Mobile App Security and Best Practices: Leveraging the OWASP 3-Layer Model
The mobile attack surface is expanding. As of January 2018 there were 3.7 billion unique mobile users worldwide choosing from more than 10 million verified applications across popular online stores. So it’s no surprise that security firms now detect millions of malicious install packages each quarter as hackers look for ways to compromise both existing mobile devices and their newest iteration, IoT.
In an effort to address the changing nature of mobile security the Open Web Application Security Project (OWASP) — well-known for its “top 10” vulnerability lists — has released version 1.0 of its Mobile AppSec Verification Standard (MASVS), which includes a three-layer model for application defense designed to “offer a baseline for mobile application security (MASVS-L1), while also allowing for the inclusion of defense-in-depth measures (MASVS-L2) and protections against client-side threats (MASVS-R). Here’s how your organization can leverage these layers to improve overall mobile app security.
State of (In)Security
Smartphones and their companion applications were originally regarded as idle pastimes, not critical business resources. The rapid evolution of mobile devices combined with increasing diversification and sophistication of apps, however, made them tempting targets for malicious actors — especially as traditional network security measures began to push back against common malware threats.
The result? Hackers are now using mobile devices to fast-track corporate compromise. As noted by Engadget, mobile malware strain ZooPark can “spy on nearly every Android smartphone function and steal passwords, photos, video, screenshots and data from WhatsApp, Telegram and other apps”, effectively tracking every action taken by phones and users alike and then exploiting them for criminal gain. Or consider the once-vaunted security of iOS, now revealed to be just as vulnerable as any other operating system. According to DZone, iOS apps often encounter security issues related to insecure storage on the device, insecure network communications and weak authentication, any of which could lead to compromised, exfiltrated or destroyed data.
Bottom line? The current state of mobile security is distinctly lacking, with many app developers and companies focused on their perception of mobile as less valuable to cybercriminals instead of acknowledging the reality of mobile app risk. Part of the problem stems from the sheer number of mobile apps and devices in use: How do companies effectively secure this type of attack surface, especially as new applications and devices are continually added to the network?
MASVS-L1: Standard Security
OWASP’s first level of mobile application security verification targets app security best practices. This means fulfilling “basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment”, along with a testing process to verify any security controls.
Think of MASVS-L1 as the demarcating line between “adequate” and “sufficient” mobile security. As noted by ISACA, many companies adopt an adequacy-based approach to mobile security: So long as major issues aren’t being reporting and apps continue to function, security controls are doing their job. But as ISACA points out, this is effectively a “C minus” security grade: Passing, but “hardly indicative of mastery of a subject”.
MASVS-L1 looks to help companies achieve sufficient mobile security by focusing on initial code quality, defining best practices for data handling and ensuring all results can be replicated. As noted by the OWASP guide, this level of security is appropriate for all applications.
MASVS-L2: Defense-in-Depth
The next level of mobile security verification is designed to help secure applications which handle sensitive data such as financial or healthcare records. Two key components are critical to achieve L2:
Threat profiles are essential because the goal of this verification level is to detect, identify and mitigate specific mobile threats, such as account takeover (ATO) or man-in-the-middle (MiTM) attacks. Achieving this goal means first defining the current threat landscape and then working backward to determine appropriate app response.
In addition, security must part of the application itself rather than bolted-on after the fact. As noted by CIO, this type of security-by-design is now critical to secure emerging IoT environments, and is essential for mobile applications to meet the next generation of data-handling standards such as PCI-DSS 3.2, HIPAA and SOX. In practice, this means applying techniques such as application obfuscation and hardening to natively protect against both passive and active attacks.
MASVS-R: Resiliency
OWASP’s final layer focuses on resiliency: The ability to defend against “specific, clearly defined client-side attacks, such as tampering or reverse engineering.” This is critical for applications which handle intellectual property, transfer funds or must safeguard IP addresses — if source code can be easily tampered with or reverse-engineered, supposedly secure apps could provide the key to hacker success.
By leveraging a combination of hardware security features which prevent tampering and software-based tools such as runtime mobile app protection, companies can develop mobile apps capable of both resisting attacks and responding automatically to potential threats.
As noted by the OWASP guideline, layers can be used in isolation or combination: L1+R might be used protect mobile gaming apps from cheating or unapproved modification, while L2+R could help tamper-proof financial apps and force malware makers to find other targets.
Layer by Layer
Attackers are getting bolder and more sophisticated as mobile applications become integral to business function. While no defensive protocols offer complete protection, OWASP’s MASVS guidelines provide foundation necessary to create layered, long-term application security.