Kenny Hui is a partner in the risk and controls assurance practice at PwC China. Billy Graham is a mobile security specialist with the firm.
China boasts a population of more than 400 million mobile internet users, a number set to grow with ever-rising demand for smartphones. To capitalize on this trend, many Chinese businesses are developing mobile applications in order to better engage their customers. For example, in 2012, several commercial Chinese banks partnered with telecom operators and third-party payment service providers to develop mobile phone payment apps, often called “mobile wallets,” to more easily allow their customers to make purchases using their phones.
But while these apps offer Chinese businesses a great way to engage their customers and employees, this high level of access and interactivity comes at a price. When Chinese customers use mobile apps, they often share personally identifiable information, which could include their identity card number, name, home address, mobile phone number or bank account details. Employees, on the other hand, sometimes use their personal mobile devices to access corporate data and intellectual property inside and outside their traditional corporate workspace.
According to a recent PwC survey, 88% of consumers globally use their mobile device for both personal and work purposes. As a result, mobile apps have become a prime target for hackers looking for valuable information that they can exploit.
While Chinese companies understand the benefits of mobile apps, many are still not adequately prepared for the evolving threat of mobile hacking and should be doing more to protect themselves. While China does have some data privacy regulations that govern the collection and use of personal information, the threats to mobile apps evolve quickly, so complying with regulations may not be fully adequate.
Businesses in China and abroad have started to realize that mobile app security, and information security more broadly, are global concerns, regardless of where customers or employees are based. As Chinese apps gain popularity and attract users from around the globe, the need for information security becomes more important and also more challenging. As such, when determining the level of security needed for a mobile app, businesses in China must consider the sensitivity of the data that they are trying to protect and appropriately invest in mobile app security.
Based on the mobile security-related work PwC does globally, the three key security considerations that Chinese businesses must address when developing an app are identifying the user, protecting data and recognizing vulnerability to reverse engineering of apps.
Protecting your vitals
How does the app verify the identity of the person using it? If identification happens at the app (not the device) level, is it centrally managed? These questions should be top of mind when considering how users will be identified and allowed to access apps.
Traditional approaches such as username and password do not always fit well into a mobile context. Therefore, in some cases where the enterprise requires more than a device passcode, new and innovative techniques can be employed in order to balance the ease of use and protection of sensitive information.
These new approaches should still rely on three foundational concepts to identify a user: namely something you are, something you have or something you know. This may include biometrics, a physical or virtual token, or a password.
Data protection considerations generally fall into two categories – data in storage and data in transit. Sensitive data in storage is normally encrypted. Encrypted data is generally safe, as it can only be accessed with a “key.” However, the risk here is that the encryption key itself is often stored in an easily accessible location, namely on the mobile device alongside the data it protects.
In one recent instance, hackers were able to find and exploit a vulnerability within an app developed by a major Chinese enterprise. The app stored customer passwords in plain text on the mobile device. The hackers were able to exploit this vulnerability and use the passwords to sign into the app and gain access to the protected personal information stored within. As a result, these hackers were able to make transactions using the identity and account details of these customers.
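The plaintext-password pattern described above, beside a hardened version that never writes the password to the device, as an added example that is not code from the article or from PwC. It is standard-library Python; the `store` dictionary stands in for the app's on-device storage file, and the usernames, passwords and field names are constructed for illustration. The check at the end is what a reviewer would run against a dump of the storage: if the user's secret appears verbatim, anyone who reads the device (a backup, a rooted handset, malware) gets a reusable credential.

```python
"""Local credential storage on a mobile device: the plaintext pattern the
article describes next to a hardened pattern that stores only a verifier.
Stdlib only; the store dict is a stand-in for the app's on-device file."""
import hashlib
import hmac
import json
import secrets

# Work factor for PBKDF2; chosen for this example, tune to the device's CPU budget.
PBKDF2_ITERATIONS = 200_000


# --- Vulnerable: the pattern in the breach described above ---
def vulnerable_save(store: dict, username: str, password: str) -> None:
    """Persist the raw password. Whoever reads the storage can sign in as the user."""
    store["username"] = username
    store["password"] = password


def vulnerable_login(store: dict, username: str, password: str) -> bool:
    """Compare the typed password against the stored plaintext copy."""
    return store.get("username") == username and store.get("password") == password


# --- Hardened: store a salted, slow hash; the password itself never touches disk ---
def hardened_save(store: dict, username: str, password: str) -> None:
    """Derive a verifier with PBKDF2-HMAC-SHA256 and a fresh random salt.
    A stolen store yields only the verifier, which cannot be replayed as a password
    and must be brute-forced one guess at a time at PBKDF2 cost."""
    salt = secrets.token_bytes(16)  # per-user salt: identical passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    store["username"] = username
    store["salt"] = salt.hex()
    store["verifier"] = digest.hex()


def hardened_login(store: dict, username: str, password: str) -> bool:
    """Recompute the verifier from the typed password and compare in constant time."""
    if store.get("username") != username or "salt" not in store or "verifier" not in store:
        return False
    salt = bytes.fromhex(store["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(store["verifier"]))


# --- Review check: does a dump of the on-device store contain the secret verbatim? ---
def storage_leaks_secret(store: dict, secret: str) -> bool:
    """True when the serialized store (what an attacker reads from the device) holds the secret."""
    return secret in json.dumps(store)


def demo() -> dict:
    """Run both patterns against constructed credentials and report the outcome."""
    weak, strong = {}, {}
    vulnerable_save(weak, "alice", "hunter2")      # constructed sample credential
    hardened_save(strong, "alice", "hunter2")
    return {
        "plaintext_store_leaks_password": storage_leaks_secret(weak, "hunter2"),
        "hardened_store_leaks_password": storage_leaks_secret(strong, "hunter2"),
        "hardened_login_correct_password": hardened_login(strong, "alice", "hunter2"),
        "hardened_login_wrong_password": hardened_login(strong, "alice", "hunter3"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

On a real handset the verifier should live in the platform's protected storage (the iOS keychain or the Android keystore) rather than a plain file, and the server-side account password should be replaced on the device by a short-lived session token so that even the hardened store never needs the real credential.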
Data in transit refers to protecting data as it moves between the mobile app and company servers. When implemented correctly, encryption is effective for protecting data in transit from being intercepted. Very sensitive or critical data should also be protected in memory.
Avenue of attack
Hackers often attack apps through reverse engineering, which entails taking an app downloaded to a mobile device and decoding it to view its contents. Attackers often use this to derive assembly code, which they can analyze to determine the app’s behavior, and in some cases, change the behavior of the app to do things that were never intended.
One notable instance of this happening in China was in the form of a Trojan, malware that appears on the surface to be innocuous. The Trojan was embedded in several reputable apps that users would install on their mobile devices, after which the Trojan would use their account details to make a series of transactions, including downloading paid apps and activating other paid-for, on-demand services.
A company must keep in mind that, given enough time, an attacker with access to an app can circumvent its security controls and safeguards. Whenever a firm is considering launching an app, it must weigh the sensitivity of the data involved, were it to leak, against the cost of implementing defensive coding.
To improve the security of their mobile apps, businesses in China should focus on a few key areas. First, companies should think through the motivation and arguments for developing the app from a business perspective and then clearly articulate the case for security controls and safeguards. Second, if companies are planning to develop more than one mobile application, they should examine the controls and safeguards needed across each of their apps to identify security patterns. These two steps will make it easier to identify common patterns and build robust and flexible security solutions for an array of use cases. Last, companies can develop a roadmap to address current security gaps, which helps keep security aligned with the business and allows it to evolve as technologies and business initiatives evolve.
Mobile apps have the potential to help usher in new ways of doing business, but security cannot be taken lightly. As companies begin to push the boundaries of what can be done on mobile apps, security organizations will need to keep up. The time to get ahead of the curve on security is now.