The first ATM cyber-heist in Taiwan's financial history led to more than 80 million NTD being stolen in just five days. An IT security crisis is now upon us. This was the first large-scale financial hacker attack in Taiwan, but it won't be the last. iForensics, an established name in the IT forensics industry, sampled the mobile banking apps provided by Taiwan's top 20 banks by capital on Google Play and found that more than 80% of them fell into the "high risk" (Note 1) category for app IT security. Hackers can reach across international borders. How programmers can build walls to guard against constantly evolving international cyber threats is now a matter of great urgency.
Faced with such IT security threats, how can app developers ensure that the app they publish is secure? How can they protect their company's reputation, interests and users' rights? The following points must be considered:
1. Prevention of reverse-engineering
Can the source code be decompiled? Hackers can decipher the code to expose vulnerabilities for attack. Developers generally use obfuscated code but this only increases the difficulty of reverse-engineering and does not actually prevent it. Obfuscated code therefore does not guarantee the security of the source code in situations requiring a high level of security. Excessive obfuscation can also make the code impossible for the developer to debug.
The best way is to hollow out the program code, so that the raw source code cannot be viewed and no code can be added or removed, while the code still remains recognizable to the developer.
2. Risk of function calls in debug log
Developers often use debug log functions during debugging. These output debugging information that helps programmers hunt down bugs. When debug log functions are used, however, the output information should not pose an IT security threat: outputs that involve sensitive data should be disabled in the official or release version.
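As an added example, not code from the article or from iForensics or Digicentre, the following Android logging wrapper shows one way to apply the point above: debug output is gated on the Gradle-generated BuildConfig.DEBUG flag, which is false in release builds, and values that may be sensitive are masked before they are written. The class name, log tag and method names are hypothetical.

```java
// Added example: a logging wrapper that keeps debug output out of release builds
// and never writes a sensitive value in full. Assumes the standard Gradle-generated
// BuildConfig class of an Android app; names are hypothetical.
import android.util.Log;

public final class SafeLog {
    private static final String TAG = "BankApp";             // hypothetical log tag
    // BuildConfig.DEBUG is true for debug builds and false for release builds.
    private static final boolean ENABLED = BuildConfig.DEBUG;

    private SafeLog() {}

    /** Plain debug message; nothing is logged in a release build. */
    public static void d(String message) {
        if (ENABLED) {
            Log.d(TAG, message);
        }
    }

    /** Debug message carrying a sensitive value; the value is masked even in debug builds. */
    public static void dMasked(String label, String secret) {
        if (ENABLED) {
            Log.d(TAG, label + "=" + mask(secret));
        }
    }

    /** Keeps at most the last four characters of a value and replaces the rest with '*'. */
    static String mask(String value) {
        if (value == null) return "null";
        int keep = Math.min(4, value.length());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length() - keep; i++) sb.append('*');
        sb.append(value.substring(value.length() - keep));
        return sb.toString();   // e.g. "1234567890" -> "******7890"
    }
}
```

Because the check is a runtime branch rather than a compile-time constant, the release APK still contains the call sites; enabling R8/ProGuard with a rule such as -assumenosideeffects for android.util.Log lets the build strip the logging calls entirely, which is the usual companion to this wrapper.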
3. Encryption of data storage
Users often enter their personal details or other sensitive data while using apps. Such information is usually stored on the mobile phone. If the stored data is not encrypted, it can be stolen by malware and compromised. Apart from encryption, device binding can also be used to ensure that data stored on the mobile phone can only be used on certain devices and cannot be copied for use on other devices. This keeps the risk of data being compromised to a minimum.
4. Certificate pinning
When the app connects to the server over an HTTPS encrypted connection, it should check the server certificate and use STRICT-HOSTNAME-VERIFIER to verify the host name to ensure that the connected server is the legitimate target server. This prevents the app from connecting to a fake server set up by hackers to steal sensitive data such as the account and password upon connection.
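As an added example, not code from the article or from any of the companies it names, the class below layers public-key pinning on top of the normal HttpsURLConnection checks: the TLS handshake still validates the chain against the system CA store and the platform's strict hostname verifier is kept in place, and after connecting the app additionally requires that at least one certificate in the server chain carries a pinned SubjectPublicKeyInfo hash. The host name and both pin values are placeholders that must be replaced with the real values.

```java
// Added example: SPKI pinning on HttpsURLConnection. HOST and PINS are placeholders.
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Arrays;
import android.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedConnection {
    private static final String HOST = "api.example-bank.test";   // placeholder host
    // Base64 SHA-256 of the server's SubjectPublicKeyInfo. PLACEHOLDER values: replace
    // with the real pin plus a backup pin so a key rotation does not lock users out.
    private static final String[] PINS = {
        "PLACEHOLDER_PRIMARY_PIN_BASE64=",
        "PLACEHOLDER_BACKUP_PIN_BASE64="
    };

    private PinnedConnection() {}

    /** Opens a connection that passes chain validation, hostname verification and the pin check. */
    public static HttpsURLConnection open(String path) throws Exception {
        URL url = new URL("https://" + HOST + path);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Keep the platform's strict verifier; never install an allow-all HostnameVerifier.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.connect();   // TLS handshake: chain is validated against the system CA store here
        Certificate[] chain = conn.getServerCertificates();   // leaf first
        if (!chainMatchesPin(chain)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("no certificate in the chain matches a pinned key");
        }
        return conn;
    }

    /** True if any certificate in the chain (leaf or intermediate) has a pinned public key. */
    static boolean chainMatchesPin(Certificate[] chain) throws Exception {
        for (Certificate cert : chain) {
            if (Arrays.asList(PINS).contains(spkiSha256Base64(cert))) return true;
        }
        return false;
    }

    /** SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded (the usual SPKI pin format). */
    static String spkiSha256Base64(Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.encodeToString(digest, Base64.NO_WRAP);
    }
}
```

Pinning the public key rather than the whole certificate means a routine certificate renewal with the same key pair does not break the app, while a certificate issued for the same host name by any other CA, the case the article describes, is still rejected even though it would pass ordinary chain validation.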
Apart from the four points above, apps should also undergo thorough vulnerability scans before being published. These include: "dynamic code injection", "digital certificate theft", "APK modification/re-packaging", and "remote execution of WebView code." These are necessary to keep the IT security risk of the published app to a minimum. Digicentre provides an app security test service to customers wishing to know if their app is safe. The comprehensive report covers 20 items, and apps submitted in a morning will receive their report in the afternoon. The report also includes the counter-measures for each type of threat in order to provide the most comprehensive protection service. Please write to firstname.lastname@example.org and one of our representatives will get in touch with you.