Application Security Redux: It’s All about the Apps (Part 2)

If you would like to read the first part in this article series please go to:

Introduction

Application security is more important than ever, as operating systems take a back seat and it becomes “all about the apps.” In this article series, we got started in Part 1 with a broad overview of application security, and specifically the different components of an effective and comprehensive application security strategy. We began to address some of the different types of application security issues, and we focused on coding defects, how they occur, types of app vulnerabilities, and how to prevent or fix them.

Protecting applications from malicious software

Malware of all kinds – Trojans, viruses, worms, spyware, ransomware, scareware and many others – is a huge problem and it’s growing every year. According to statistics from the AV-TEST Institute, more than 390,000 new malicious programs are registered every day, and the annual incidence of new malware has gone from fewer than 10,000,000 in 2006 to more than 140,000,000 in 2015. A little less than a year ago, CNN Money put the figure of new per-day releases at almost a million, and Kaspersky reported repelling over 798,000,000 separate attacks in 2015.

We’re still in the first quarter of 2016 at the time I’m writing this, so it’s difficult to predict whether and how much the malware threat will increase between now and the end of the year, but it’s a safe bet that it’s going to continue to be one of the top security issues for everyone from home users to the largest enterprises, on both traditional desktop and modern mobile devices.

Applications are a favorite target of the malware author or attacker for several reasons. When stealing data is the goal of the attack, the application that uses that data is the logical point for intercepting it. When sensitive data – such as social security numbers, credit card and bank account numbers, medical information and so forth – is sitting on the hard drive, unused, it is (we hope) encrypted. If an application decrypts it in order to use it, it’s exposed and the attack has a window of opportunity.

Malware can make changes to the applications themselves; for instance, the app could be modified so that it automatically sends copies of the data files it opens to the attacker. Malware that targets applications can be especially difficult to detect. Malicious code can be designed to disguise itself, and can even change the security log entries and turn off anti-malware software.

Secure code signing can help to protect against malware by authenticating the source and identity of a program before you run it, but it’s important to remember that the protection offered by signed code is only as good as the integrity of the certificate used to sign it. Attackers target the private digital certificates that software companies use to sign their code for theft, so they can use it to sign their malicious software so that it will appear to be trustworthy. Theft of code-signing certificates and their digital keys have been a big problem over the last few years, with well-known and respected companies having to revoke their certificates after they have been compromised. There have also been cases where the Certification Authority that issued certificates didn’t properly verify the identities of the companies to which they sold the certificates, or issued certificates with weak keys that could be cracked.

Mobile app security

Of course, application security these days is more and more about mobile apps, as so many people use tablets and smart phones for work. Often these are employee-owned devices in a BYOD environment, which makes it more of a challenge to protect them from malware.

Mobile apps developed in-house are increasingly common. There are many benefits to having your company’s own developers create custom apps that meet your line-of-business needs. However, many talented devs are not experts in security, and many companies don’t employ staff application security experts to test these homemade apps and discover any vulnerabilities that might have crept in during the coding process.

There are solutions. A number of vendors offer application security assessment services and tools. Last year (2015), Gartner published their Magic Quadrant for application security testing that named HP (Fortify), Veracode, IBM (Security AppScan) and WhiteHat Security as the leaders in this space, out of the nineteen vendors they considered. They based the evaluation on the testing methods that the companies used (static, dynamic, interactive and/or mobile application security testing) and how they were implemented. Such services and tools can also be used with traditional desktop applications as well as mobile ones. There are also free/open source tools that you can use to detect vulnerabilities in mobile applications, such as nogotofail, which is available on Github.

Both devs and users need to be aware that when an app requests excessive permissions (which most users automatically grant), this can give malware an entryway to infiltrate the device. Only those permissions that are actually required for the app to perform its purpose should be requested, and users and IT personnel should consider that some nice but not necessary app features or functions might need to be disabled in order to provide greater security.

Protecting against Malicious Mobile Apps

It’s important to understand that mobile application security has multiple facets, just as desktop application security does. One prong of our defensive strategy is to protect against vulnerability exploits, as we discussed in Part 1 of this series. A second step is to protect our apps and our devices against malware.

When we think about malware in relation to desktop applications, most of us think first about the malicious code that is often installed via “drive-by downloads” when a user visits a web site that contains the malware (either a site hosted by the malware distributor or a legitimate web site that is unknowingly spreading the malware through user-uploaded content). Less often, the malware is installed directly and unknowingly by the computer user (although the user doesn’t know that it’s malware), when he/she downloads and runs a program that is supposed to serve a legitimate purpose.

Today, most users don’t install a lot of programs on desktop machines, even when they can. Users with new Windows computers might install an Office suite, a PDF reader, a graphics editor, an alternative web browser – but a large proportion of these will be well-known commercial software packages such as Microsoft Word or OpenOffice, Adobe Reader, Photoshop, Chrome or Firefox.

In the business environment, IT usually locks down user accounts so that they can’t install new software programs. Software is deployed by IT, so it has been vetted and you have control over it. With mobile apps on user-owned devices, this might or might not be the case. Users, especially younger and more tech-savvy ones, are used to installing mobile apps more casually than most users install desktop applications.

Installing apps only from the “official” sources – Apple’s App Store, Google Play Store, Windows Store – can help users protect against installing malware, but it’s not a perfect process. Malicious software has gotten through the vetting process. Last September, Apple confirmed that malware-infected apps had been found and removed from its Chinese App Store. A month later, malware called Ghost Push was discovered in some of the Google Play Store apps.

While anti-virus and anti-malware software is usually the first thing installed on a desktop operating system (and such protections are often explicitly built into the OS), far fewer users install such security software on their smart phones and tablets, and many don’t even know that it’s available and/or that there is a need for it.

Mobile security software does exist and can be helpful, but there are also apps that advertise themselves as “anti-virus” or “anti-malware” that are ineffective in protecting mobile devices, or worse, that are actually malicious software themselves. In 2014, a fake anti-virus app for Android called Virus Shield was removed from the Google Play Store, but not until after approximately 10,000 people had paid for it.

Mobile malware protection must be part of your application security plan, and that means creating and enforcing policies that apply to BYOD devices, including requirements to encrypt devices and data, keep mobile operating systems and apps updated, and banning jailbreaking or rooting mobile devices that are used on the corporate network. Enterprises should think seriously about setting up their own enterprise app stores for distributing approved apps – including anti-malware software that has been vetted and tested.

Summary

Now that we’ve discussed application vulnerabilities and how to deal with them in Part 1 and here in Part 2 we’ve talked about how to prevent tampering or access to apps and protect applications from malware, in Part 3 we’ll discuss how you can block undesirable applications and restrict what users are able to do with the apps that you do allow them to use. Be sure to join us for the next installment.

If you would like to read the first part in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top