You are here

App attacks: How to stay a step ahead on this new frontier for hackers

public://pictures/Ron_Arden.JPG
Ron Arden, Vice President, Fasoo USA

While recently cleaning up its iOS App Store to remove malicious iPhone and iPad programs, Apple identified the first large-scale app attacks on the mobile software outlet. Apparently the source of the problem was a bogus Xcode development kit that developers downloaded from a Chinese site.

Many app and Mac developers use the Apple Xcode tools to develop iOS and OS X applications. The hackers convinced developers to use its version of the Xcode tools rather than Apple's official software. One theory is that Apple's servers are slow to download from inside China, so developers used this alternative mirror download for convenience and speed. This is fairly common for downloading software, but the developers were unaware that the tools were fake.

Cyber attacks typically target network weaknesses, causing organizations to protect themselves with firewalls, data loss prevention measures, intrusion prevention systems, and similar tools, but more recent attacks have targeted weaknesses in the software that organizations develop and use. It's difficult to stop malware-related attacks after software has been developed.

Hackers are realizing that if they can get a developer to embed malicious code into an application, it's easier to carry out app attacks. If the malicious code is in an app that might be downloaded by millions of users, the potential for damage is considerable.

[ Explore the challenges and opportunities facing SOCs in TechBeacon's new guide. Plus: Get the 2019 State of Security Operations report. ]

Defensive measures

The attack on Apple's iOS App Store by rogue code embedded in apps could've been prevented by using a semantic-based static analysis tool. These cyber attacks target weaknesses in software, and these tools let you virtually eliminate them by quickly detecting all security vulnerabilities in the source code. An accurate analysis is useless if it doesn't deliver a reliable and swift solution. These bugs need to be stopped in real time.

Even with millions of lines of code to analyze, these tools can shorten analysis to one hour. Semantic-based static analysis tools evaluate all execution paths of the program to locate bugs, violations on coding conventions, security holes, runtime errors, and more at the early stages of software development. They can check the quality of code and detect security vulnerabilities in C, C++, Java, HTML, and SQL, among other programming languages. A few examples of security checks include memory leaks, hard-coded passwords, buffer overflow, cross-site scripting, information leakage, TOCTOU (time of check time of use) race condition, and SQL injection.

An integrated, web-based management system allows a developer to upload code to test or connect to an existing IDE for analysis. The robust analysis engine will analyze program execution flow and meaning, identify software vulnerabilities, and remediate code using automated code suggestions. An efficient alarm system provides a detailed explanation of error types, paths, functions, and the locations and causes of alarms. This simplifies the process of software development and enables numerous people to work on one or more projects simultaneously.

[ Effective SecOps requires staying one step ahead. Get up to speed with this Webinar covering UEBA and MITRE ATT&CK ]

App attacks: The next frontier for hackers

As businesses and consumers rely more heavily on apps, which store both personal and corporate information, they become a more attractive, data-rich target for hackers. For this reason, software vulnerabilities in apps are the next frontier for hackers and anyone intent on stealing information. Stopping the malware and other bugs before the apps are compiled and distributed is the best way to stop these attacks, and a semantic-based source code tool is an efficient way to do so.

[ Find out how to take control of credentials privilege in your organization in this Webinar. You'll learn best practices, more. ]