By Andrew Whaley, VP Engineering at Arxan Technologies
A newer wave of companies is focusing on mobile-only offerings, and there have also been advances in app-based robo-advisors and chatbots in recent years.
As firms rush to stake their claim in an increasingly digital market, many are deploying the popular “hybrid app” approach to cut development time and cost. Developers build the app in HTML, CSS and JavaScript, the languages normally used for websites, and then wrap it in a native shell (typically a WebView component) that lets it run and be distributed as a mobile app. The main benefit is a single codebase that can be ported between platforms with little extra work, giving the company a presence on both Android and Apple devices without starting from scratch for each. Many frameworks exist to make the process easier still, and as a result the technique is widely used in other industries, particularly mobile gaming and digital media services, as well as on devices such as smart TVs.
Increasing risks
However, although the hybrid app approach lets an insurance firm deploy its app more quickly and more widely, it also brings a fresh set of risks. Any mobile app carries an extra degree of risk from the outset: once it is available for download, criminals can immediately obtain a copy and start searching for weak links in its security. All apps are at risk, but anything handling sensitive information such as personal and financial data is a prime target, which includes any insurance app with functionality for managing or making claims.
Hybrid apps can introduce more risk than native mobile apps because their JavaScript and HTML source is shipped in a form that takes far less skill to reverse engineer and tamper with than a compiled native binary. Once an attacker can read an app’s code, they can modify it for a whole host of malicious purposes, for example disabling security controls and bypassing other restrictions so that data which should be protected can be accessed and transmitted. Because the app’s logic runs in a browser engine, its network calls are easy to locate in the script, which makes man-in-the-middle attacks, where data is intercepted in transit, easier to set up. Runtime data such as financial and personal information can be stolen while the app is in use, and the app can even be used as a vector to attack other applications on the device.
If an attacker finds API keys or other secrets embedded in the app’s code, they can go after the insurance company itself, potentially using those keys to reach anything on the network the app was authorised to access. Another popular tactic is to create a malicious copy of the app loaded with malware and republish it for download. Such copies were once found only on unofficial download sites, but there have been cases of them reaching authorised app stores and even the company’s own website.
Protecting hybrid mobile apps
Hybrid apps can be more hazardous, but insurers can still enjoy the reduced cost and development time without putting themselves and their customers at risk if they add security controls that counter the weak points.
One of the most effective approaches is to combine obfuscation with runtime protection and apply both to the JavaScript at the heart of the app. Obfuscation transforms readable code into a form that is very hard for a human to follow while leaving its behaviour unchanged. It can be combined with related measures such as encoding string literals and data values so they do not appear in the bundle in plain text, and renaming easy-to-understand program symbols to meaningless ones. Even if an attacker obtains the code, it then takes far more effort to extract anything useful from it.
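The following is an added example, not Arxan’s tooling or code from the original article, of one of the measures just described: a build-time pass that replaces string literals in a JavaScript source with encoded byte arrays and prepends a small runtime decoder, so that values such as API hosts and header names no longer appear in the shipped bundle in plain text. The sample source, the XOR key and the `_d`/`_k` names are all constructed for the demonstration.

```javascript
// Added example (not Arxan's tooling): hide string literals in a JavaScript
// bundle by XOR-encoding them at build time and decoding them on demand at
// runtime. Handles double-quoted literals without escape sequences.

// Constructed sample input standing in for part of a hybrid app bundle.
const SAMPLE_SOURCE =
  'const apiHost = "https://claims.example.test";\n' +
  'const apiKeyHeader = "X-Api-Key";\n' +
  'function endpoint(path) { return apiHost + "/v1/" + path; }';

// Constructed build-time key (an array of byte values).
const KEY = [0x5a, 0x13, 0xc7, 0x2e];

// Encode one string with a repeating XOR key, returning an array of numbers.
function encodeLiteral(str, key) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    out.push(str.charCodeAt(i) ^ key[i % key.length]);
  }
  return out;
}

// Runtime decoder that is prepended to the transformed source:
// `_k` holds the key and `_d` turns an encoded array back into a string.
function decoderPrelude(key) {
  return `const _k=[${key.join(',')}];` +
    'function _d(a){let s="";for(let i=0;i<a.length;i++)' +
    's+=String.fromCharCode(a[i]^_k[i%_k.length]);return s;}\n';
}

// Replace every "..." literal (no escapes) with a _d([...]) call.
// A production obfuscator works on the parsed AST rather than a regex,
// so that strings inside comments or regex literals are handled correctly.
function hideStrings(source, key) {
  const body = source.replace(/"([^"\\]*)"/g,
    (_, lit) => `_d([${encodeLiteral(lit, key).join(',')}])`);
  return decoderPrelude(key) + body;
}

// Would a simple grep over the bundle still find the secret?
function leaksPlaintext(bundle, secret) {
  return bundle.includes(secret);
}

// Execute the transformed bundle the way the WebView would and return what
// the running code sees. The Function constructor is used only for the demo.
function runTransformed(bundle) {
  return new Function(
    bundle + '\nreturn { apiHost, apiKeyHeader, url: endpoint("claims") };'
  )();
}

// Demonstration: the plaintext disappears from the bundle, yet the runtime
// still reconstructs the original values.
function demo() {
  const bundle = hideStrings(SAMPLE_SOURCE, KEY);
  return {
    leaksBefore: leaksPlaintext(SAMPLE_SOURCE, 'claims.example.test'),
    leaksAfter: leaksPlaintext(bundle, 'claims.example.test'),
    runtime: runTransformed(bundle),
  };
}
```

Note what this does and does not achieve: the strings are no longer visible to a static search of the bundle, but they are recovered in memory the moment the decoder runs, so an attacker who can execute the code and hook `_d` still gets them. String encoding raises the cost of static analysis; it is one layer, to be combined with symbol renaming, control-flow obfuscation and the runtime checks described next.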
Runtime protection, meanwhile, makes the app’s script self-defending. Anti-tamper controls can be woven into the code so that it checksums itself at runtime: each time the app starts, and ideally before each sensitive operation, it hashes its own code and compares the result with a reference value embedded at build time, confirming that it is in its original state and has not been modified or hooked. It can be programmed to respond to a mismatch by refusing to operate or by alerting the developer. Alongside this, the app can use runtime profiling to check what kind of environment it is running in. A popular attacker technique is to lift the JavaScript out of the app package and run it in a sandbox, such as a desktop browser or a scripting runtime, where it can be probed and attacked at leisure, and this is far easier with hybrid apps than with native binaries. With runtime profiling in place, the app detects that it is not running inside a real device’s WebView and can react accordingly. Because these checks live in the JavaScript itself, they remain in place even when the app package is unpacked, although no client-side control is unbypassable: the aim is to raise the attacker’s cost, and obfuscating the checks themselves is what stops them being simply patched out.
By focusing on protecting the JavaScript at the heart of the app, insurers can continue to reap the benefits of hybrid apps without compromising security, claiming a greater share of the digital marketplace by deploying across more platforms without extra cost and development time. At the same time, they avoid exposing themselves and their customers to attackers looking for soft targets and an easy payday.