One interesting impact of the covid-19 crisis is the shift to remote working. It was already gathering pace before the coronavirus arrived. But the lockdown has pushed down on the accelerator pedal.
Several months on, and many people still aren’t back at the office.
Beyond the societal impact of this evolution are some pretty important security implications. Away from the office, employees use untrusted devices that might not carry the latest updates. They might also be use less-secure wifi networks.
This shift to remote work led to Microsoft EMEA chief security advisor Cyril Voisin to say recently that he expected more use of zero trust strategies.
The concept of zero trust might be new to some people. But not to those of us working in mobile security. Because the mobile world has been zero trust for some time now.
It’s a world full of malware. A world of rooted and jailbroken devices. A world of out-of-date operating systems and devices that don't receive updates.
And that helps to explain why assuming you’re operating in a zero trust world is the smartest strategy for businesses with sensitive mobile apps.
The zero trust world
Earlier this year, a Which study revealed that more than a billion Android devices around the world are at risk from attacks by hackers. That’s because those devices are no longer supported by security updates and built-in protection.
The study was a reminder of just how fragmented the mobile landscape is. Particularly for Android. Not that vendors worry too much about this fragmentation. They just want to sell their devices. And so phones and tablets are available to buy that might be affected by malware and other threats.
In an ideal world every Android user would be using the most up-to-date version. But that often isn’t the case.
A single user might have several devices. Their latest Samsung smartphone will most likely run the latest version. But not the tablet they bought seven years ago. And so the apps running on that tablet won’t be covered by Google’s latest protection.
Google themselves announced in May 2019 that more than four in 10 active Android users are running version 6.0 or earlier. Or in other words, devices with protection that’s at least five years old.
Reacting to the Which report, Zak Doffman wrote in Forbes that the lack of consistency in update rollouts makes this fragmentation even worse. There’s a different timetable across - and even within - manufacturers. There’s no such thing as a one size fits all solution.
This is a much more complicated issue for Android than for IOS because there are so many manufacturers and vendors. IOS updates tend to happen without a hitch. A new version arrives and most users have it within a day or two.
One solution mooted by Google has been to have a generic, unified Linux kernel rather than a customized one. But this is tricky because the kernel is the communicator between software and hardware. And different manufacturers have different hardware.
This fragmentation on its own is a pretty good argument for you to take care of the security of your app rather than relying on built-in OS protection.
But there are other compelling reasons, too.
After all, it’s not only the OS that can’t be trusted, but servers and hardware.
In the zero-trust world, people use your app with weak, open wifi connections. People use your app on jailbroken devices. People open their phone up to the risk of hackers getting root with it.
And once they’re root, they can control the device and do whatever they want with it.
An open door for hackers to walk through
These days, mobile apps are crucial to business success. But if they’re not protected properly, then they can attract threats that can destroy a company’s reputation.
Not applying robust protection to your app in a zero-trust world is a huge risk. It’s a bit like asking a friend to look after your home for a couple of weeks when you know he has a habit of not locking the doors at night.
And if there’s one thing hackers love, it’s an unlocked door.
They’re constantly looking for gaps in security. Places they can squeeze through before stealing sensitive information, user pins and passwords.
This is a threat that almost all businesses face - especially those with apps where you can buy something or move money around. Government apps where you can apply for new licenses or passports are also vulnerable.
End users can suffer from the zero trust world as much as businesses can. And some can even make the landscape even more dangerous. Take jailbreaking, for example. Some people are starting to see jailbreaking their device as an attractive option. They might even see it as the only option for them to be able to use their phone with the freedom they’d like.
This is a trend that represents a growing threat for IOS.
You see, Apple are very strict about what can be listed on the App Store. This is largely a smart security measure, of course. But it might be having the effect of driving some users to make their device less safe to get around restrictions. Earlier this year, the first iPhone jailbreak for four years was reported.
Epic Games were also making the news this summer with their plans to sue Apple and Google over their ban from the App Store and Play Store respectively. Their game, Fortnite, is a global hit. But they were having to share 30% of their takings with Apple and Google. As such they’ve been exploring options to offer the game elsewhere.
The only thing is that by doing so, they might be encouraging users to put their devices at risk.
How to make apps safe in any environment
The iPhone jailbreak and Epic Games’ battle with Apple and Google point to a future where the mobile landscape becomes even more fragmented.
And that means in-app protection and threat intelligence will only become more essential.
Assuming your app is running in a zero trust world means that you reclaim responsibility for its security. You’re not relying on measures Apple and Google put in place alone. After all, oftentimes you can’t rely on those measures because not all of your users are covered by them.
So, how can you make apps safe in any environment?
The first step is to equip your app with detection capabilities. These sweep the app’s surroundings (either the device or the server) to find out whether that environment can be trusted or not.
They also spot debuggers and emulators, which are commonly used by bad actors attempting to reverse engineer an app. And they can find out whether the device is jailbroken or rooted.
Integrity checks are important, too. They can detect if an app or device configuration has been changed in any way. Integrity checks can check the entire app, or just a selection of at-risk libraries and calls.
Then there’s encryption and obfuscation. By encrypting and hiding valuable data within the app, you’re adding an extra layer of protection that frustrates hackers attempting an attack.
Finally, we recommend that businesses with sensitive, high-value apps also make use of threat intelligence.
With a threat intelligence and risk analysis system, you can scan the landscape for common threats and can better plan a defensive strategy.
By using a combination of these measures, you're not left hoping that you can rely on outside protection.
You've designed for the things you can’t control as well as the things that you can.
Your app is ready for the zero trust world.
