Mobile apps give organizations such as government agencies a direct channel to their users and let them deliver streamlined services, ranging from e-IDs and healthcare apps to tax services. These e-Government (eGov) apps can hold a great deal of sensitive information that must be kept safe. When a government fails to secure its app properly, the app is left open to manipulation by malware and to reverse engineering by bad actors, potentially leading to account takeover, data leakage and fraud.
The rise in popularity of eGov apps in Asia and their rapidly increasing number of users has prompted Promon AG (a Norwegian app security company), a technology partner of i-Sprint, to analyze 12 of the top Android and iOS mobile eGov apps in the Asia-Pacific (APAC) region to assess any major vulnerabilities and weak spots.
Promon's assessment found that most of the eGov apps had few security mechanisms in place, and some were not protected at all. The key findings were as follows:
About 60% of the tested apps leak sensitive data. eGov apps typically handle sensitive data, including personally identifiable information (PII). This data is often cached on the device before being uploaded to official channels, and the assessment found that it can be scraped from the device. In some cases it was stored in well-formatted, but more importantly unencrypted, SQL databases showing when and where a user had been. Even where PII was stored in encrypted form, the storage scheme could be reverse engineered because the app itself was unprotected: the encryption keys could be extracted at runtime with hooking techniques and, in some cases, were hard-coded in the app's code base. Encryption at rest only helps when the key cannot be recovered from the app.
The reputational damage resulting from a data breach can be devastating. News travels fast, and organizations can become a global news story within a matter of hours of a breach being disclosed. Ultimately this propagates a loss in user trust and can cause irreparable damage to the parties involved.
With GDPR-style data protection laws spreading worldwide, the implementation of data privacy requirements is under close regulatory scrutiny, and data breaches can attract large organizational fines.
More than 80% of the apps could be repackaged, injected with malware and redistributed. 10 of the 12 apps analyzed had no protection against repackaging. Such an app is easy to modify: a bad actor can download a copy of the eGov app from the official distribution platform (Google Play or the App Store), unpack it, alter its code or add malware, and re-sign it, and the app has no way of noticing that its own code or signing certificate has changed. Because the attacker does not hold the developer's signing key, the repackaged app is necessarily signed with a different certificate, which is exactly what a repackaging check can detect. The fake, modified version can then be redistributed on official distribution platforms or other websites, and users install it believing they are getting the original eGov app. One direct consequence is that attackers can harvest users' log-in credentials, access their accounts and personal information, and steal sensitive data.
60% of the tested apps had no malware protection in place. Malware often exploits vulnerabilities and misuses operating system features to gain access to users' data and credentials. The analysis found that none of the eGov apps tested had a sufficient level of malware protection, and 60% of them had none at all, which puts their users' data at risk. Android's Accessibility Services give an app access to device settings and to the screen contents and input of other apps, which is crucial for users with disabilities. The same capability is a common gateway for malware: an accessibility service that a tricked user has enabled can read the screen and observe user input, extracting sensitive data such as PII, passwords and other credentials from any app, including an eGov app. At a minimum an app can check which accessibility services are enabled and mark its sensitive views as not important for accessibility before it displays PII.
50% of the apps did not even use basic protection techniques such as code obfuscation. Code obfuscation is considered a baseline protection: it makes an app's decompiled code hard to read and understand, slows down reverse engineering, and makes tasks such as developing targeted malware more time-consuming for an attacker. It does not make reverse engineering impossible, but without it the app's logic, and any secrets it contains, are exposed to anyone who decompiles it.
More than 65% of the tested apps did not detect an attacker analyzing the app at runtime with basic and widely used analysis tools. Attacks on mobile apps often start in an emulator for the mobile operating system, where the targeted app is run and analyzed; there an attacker can reverse engineer the app code, attach a debugger, hook its functions and tamper with it. Only 4 of the 12 tested apps had mechanisms in place to detect such conditions (an emulator, an attached debugger or a hooking framework).
75% of the apps could not tell whether they were running in a hostile environment in which the platform's basic security architecture has been broken (e.g. a rooted phone). On a rooted device the sandbox and file permission guarantees the app relies on no longer hold and any in-process check can be hooked, so the app is far more exposed to compromise. Detecting whether the device is a safe environment is a prerequisite for every further security measure, and an app should know this before it handles sensitive data.
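The repackaging, accessibility, runtime-analysis and rooted-device findings above all come down to the app asking what kind of environment it is running in before it trusts that environment with PII. As an added example (not Promon's, i-Sprint's, or any assessed app's code), the following Android class implements the basic form of each check: a pinned signing-certificate hash to catch repackaging, the list of enabled accessibility services, debugger and hooking-framework detection via the JDWP flag and /proc, emulator heuristics from build properties, and root indicators. The pinned hash constant is a hypothetical placeholder, and the signature API used assumes API level 28 or later.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import android.provider.Settings;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

public final class EnvironmentChecks {
    // SHA-256 of the release signing certificate, fixed at build time (hypothetical placeholder).
    private static final String PINNED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** Repackaging: the attacker lacks the developer's key, so a re-signed APK carries another certificate. */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNING_CERTIFICATES);      // API 28+
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : pi.signingInfo.getApkContentsSigners()) {
                if (hex(md.digest(s.toByteArray())).equalsIgnoreCase(PINNED_CERT_SHA256)) return true;
            }
        } catch (Exception ignored) {
            // fall through: a lookup failure is treated as "not verified", never as "verified"
        }
        return false;
    }

    /** Accessibility abuse: component names of the services currently allowed to read the screen. */
    public static List<String> enabledAccessibilityServices(Context ctx) {
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);   // colon-separated list
        List<String> out = new ArrayList<>();
        if (raw != null) for (String s : raw.split(":")) if (!s.isEmpty()) out.add(s);
        return out;
    }

    /** Debugger: the JDWP flag plus the TracerPid a ptrace-based debugger leaves in /proc. */
    public static boolean debuggerAttached() {
        if (Debug.isDebuggerConnected() || Debug.waitingForDebugger()) return true;
        String line = firstLineStartingWith("/proc/self/status", "TracerPid:");
        return line != null && !line.substring("TracerPid:".length()).trim().equals("0");
    }

    /** Hooking: instrumentation frameworks map their agent library into the target process. */
    public static boolean hookingAgentLoaded() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            for (String l; (l = r.readLine()) != null; ) {
                String m = l.toLowerCase();
                if (m.contains("frida") || m.contains("xposed") || m.contains("substrate")) return true;
            }
        } catch (Exception ignored) { }
        return false;
    }

    /** Emulator: stock SDK images expose generic build properties. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic") || Build.PRODUCT.contains("sdk")
                || Build.HARDWARE.equals("goldfish") || Build.HARDWARE.equals("ranchu")
                || Build.MODEL.contains("Android SDK built for");
    }

    /** Root: a test-keys build, a su binary on the usual paths, or /system mounted read-write. */
    public static boolean looksRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String p : new String[] {"/system/bin/su", "/system/xbin/su", "/sbin/su",
                "/su/bin/su", "/data/local/bin/su", "/system/app/Superuser.apk"}) {
            if (new File(p).exists()) return true;
        }
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/mounts"))) {
            for (String l; (l = r.readLine()) != null; ) {
                String[] f = l.split(" ");   // device mountpoint fstype options ...
                if (f.length > 3 && f[1].equals("/system") && f[3].startsWith("rw")) return true;
            }
        } catch (Exception ignored) { }
        return false;
    }

    private static String firstLineStartingWith(String path, String prefix) {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            for (String l; (l = r.readLine()) != null; ) if (l.startsWith(prefix)) return l;
        } catch (Exception ignored) { }
        return null;
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

The hash to pin is the certificate SHA-256 digest that `apksigner verify --print-certs` reports for the release key. Each of these checks is cheap, but each is also bypassable on its own: a repackaged APK can simply patch `signatureMatches` to return true, and root-hiding tools conceal `su` from file lookups. That is why commercial app shielding places such checks in obfuscated native code, repeats them throughout the session, and reports the outcome to the backend instead of trusting a single in-app boolean.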
Conclusions
Arguably, every app that holds its users' sensitive information is responsible for keeping it safe. The analysis of the selected eGov apps in the APAC region shows that most have not implemented the security mechanisms recommended in, for example, the standards of the Open Web Application Security Project (OWASP), such as its Mobile Application Security Verification Standard (MASVS). Consequently, the likelihood of data leaking or being manipulated is much higher than for an app that adheres to such standards.
Lacking resilience against commonly used attack tools and methods means that very little technical skill or effort is required of a bad actor for data to leak. Naturally, this increases the likelihood of such attacks, and because much of the data handled is sensitive, a successful attack can have a significant impact on the people affected. To lower the risk of these weaknesses being identified and exploited, governments must adopt a comprehensive approach to app security: App Shielding, strong encryption and data protection, adequate secure-programming training for developers, and security built into the software development life cycle when the app code is written.
Recommendations
Have a vulnerability assessment and penetration test performed on your mobile app. i-Sprint is offering a complimentary check until the end of October 2021; interested companies can register here.
App Shielding Solution
• YESsafe AppProtect+ Information
• YESsafe AppProtect+ Video
For enquiry, please email enquiry@i-sprint.com.
Be Proactive | Be Safe | Secure Your App with AppProtect+