Mobile App Security: Uncovering the Risks of Secret Theft at Runtime
This is our second blog highlighting the results of the Approov Threat Lab Report.
In our previous blog we looked at why secrets such as API Keys should never be allowed to get in the hands of hackers, and we saw that the Approov Threat Lab found that the top finance apps immediately gave up an embarrassing amount of secrets without putting up much of a struggle.
The team also researched the runtime security of apps and I want to dig into that a little more in this blog.
As a reminder, at the beginning of 2023, the Approov Mobile Threat Lab released research describing the automated inspection of the top 200 financial apps in four countries in terms of downloads: US, UK, France and Germany - a total of 650 unique apps which together serve millions of users and manage billions of dollars, euros, pounds and various cryptocurrencies.
Secrets can be stolen in many ways. They can be taken from repositories, they can be exposed in app code or they can be intercepted when an app is running. In general, hackers apply a two stage process: first steal useful secrets and then use them to create scripts and bots to access APIs, in order to steal data and derail services. The full report is available for download here.
Source: Approov.io
Let's look at what the research found about how well protected apps were at runtime.
The Runtime Problem with Mobile Apps
Even if keys and secrets cannot be easily reverse engineered from the mobile app code, hackers can get another opportunity to grab secrets at runtime by manipulating the app, the environment and/or the communication channel(s).
The Threat Lab looked in particular at two runtime attack surfaces: “Man-in-the-Middle (MitM)”, where the communications channel between app and API is hacked and “Man-in-the-Device” where the client environment that the app is running in is manipulated.
The team did not actually carry out runtime attacks (that would be hacking), but managed to get a surprising amount of information from static scans of the mobile app packages. This is a problem since hackers can do the same and easily and quickly see whether your app is vulnerable and which runtime extraction approach will work best.
Man-in-the-Middle
The communication channel between apps and APIs presents a rich target for hackers via Man-in-the-Middle attacks, which can be used to bypass advanced security measures such as MFA. In the mobile use-case, deploying Transport Level Security (TLS) alone is not sufficient since tools installed in the device can easily intercept encrypted communications and interfere with the truststore.
MitM attacks occur when an attacker intercepts or manipulates mobile device communications to gain access to sensitive information. They give attackers the ability to see any communications, modify messages, steal login details or certificates, even when traffic is encrypted.
The Threat Lab researchers used tools to inspect the network_security_config.xml file. This file lets developers customize an app's network security settings in a declarative way separate from the app code. By inspecting this file it was possible to see:
There is much more detail about this in the full report but in summary, the team classified apps as Protected against MitM if pinning is detected in the network config file and no other red flags are raised and Vulnerable to MitM if the config file showed no pinning was in place and CAs, cleartext traffic and Android versions were not being properly restricted.
Recommended by LinkedIn
Source: Approov.io
Man-in-the-Device
Although rooting, jailbreaking or other manipulation of the mobile device environment do not always mean that malicious activities are taking place, these are common techniques used by attackers and pentesters to bypass security mechanisms and limitations imposed by the original version of the OS.
Rooted and jailbroken devices pose a threat to device integrity because these actions enable the in-built security mechanisms to be compromised. The threat extends to mobile app integrity because the mobile app is now running in an environment that cannot be trusted. Another form of code tampering is to inject code at runtime by using an instrumentation framework.
Such frameworks are used to hook into the key functions that, when manipulated, will produce different app behavior than expected or will change input parameters or output results. Fraudsters can intercept and modify genuine user instructions.
Again the scanners used were able to make some basic evaluation of the types of protection in place to prevent runtime manipulation of the environment, for example determining the presence of:
Some Runtime Research Findings
The research found that:
Is Your App Protected at Runtime?
If you are reading this then you may be concerned about the security of your own app. You should be! Our investigation found that 99% of the app packages inspected indicated they were not implementing protections to prevent secrets such as API keys from being extracted from the running app.
You can check your own app using the information in the report or feel free to contact Approov- we will be pleased to check your app for you.
No doubt the development teams behind these apps try to shift-left” and remove vulnerabilities during development. They also apply obfuscation techniques. This research however shows that these approaches are grossly inadequate, eliminating neither the risk of “zero day” vulnerabilities nor preventing loss and abuse of API keys at runtime.
Runtime security is needed, in order to protect the app, the client environment and the communications channel from the app to the cloud. Such a solution should:
Such solutions are available, so there really is no excuse! Let's hope when the Approov Threat Lab does this exercise next time there is a marked improvement in the security of these critical financial apps!
Download the full report to see detailed data, country by country, category by category, as well as detailed recommendations on how to better manage and protect secrets in mobile apps.