Credential Stuffing is top of mind with security engineers these days. Here at Appdome, we talk to several customers per week who are looking for protection against Credential Stuffing. According to OWASP, Credential Stuffing is one of seventy-three different application security attacks currently posing a risk for application security professionals.
OWASP describes Credential Stuffing as “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.”
Most organizations believe that protecting their corporate and customer data from Credential Stuffing attacks ends at protecting the app servers. Unfortunately, compromised mobile apps can help attackers with their Credential Stuffing attacks. Even worse, a compromised app can in some cases help the hacker bypass all the app server protections. In fact, a badly compromised app can “roll out the red carpet” for hackers.
The Threat Posed to Mobile Apps by Credential Stuffing
To understand the threat posed to mobile apps, let’s ﬁrst understand how attacks like Credential Stuﬃng work.
- Credential Stuffing happens only if the hacker knows how to mimic the app. That is, credential stuffing happens only if the hacker understands the app and how it requests access. The hacker has to “pretend” to be the real app. To do this, the hacker has two options: (a) trial and error (i.e., guess how the app works), or (b) hack the app and build a replica in a server farm somewhere. Once the hacker gets it right, he or she (or “it”) impersonates the app over and over until it gains access to the data sitting in the data center.
- Using stolen credentials aids the attacker because it reduces the number of attempts needed to access the back end. As a hacker, I can get credentials from all sorts of places – from the Dark Web (buy them), from Phishing or Pharming (get them), or hacking the code of the app (stealing them). Just like you and I guess at a contact’s email address at a company, hackers do the same thing with credentials. Once the hacker compromises an app and understands the logic of the app, the guessing game suddenly becomes a lot easier.
- User Names and Passwords are stored either as (1) data generated by the app or (2) in in-app preferences and secrets. They are (in most cases) not encrypted. This makes it even easier for a hacker to launch their attack.
- Similarly, Server names and passwords are stored (typically) unencrypted, either as (1) data generated by the app or (2) in in-app preferences and secrets. This gives the hacker an open invitation to launch their attack.
The bottom line, you have to protect the app and the app server if you really want to root out hackers infiltrating your mobile app infrastructure.
A Layered Defense is the Best Defense
Security professionals know that the best security requires a layered defense. Appdome’s MobileTRUST™ provides a comprehensive layered defense to the challenge of Credential Stuﬃng and for that matter, to any other mobile attacks.
There are 5 layers to Appdome’s MobileTRUST:
- Shield the app against hacking with ONEShield™;
- Encrypt all data-at-rest stored inside the app with TOTALData Encryption;
- Obfuscate the app’s logic, structure, and code with TOTALCode Obfuscation;
- Secure all communications channels for data-in-transit protection, and validate entities between the app and server with Trusted Session Inspection with Trusted CA Pinning;
- Prevent apps from running on a non-secure device with Jailbreak/Rooted Prevention.
These layers are non-cascading, meaning that a breach in one layer doesn’t impact the other layers. Appdome’s no-code mobile app enhancement platform allows anyone to add MobileTRUST to any Android or iOS app in seconds. With Appdome, organizations avoid the manual and laborious work of coding different security vendor SDKs into their apps.
To achieve feature parity with MobileTRUST, using manual approaches may require you to implement up to 10 different security solutions.
Recommendations to Protect Mobile Apps Against Credential Stuffing and Other Vectors of Attack
Using Appdome to protect your mobile apps against Credential Stuffing and all other vectors of attack is simple: Upload an app binary (.apk or.ipa). Select the security options you want to add and click “Build My App.” Appdome uses a proprietary AI-Mobile Integration coding engine to complete the integration in under a minute. Appdome is 100% compatible with all Android and iOS native, cross-platform, hybrid, and non-native apps, developed in any framework.
Appdome MobileTRUST offers an instant implementation of the world’s most comprehensive layered defense against all mobile attacks, with a guaranteed outcome and zero codings. Download your free copy of the Developer’s Guide for Mobile App Security to learn more.
Start protecting your mobile apps against Credential Stuffing today. Create your Appdome account now.