threatpost.com Open in urlscan Pro
35.173.160.135  Public Scan

URL: https://threatpost.com/defend-app-impersonation/176519/
Submission: On December 09 via api from US — Scanned from DE

Text Content

HOW TO DEFEND AGAINST MOBILE APP IMPERSONATION

Author: David Stewart
November 23, 2021 9:00 am
4 minute read
Despite tight security measures by Google/Apple, cybercriminals still find ways
to bypass fake app checks to plant malware on mobile devices. Dave Stewart, CEO
of Approov, discusses technical approaches to defense against this.

Most users who install applications through legitimate channels such as the
Google Play Store or the Apple Store do so with complete trust that their
information is safe from malicious attacks. This makes sense, because they’re
the official app stores across the globe.

However, despite tight security measures by Google and Apple, cybercriminals
still find ways to bypass these checks. They do this through app impersonation.

For instance, since Android lets users side-load and install apps downloaded
from non-store sources, cyberattackers take advantage by creating clone apps
that mimic legitimate ones. They then use the fake apps to collect data or
credentials for malicious use.



One example came when India banned TikTok: a clone called TikTok Pro appeared
immediately, built to steal data from users’ devices. Attackers also took
advantage of COVID-19 fears to collect user data through fake tracking apps.

Cybercriminals are capitalizing on the remote-work trend as more companies allow
employees to access business applications through mobile devices. Additionally,
personal internet networks rarely have the kind of security measures available
within an office environment, such as firewalls, which creates ample room for
attackers to scrape business data.

Below we look at ways to identify app impersonation, tools to defend yourself
from attacks and measures to put in place for better security.


2 TYPES OF APP IMPERSONATION

In addition to the examples given above, app impersonation occurs in many other
ways. Remember, the sole nefarious intent of a cybercriminal is to access user
data, backend APIs and business information. Below are the two primary app
impersonation methods identified in 2021:


1. FRAUDULENT APPLICATIONS

Hackers clone legitimate applications, creating similar-looking apps that
impersonate the originals. Through these clones they collect sensitive
information such as banking details, credit-card information and biometric
information.

As much as Google Play has implemented more robust security measures, they
sometimes prove ineffective because this is purely a cat-and-mouse game; as soon
as the rogue mobile apps get pulled out of the store, they come in again in
another guise. Moreover, side-loading of apps is inadvisable but still happens,
creating another attack vector.

Cybercriminals use the information they steal for malicious purposes like
account takeover, to redirect payments or to syphon off rewards points. Or, the
objective may be as simple as selling personal information on the Dark Web.


2. API MANIPULATION

API manipulation is a mechanism aimed at stealing business or personal data, or
gaming a company’s business for commercial gain. It’s carried out by exploiting
vulnerabilities or bugs in the APIs themselves, or by using valid credentials
which have been stolen from other businesses – or bought on the Dark Web – in
order to access back-end systems. Both attack vectors are based on scripts and
use API keys which have been extracted from the mobile apps. Gartner’s research
estimates that APIs will be the leading attack surface by 2022.


HOW TO DEFEND AGAINST APP IMPERSONATION

These are three main methods that have proven effective defenses against mobile
app impersonation:


1. IMPLEMENT API DEFENSE MECHANISMS

Many people believe that protecting mobile apps protects the APIs that they
consume. Unfortunately, this is false logic. In reality, a genuine mobile app is
a hacking toolbox for bad actors since they can use it to architect and
implement fake versions of the app.

Further, they can study the API requests/responses and quickly build a script
which generates API sequences which are indistinguishable from genuine mobile
app traffic.

It is therefore important to consider API security separately from mobile app
security. An effective API-protection tool must be able to verify that incoming
API requests are coming from genuine mobile app instances which are operating in
uncompromised runtime environments.


2. UTILIZE APP ATTESTATION

Attackers know that if they can get a fake app installed on your mobile device,
they can manipulate your intentions as well as extracting valuable business and
personal data. Preventing fake apps from entering the official app stores is
probably impossible, as is stopping users from side-loading apps from other
sources, but what can be done is to ensure that none of these bad apps can
communicate with your backend systems.

Mobile app attestation is a cryptographically secure method through which an
app can be proved to be a genuine instance of the original app which was
uploaded into the app stores. If this proof can be passed to the backend system
along with each API call, it is possible to shut out all fake apps, regardless
of whether they came from the app stores or through side-loading.


3. CONDUCT REGULAR PENTESTING

Regular penetration testing exposes vulnerabilities by simulating potential
attacks on your application, identifying loopholes before hackers gain access
to them. The best practice is to work with an external pentester, because
they’re less familiar with your systems and can independently identify flaws
more effectively.

There are two pentesting methods:

 * Internal pentesting: Where testing occurs behind an app’s firewall to
   simulate an inside attack such as someone using stolen credentials.
 * External pentesting: An external pentest simulates attacks on public company
   assets such as a website and mobile applications, to identify potential
   loopholes that attackers might use to attack the company or its customers.


BEST PRACTICES AGAINST APP IMPERSONATION

The best defensive tool against app impersonation will protect user information
as well as your APIs, so you can focus on building better features and growing
your platform.

These tools should integrate into your iOS or Android mobile app by installing
an SDK that interacts with a cloud service which can verify the app’s
authenticity. A short-lifetime (~5 minute) token could, for instance, be passed
to your API backend to prove that the API request is from a genuine source and
meets all the runtime requirements.

Every transaction should also be checked against a security policy that you
define, providing an end-to-end security process for your app and your APIs.
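
The short-lifetime token check described above, sketched for the API backend as an added example (not code from the article or from Approov). It assumes an HS256 JWT-style token signed with a secret shared between the attestation service and the backend, carrying `iat` and `exp` claims; the article does not specify the token format, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_LIFETIME_S = 300  # the article's ~5 minute token lifetime
CLOCK_SKEW_S = 30     # assumed tolerance for clock drift between servers


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def mint_token(secret, claims, alg="HS256"):
    """Stand-in for the attestation service; only builds constructed samples."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}." + _b64url_encode(_sign(secret, f"{header}.{body}"))


def verify_attestation_token(token, secret, now=None):
    """Return (accepted, reason) for the token attached to one API request."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return False, "malformed"
    # Pin the algorithm so the token cannot choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = _sign(secret, f"{header_b64}.{body_b64}")
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    # Claims are parsed only after the signature has been verified.
    try:
        claims = json.loads(_b64url_decode(body_b64))
        iat, exp = float(claims["iat"]), float(claims["exp"])
    except (ValueError, TypeError, KeyError):
        return False, "bad claims"
    if exp + CLOCK_SKEW_S < now:
        return False, "expired"
    if iat - CLOCK_SKEW_S > now:
        return False, "not yet valid"
    if exp - iat > MAX_LIFETIME_S:
        return False, "lifetime too long"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample key
    now = 1_700_000_000                  # fixed clock for the demo
    fresh = mint_token(secret, {"iat": now - 60, "exp": now + 240})
    print(verify_attestation_token(fresh, secret, now))
```

The lifetime cap matters as much as the expiry check: a token that is still within `exp` but was issued with a day-long validity is rejected, so a captured token is only replayable for minutes.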

Dave Stewart is CEO at Approov.
