ensure that the following have been applied to their applications to secure them from any potential leak of sensitive data:

• Code integrity checks: prevents any unauthorized changes to the mobile app.
• Code obfuscation: hides critical and sensitive portions of a mobile app.
• Whitebox cryptography: enables secure encryption and data storage on any platform
• Processor native code: provides a solid foundation from which to build the security layers.

Criminals are aware of the value of this data – which affects a wide range of industries and sectors. These criminals are intelligent and highly resourceful and able to exploit weaknesses in Platforms, Operating Systems and Applications.

Research suggests that as many as half of Mobile App users do not take any steps to protect their devices, even when aware of the risks, and so-called operating system defenses are easily broken down.

Markets most at risk:

• Mobile Financial & Payments
• Mobile Health
• Mobile Enterprise & BYOD
• Automotive Management and Security
• Mobile ID and Government systems
• Home Automation and Security
• IoT devices and networks

Application Developers need to be aware of this and should always assume that the devices their applications are running on devices that have been - or will be - compromised and act accordingly. This means that developers need to take responsibility of making sure their applications protect themselves.

Contrary to popular understanding, afterthought solutions to protect Apps, such as Wrappers, Malware Detection and Root Detection, simply do not work in these highly varied Mobile Platforms and are impossible to apply to embedded IoT devices.

There are several  reasons for this:

• Such detections work on a blacklist model - they search for known problems. This makes it an arms race and one the hackers are winning simply by using unknown and unanticipated techniques.
• Users react badly to Applications forcing restrictions on how they can use their phone - some users legitimately want to “root” their phone, others do not want to be made to install anti-virus software.
• Technology developed for Server ot Desktop networks and applications is rarely transferable to highly open devices like Smart-Phones or to restricted instances such as IoT devices.

These problems can be avoided if security is considered early in the development process.

To protect their services and users, Mobile App developers need to ensure that the following techniques have been applied to their applications securing them against potential compromise:

• Code Integrity Checks: Prevents & detects unauthorized changes to the mobile app.
• Code Obfuscation: Hides critical and sensitive portions of a mobile app.
• WhiteBox Cryptography: Enables secure encryption and data storage on any platform.

Inside Secure delivers is.Core (Integrity Check System, Obfuscation) and is.WhiteBox (WhiteBox toolkit) combining these techniques into a comprehensive package of a Software Secure Element (SSE) that has been deployed in more than 400 million mobile applications to secure Mobile Financial, Entertainment and Mobile Payments services. These applications are regularly subjected to extensive penetration and attack testing by external security labs.

"Protect your mobile applications to keep your connected world safe"