Thursday, 19 November 2015

MOBILE APP AND SECURITY THREATS



Mobile applications are, no doubt, among the fastest growing categories of application software in the 21st century, owing to the sophistication of the internet-enabled mobile phones and tablets in use today. To this end, institutions, enterprises and organizations are developing mobile apps in order to reach their target audience or sell their goods and services faster and more easily. Some mobile apps are developed without going through the appropriate procedures, i.e. applying security measures during development of the mobile app; hence they are easily hijacked by criminals or vulnerable to all sorts of viruses. There are no policies or standards policing mobile application development, so security flaws are often overlooked when developers don't take the time to review their product. The rush-to-release approach is the leading source of mobile application threats and vulnerabilities. When an app's development is rushed, it is typically due to customer demand and developer impatience. Implementing security checks and controls for mobile apps can add an average of six weeks to the application development process, and it can take even longer depending on what is found.
Although most users assume that the mobile apps they download are safe, more than 50% of developers surveyed in a new report admitted to using "shortcuts or temporary solutions" to produce their apps faster. The survey of nearly 300 mobile app developers and more than 400 consumers showed a lack of focus on security during the development process. That lack of focus, along with development shortcuts and common coding errors, is creating so many mobile application threats that experts believe enterprises and users should simply behave as if their devices have already been hacked.
According to the survey, 79% of developers agreed that mobile apps have become a target for cybercrime because of security flaws, and 74% of developers believed that most enterprise mobile apps are "moderately vulnerable" to mobile application threats. Perhaps even more troubling: 96% of developers admitted to using third-party software frameworks that were potentially insecure.
Because their products are rushed to market, experts said, these apps are not secure or ready for public consumption. In addition to lacking basic security controls and privacy policies, many mobile apps contain glaring mistakes that make them vulnerable to attack. For example, Kostka, a cyber security expert and CEO of Bluebox Security, said two of the more common errors developers make are exposing API keys in their apps and leaving their developer menus behind in the code.
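The two mistakes named above (API keys embedded in the app and developer menus left in the shipped code) are the kind of thing a release check can catch before the app reaches a store. The following is an added example, not code from the original post or from Bluebox: a small pattern-based scanner run over a constructed set of source files. The file paths, the key values (obvious fakes such as "AIzaFAKEKEYFORDEMO...") and the rule set are all assumptions made for this example; a real scanner would use far larger rule sets and entropy checks.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of mobile-app source files, standing in for a real
# project tree. Everything here is invented for the example; the key values
# are obviously fake placeholders, not real credentials.
SAMPLE_SOURCES: Dict[str, str] = {
    "app/src/main/java/com/example/Config.java": """
public final class Config {
    // hard-coded API credential shipped inside the binary
    static final String MAPS_API_KEY = "AIzaFAKEKEYFORDEMO000000000000000000000";
    static final String BASE_URL = "https://api.example.com/v2";
}
""",
    "app/src/main/java/com/example/DebugMenu.java": """
public final class DebugMenu {
    // developer menu left enabled in a release build
    public static final boolean SHOW_DEV_MENU = true;
    public static void open() { /* dumps tokens and toggles server endpoints */ }
}
""",
    "app/src/main/res/values/strings.xml": """
<resources>
    <string name="app_name">Example</string>
    <string name="aws_secret">AKIAFAKEDEMOKEY00000</string>
</resources>
""",
    "app/src/main/java/com/example/Clean.java": """
public final class Clean {
    // key is fetched from a secure backend at run time, not embedded
    static String apiKey() { return KeyStore.fetch("maps"); }
}
""",
}

# Each rule is (name, compiled regex). The patterns are deliberately simple
# and illustrative (assumption for this example); real scanners use larger
# rule sets plus entropy checks on string literals.
RULES: List[Tuple[str, re.Pattern]] = [
    ("google-api-key", re.compile(r"AIza[0-9A-Za-z_\-]{35}")),
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("generic-secret-assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
    ("debug-menu-flag",
     re.compile(r"(?i)(dev|debug)[_-]?menu\w*\s*=\s*true")),
]


def scan_source(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (rule name, line number, stripped line) for every rule hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, line.strip()))
    return findings


def scan_tree(sources: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan every file; files with no findings are left out of the report."""
    report = {}
    for path, text in sources.items():
        hits = scan_source(path, text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_SOURCES).items():
        for rule, lineno, line in hits:
            print(f"{path}:{lineno}: [{rule}] {line}")
```

Run as a pre-release gate, a non-empty report fails the build; the clean file that fetches its key at run time produces no findings, which is the pattern the flagged files should be moved to.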
Kostka said BYOD security is an issue for all devices and operating systems, and enterprises shouldn't put faith in the OS to protect their data. "We're seeing so many more attacks on iOS devices because it's the most popular platform for enterprises," she said. "You can't just trust the OS. Apple has done a lot of good things with security, but it's not 100% secure. And people think an iOS device has to be jailbroken to be at risk, but that's not true."
All of this adds up to major problems for companies, especially those who have BYOD policies, Kostka said. Using employee-owned mobile devices in the workplace is generally encouraged; however, this means companies have to educate employees about mobile application threats and proper security hygiene. If employees are careless or have insecure mobile apps on their devices, their employer can potentially suffer a breach or theft of sensitive data. Since companies don't have complete control of employees using their own devices for work, company data is at risk.
Bluebox Security is addressing these issues with a new software product called Bluebox for Consumer Apps, which will be available in December and is designed to improve BYOD defenses. The mobile security startup already offers protection for enterprise iOS and Android apps, but Bluebox for Consumer Apps focuses on the non-enterprise applications that often reside on BYOD devices in the enterprise and transforms them into "self-defending apps." Any application available in the Apple App Store or Google Play Store can be uploaded to Bluebox for Consumer Apps, which then applies an application wrapper to the mobile app. The wrapper provides encryption for data at rest, enterprise security policies, anti-tampering measures, mobile threat intelligence and other capabilities. Bluebox said the application wrapping process is simple and requires just a single click, so it won't add time to the application development cycle. "Time to market is crucial for mobile app developers," Kostka said. "Your app could become irrelevant during that six weeks."
Kostka said most enterprises know that mobile app development falls short on security, but they're not taking enough action to properly protect those apps. "Companies have underinvested in mobile security in a rush to become mobile first, and now the bill is due," she said. "With mobile threats being discovered almost daily, and enterprises losing control over consumer devices, it's only a matter of time before a mobile hack is the root of the next major breach."

Tuesday, 3 November 2015

DMARC POLICY TO HAMPER FRAUDULENT EMAILS



Cyber fraudsters are devising various ways of launching attacks on unsuspecting victims. This time they are forging email headers and even mimicking one's contacts, so that a mail looks as if it is coming from someone you know. They have already phished (sending mail disguised as official mail from) Yahoo Mail, Google Mail and other free email providers. This has been a source of worry to these free email service providers, as many users lose access to their accounts and suffer other damage.

To curb the excesses of these fraudsters, Google recently announced that it is transitioning to the strictest setting of the anti-phishing and anti-spam tool DMARC (Domain-based Message Authentication, Reporting, and Conformance), stating that the transition to a DMARC policy of "reject" would occur in June 2016. DMARC's anti-phishing and anti-spam functions work by authenticating messages against their claimed source, so that email with forged headers is rejected. DMARC policy settings start at "none", used as an initial gateway into the protocol, meaning that no action is taken regarding delivery of the messages flagged, though they may be reported. Under the intermediate "quarantine" policy, the mail receiver reports messages that fail to authenticate as suspicious and places them in a spam folder or flags them for further examination. Google is transitioning to the strictest setting, "p=reject", which means the recipient rejects any message that fails to authenticate.

DMARC depends on two older tools for authenticating a message as having originated from the domain in its From: header: DomainKeys Identified Mail (DKIM), which makes it possible to cryptographically verify that a message originated from the From: address in the message header; and the Sender Policy Framework (SPF), which gives recipients (large mailbox providers in particular) a way to determine whether or not the host that delivered the mail is authorized to send on that domain's behalf.

Yahoo and AOL moved to the strictest DMARC policy setting in April 2014, and Yahoo recently announced that it would transition its Rocketmail and Ymail services to that policy starting in November 2015. When AOL followed Yahoo's move to the stricter policy last year, there were some glitches in the transition. Some legitimate senders, such as email distribution list services and websites that forward messages on behalf of their users, had messages flagged and rejected, but the relatively simple fixes mostly involved making sure that messages were not sent with forged headers indicating an inaccurate message source.
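To make the three policy levels, the role of SPF and DKIM, and the forwarding glitches concrete, here is an added example (not code from the original post, Google, Yahoo or AOL) that parses a DMARC TXT record and decides how a receiver treats a message given its SPF and DKIM results. The records, the example.com / example.net / example.org domains and the four message scenarios are constructed for this example, and the organisational-domain lookup is a two-label simplification; real receivers consult the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse the tag=value pairs of a DMARC TXT record such as 'v=DMARC1; p=reject'.
    Raises ValueError if it is not a DMARC1 record or has no valid p= policy."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")   # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels for this example
    (assumption: real implementations use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match with the
    From: domain, relaxed ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the From: header address
    spf_pass_domain: Optional[str]   # envelope-sender domain if SPF passed, else None
    dkim_pass_domain: Optional[str]  # d= of a verified DKIM signature, else None


def dmarc_disposition(record: Dict[str, str], r: AuthResults) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    A message passes if SPF or DKIM passed with an aligned domain; otherwise
    the domain owner's p= policy decides what the receiver does."""
    spf_ok = aligned(r.from_domain, r.spf_pass_domain, record["aspf"])
    dkim_ok = aligned(r.from_domain, r.dkim_pass_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]


# Constructed records: the strict policy the article describes and the
# monitoring-only starting point.
REJECT_RECORD = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")
NONE_RECORD = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com")

# Constructed messages, all claiming From: someone@example.com
LEGIT = AuthResults("example.com", "example.com", "example.com")
# Forwarded by a mailing list: SPF fails (the list's server sent it) but the
# DKIM signature survives, so DMARC still passes.
FORWARDED = AuthResults("example.com", None, "example.com")
# A list that rewrites the body breaks DKIM and sends from its own domain:
# this is the legitimate-sender glitch the article describes.
BROKEN_LIST = AuthResults("example.com", "lists.example.net", None)
# Outright spoof: neither SPF nor DKIM vouches for example.com.
SPOOFED = AuthResults("example.com", "attacker.example.org", None)

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("forwarded", FORWARDED),
                      ("broken-list", BROKEN_LIST), ("spoofed", SPOOFED)]:
        print(f"{name:12s} p=reject -> {dmarc_disposition(REJECT_RECORD, msg):10s} "
              f"p=none -> {dmarc_disposition(NONE_RECORD, msg)}")
```

The broken-list case shows why the fixes mentioned above matter: under p=none the message is still delivered and only reported, while under p=reject the same message is dropped, so a sending domain should watch its aggregate reports at p=none before moving to quarantine and then reject.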

The policy Google is about to adopt will make it very difficult for spammers and hackers to mimic an organization's or individual's headers in their nefarious acts. It also gives the recipient the opportunity to report suspicious mail for further action by Google. It was reported that some hackers who used email spoofing to forge emails and launch attacks under the pretence that the mail was coming from a Yahoo account were almost apprehended.

Friday, 21 August 2015

PREVENTIVE MEASURES AGAINST CYBER ATTACKS AND THREATS



 
It is no longer news that the world is going digital with the advancement of technology. Cyber threats and attacks are now on the increase. These criminals have become more aggressive, more sophisticated, more determined and more ruthless than ever in their attempts to exploit the internet community for ill-gotten gains, which in the long run will backfire, because he who kills by the gun will surely die by the gun.

There is, however, plenty that individuals and organizations can do to monitor and limit attackers’ impact. When it comes to businesses and their websites, adequate security measures and implementations are all that counts in avoiding total financial and reputational ruin.

Protect Yourself
Use the latest Internet security program for maximum protection against malicious code and threats. The program should have capabilities that include:

- Antivirus and behavioural malware prevention that stops unknown malicious threats from executing and causing harm on your computer;
- Bi-directional firewalls that block malware from exploiting potentially vulnerable applications and services running on your computer;
- Browser protection against obfuscated web-based attacks;
- Reputation-based tools that check the reputation and trust of a file or website before downloading, and that check URL (web address) reputations and provide safety ratings for websites found through search engines.

Update the System Regularly
Keep your system, programs, and virus definitions up to date, and always accept the updates offered by the vendor (owner of the program): download and install them (you can set the program to "automatically download and install updates"). Running out-of-date versions of any program or software puts you at risk of being exploited by cyber criminals.

Only download updates directly from vendor sites, to avoid downloading malicious software. Select automatic updates wherever possible on your computer. Be suspicious of warnings that pop up in your browser or on your system asking you to install media players, document viewers, security updates, etc.

Be Wary of Scareware Tactics
Versions of software that claim to be free, cracked or pirated can expose you to malware, or to social engineering attacks that attempt to trick you into thinking your computer is infected and get you to pay money to have the infection removed, or that offer to fix your computer if you download their software or hand over sensitive information about you or your computer. Be wary of these tactics.

Use an Effective Password Policy
A password is the front door against attackers; if the door is not well mounted and strong, it can be broken into. Ensure that your passwords are a mix of letters (uppercase and lowercase), numbers and symbols, and change them often, especially when you suspect unusual activity on your account. Passwords should not consist of words from the dictionary, should not be something you share with friends, and should not be words that can easily be guessed. Do not use the same password for multiple applications or websites.
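The rules above (character mix, no dictionary words, no reuse) can be enforced automatically at the point where a user chooses a password. The following is an added example, not code from the original post: a policy checker with a constructed seven-word dictionary standing in for a real wordlist and breached-password list, a leet-speak normalisation so that "P@ssw0rd" is still caught as "password", and a set of SHA-256 fingerprints standing in for a password manager's record of passwords already used elsewhere. The minimum length of 12 and the sample passwords are assumptions made for this example.

```python
import hashlib
import re
from typing import List, Set

# Constructed mini wordlist (assumption for this example); a real check uses a
# large dictionary plus lists of passwords seen in breaches.
DICTIONARY: Set[str] = {"password", "welcome", "letmein", "dragon",
                        "monkey", "football", "qwerty"}

# Substitutions attackers try first, so "P@ssw0rd" still normalises to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i", "4": "a"})


def normalise(password: str) -> str:
    """Lower-case, undo common leet substitutions and strip digits/symbols so a
    dictionary word dressed up as 'Dragon123!' is still recognised."""
    word = password.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", word)


def digest(password: str) -> str:
    """Fingerprint used to remember passwords already in use on other sites.
    A password manager does this job properly; the SHA-256 set is an illustration."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, used_digests: Set[str], min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if any(not re.search(c, password) for c in classes):
        problems.append("must mix lowercase, uppercase, digits and symbols")
    core = normalise(password)
    # exact dictionary word, or a long dictionary word buried inside the password
    if core in DICTIONARY or any(w in core for w in DICTIONARY if len(w) >= 6):
        problems.append("based on a dictionary word")
    if digest(password) in used_digests:
        problems.append("already used for another site or application")
    return problems


if __name__ == "__main__":
    # constructed: the user already uses this password on another site
    already_used = {digest("Tr4vel-M00n-b1ke7")}
    for candidate in ["dragon", "P@ssw0rd123!", "Tr4vel-M00n-b1ke7", "Qp7#vLm2!xZr9wTe"]:
        verdict = check_password(candidate, already_used)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The normalisation step is what makes the dictionary rule worth having: checking the raw string against a wordlist would let "P@ssw0rd123!" through even though it satisfies the character-mix rule only cosmetically.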

Think Before You Click
Never view, open, or copy email attachments to your desktop or execute any email attachment unless you expect it and trust the sender or source. Even when receiving email attachments from trusted users, be suspicious. And never download or click on any link in an email you receive bearing "undisclosed recipient" in the recipient column. It might be a time bomb waiting to be detonated on your system.

Be cautious when clicking on URLs in emails or social media communications such as posts, comments and the like, even when they come from trusted sources and friends. Check carefully before you click. Do not blindly click on shortened URLs, e.g. http://bitly.a2-zwa14.com, without expanding them first using a preview tool or plug-in.

Use a web browser plug-in or URL reputation site that shows the reputation and safety rating of websites before visiting. Be wary of search engine results; only click through to trusted sources when conducting research, especially on topics that are hot in the media.

Guard Your Personal Data
Limit the amount of personal information and files you make publicly available (in particular via social networks). This includes personal and financial information, such as bank logins, birth dates or any data that might render you vulnerable to attack.

Review your bank, credit card, and credit information frequently for irregular activity. Avoid banking or shopping online from public computers (such as in libraries, Internet cafes, and similar establishments) or over unencrypted Wi-Fi connections. Be watchful of the people around you when in a public cyber café, and make sure they are not snooping on what you are doing on the computer.

Use HTTPS (not plain HTTP) when connecting over public Wi-Fi networks to your email, social media and sharing websites. Check the settings and preferences of the applications and websites you are using. Look for the green browser address bar, HTTPS, and recognizable trust marks when you visit websites where you log in or share any personal information. A green address bar indicates that the connection is encrypted and secure, and look out for a padlock icon on any website where you are making transactions, to be sure that the connection is safe and secure. See image below.
Configure your home Wi-Fi network for strong authentication and always require a unique password for access to it.