The Register reported in September that a large Canadian bank suffered a major security leak of “among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances.”
The publication reported that “among the hundreds of files of documentation and code, which appear to have been created by developers working on versions of the Scotiabank’s mobile apps for Central and South America, were credentials and keys to access some of the bank’s backend systems and services dotted around the world. Among the more sensitive blueprints was code and login details for what appeared to be a SQL database system of foreign exchange rates.” Jason Coulls, the IT professional who discovered the leak, referred in the article to the bank’s security as “Muppet-grade.”
How to Prevent Muppet-Grade Security
Security breaches can originate from a myriad of mobile threat vectors.
The Scotiabank breach occurred via GitHub, which by itself was shocking. Still, what this breach shows is even more telling. Critical data like mobile app source code, credentials and keys to access the bank’s backend systems and services are in the clear, not just on GitHub but in the app itself.
If the famous Muppet, Kermit the Frog, were a security expert, he would agree that mobile security is not easy.
Why? Because the attack surface of a mobile app is so vast and diverse that mobile app security usually falls behind the features the app needs.
Security professionals know that the best approach to mobile security is a layered mobile defense that comprehensively covers the multiple areas that are susceptible to attack. While Scotiabank’s breach was discovered “where they stored their code,” the same information is already out in the wild in every public app published without in-app security features.
There are 4 key reasons why your mobile app might have Muppet-grade security:
- Your mobile app operates on public devices (known as zero trust environments). This means that developers control neither the device nor the connections the app uses.
- Your security model doesn’t support your choice of frameworks. Modern dev frameworks and toolchains include Swift, Java, Xcode, React Native, Xamarin and Cordova, each requiring a different approach to securing Android and iOS apps. Some security vendors’ products simply don’t work (or don’t work well) with modern frameworks.
- Your mobile app uses 3rd party components. Third party libraries, SDKs, and APIs can improve the function of your app while, at the same time, opening up new security holes that hackers can exploit.
- Your mobile app isn’t protected by the basic security measures. Every app should have the basic protections for the app, users and user data. These basic protections include encryption, obfuscation and app shielding.
Recommendations for Mobile App Developers
The key lesson I learned, and one that all developers should take away from the Scotiabank example is that “if your data and source code are valuable enough to protect in GitHub, that data and source code is valuable enough to be protected in your app.” This is the Golden Rule that every developer should follow.
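One practical way to apply this Golden Rule is to run the same secret check over the source tree before it is committed and over the built artifact before it ships. The following is an added example written for this post, not Appdome’s or the bank’s code; the detection patterns, the config file and the artifact bytes are constructed for illustration, and you would extend the patterns to match your own key formats.

```python
"""Pre-commit / pre-release secret check for both source files and built artifacts.

Added example, not vendor or project code. Patterns and samples are constructed;
tune SECRET_PATTERNS to the credential formats your backend systems actually issue.
"""
import re

# Constructed detection patterns: (name, compiled regex). Each targets a class of
# secret that should never be committed or baked into an app binary.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("db_connection_password", re.compile(r"""(?i)(?:password|pwd)=([^;\s"']+)""")),
    ("generic_assignment",
     re.compile(r'''(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']''')),
]

def scan_text(text, source="<text>"):
    """Return (source, line_no, pattern_name) for every pattern hit, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((source, line_no, name))
    return findings

def scan_binary(blob, source="<binary>", min_len=8):
    """Scan printable ASCII runs inside a built artifact (like `strings` would).

    A key compiled into an app is still plain text in the bundle; this is the
    check that catches it before release rather than after publication.
    """
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return scan_text("\n".join(r.decode("ascii") for r in runs), source)

# Constructed sample: a config file the way it might be committed to a repo.
SAMPLE_SOURCE = """\
fx_rates_db = "Server=fx.example.internal;Database=rates;User Id=app;Password=Hunter2!;"
api_key = "EXAMPLEKEY0123456789abcdef"
log_level = "info"
"""
# Constructed sample: a few bytes of a fake binary with an AWS-style key baked in.
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 4 + b"AKIAEXAMPLE0000000AB" + b"\x00\xffmore junk\x00"

def release_check():
    """Combine both scans; an empty list means the build is clear to commit/ship."""
    return scan_text(SAMPLE_SOURCE, "config.py") + scan_binary(SAMPLE_BINARY, "libapp.so")

if __name__ == "__main__":
    for src, line_no, name in release_check():
        print(f"{src}:{line_no}: possible {name}")
```

Wire `release_check` into a pre-commit hook and into the CI step that produces the app bundle, and fail the job on any finding.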
The Appdome Mobile Security Suite provides developers with an instant no-code solution to follow this Golden Rule and prevent Muppet-grade security.
- TOTALData Encryption encrypts data at rest, data in use and data in transit.
- TOTALCode Obfuscation obfuscates the binary code, native and non-native libraries, and the app’s flow control and logic.
- Secure Communications protects data at all points that are ‘in-transit’ and ensures the validity of all end points and any intermediate systems in between an app and its backend.
- OS Integrity protects the app from operating in unsafe environments, such as on Jailbroken/Rooted devices.
- ONEShield by Appdome hardens the app to protect your IP from attempts to tamper with or reverse engineer the app.
By protecting your mobile apps with the Appdome Mobile Security Suite, developers and non-developers alike can use a non-cascading, multi-layered defense to protect against the security threats their apps may face.
And it can be implemented in minutes, or fully automated and integrated into your DevOps and CI/CD workflows.