The Golden Age of Black Hats

The Golden Age of Black Hats

A customer visit

I recently visited a customer’s industrial site. It was a huge warehouse with extensive value-added operations that included repackaging, rebranding, and spare parts among other things. The lead developer and I prepared for delivery of a mobile application that would support an existing process inside the warehouse.

Such warehouses usually have strict physical security requirements for admission. It includes getting securing an official authorization for admission, showing your bags, and adhering to a long checklist of DOs and DONTs. Once inside, your movement is further constrained by safety regulations and other rules protecting the valuable on-site assets since small incidents can disrupt plant production leading to incur significant costs for operators.

During my tour I saw all the physical procedures, various types of equipment checks, inventorization, and firmware upgrading stations that our new mobile application should support. We later sat at the desk and began discussing app features, such as the layout of each screen to be used by warehouse crew and the form fields that need to be there in addition to integrations with existing backend systems. I was positively surprised that the customer personally raised the question about information security for his mobile app. He commented that the app would communicate with the company’s servers over the Internet hence transmitted data could be eavesdropped and tampered.

A revelation

After we left the site and underwent several exit procedures with the site security officer, the lead developer turned to me and said that he didn’t understand why information security was important. I was completely stunned. “This is not a banking application,” he said. From his perspective, the data is not important in any way therefore "nobody is interested in them," and no special effort was needed to build the application in a secure way. He also said that he didn’t understand why there were such strict physical security requirements site.

When I finally recovered from my astonishment, I asked him why he thought we needed security only for banking apps and not others. He was unable to respond at first but later told me that the difference was probably about the money. Wow! I realized that I had experienced a precious moment discovering a psychological root which resulted in the state of weak mobile application security we have today. This kind of thinking is what causes a large number of breaches in mobile applications like those we’ve observed in the recent past and can foresee in the coming future.

Welcome to the golden age of the black hats

We’re talking about a lead developer who plays a very important role in the life cycle of an app. Yet, he makes a decision for his customer based on the belief that "It is not about money, thus we should not bother with security." The apps that he will develop will have a higher risk of being hacked and make a huge impact on his customers and end users. In this case, such risk will put the operational site in danger with its data center operating the backend of this mobile application together with the people associated with the operational cycle of the proposed application.

Do you put a lock on your front door?

Think about your house. You put a lock on the front door, not on your wallet. Of course you don't want someone to enter your house and steal your money, but you also want to prevent thieves from stealing your furniture and other possessions. You definitely don't want strangers to use your sofa when you are out. You implicitly expect that the architects and engineers who built your house had provided these fairly basic levels of security.

Unlike personal and physical security, cyber security (regarding networks, computers, applications) is more abstract thus harder for users to observe and take seriously. We take extreme care to protect our homes and feel some pain losing physical items. However we don’t mind doing major transactions on unsecure apps and risk losing much more than the value of the transaction. Mobile applications are not physical objects therefore 'unusual activities' are difficult or even impossible to be observed by the common user.

Why build secured mobile app at all?

Mobile app developers should not predict what kind of attacks will happen to their mobile applications. It is impossible to "outsmart" black hats — not because they are smarter but because they come from the future if I can put it that way. Hackers use attack vectors that are extremely sophisticated and unorthodox, many of which are automated, making it easier for them to devise attacks. One needs to have active control of their mobile application administrator functions as a tool to detect malicious communication. Finally, another way mobile operators and administrators can deal with attacks is in real-time while it is happening.

A mobile application can be exploited in many ways not only to steal data but also to tamper with its underlying functionality to interrupt business processes. Such an exploited mobile application backend can serve as a bridge into the data center to perform attacks on others applications that run from the same central location or network. A mobile app can be configured as a member of an illegal botnet that executes DDoS against others or participate in larger scale attacks. The ultimate responsibility lies in the hands of developers because only they can implement high levels of information security into mobile applications to protect their users against the dangerous world of today's Internet.

Until mobile application developers realize the severity of cyber security attacks and do something about it, we will continue living in the golden age of black hats.

~ Ales Teska

About the Author

Ales Teska

TeskaLabs’ founder and CEO, Ales Teska, is a driven innovator who proactively builds things and comes up with solutions to solve practical IT problems.




You Might Be Interested in Reading These Articles

Better Late Than Never - WhatsApp Is Using End-to-End Encryption – Finally!

Can you imagine leaving your house without locking the main door while you are out? I guess not. Locking the door is a routine that we're doing automatically, so why there is so much noise about the latest update from WhatsApp that seems like the company has just reinvented communication encryption?

Continue reading ...

security

Published on April 07, 2016

OpenSSL DROWN Vulnerability Affects Millions of HTTPS Websites and Software Supporting SSLv2 (CVE-2016-0800)

DROWN is caused by legacy OpenSSL SSLv2 protocol, known to have many deficiencies. Security experts have recommended to turn it off, but apparently many servers still support it because disabling SSLv2 requires non-default reconfiguration of the SSL cryptographic settings which is not easy for common IT people who have limited security knowledge and don’t know the location to disable this protocol and the way to disable it.

Continue reading ...

security bulletin blog

Published on April 12, 2016

80% of Androids Are Vulnerable to Linux TCP Flaw. But I Don’t Care!

Researchers from the University of California, Riverside, and the U.S. Army Research Laboratory have found an off-path TCP vulnerability [1] that affects more than 80% of Android mobile devices. Unlike a Man-in-The-Middle attack, you don't need to be in the middle of the communication to get hacked - all attackers need to know is who you communicate with.

Continue reading ...

android security

Published on October 11, 2016