Security Engineering Principles for Mobile Apps

When we look back on this era, we might observe that the road to security nightmares was paved with convenience. In an understandable drive to make our lives easier, we are also exposing ourselves to greater risk. Mobile apps for cars are just one example. Many cars now offer a mobile app for remote unlocking, remote starting and more. The problem is that these apps make life convenient for car thieves as well.

The architecture of mobile car apps creates some of the vulnerability. In most cases the app does not connect directly to the car. It sends a message to a cloud-based server, which then relays the instruction to the car over a cellular connection. The convenience is that the owner can control the car even when the phone is out of Bluetooth range. The vulnerability is that the car trusts whatever the cloud relays, so a malicious actor who takes over the app, or its credentials, can have the cloud unlock the car without the owner knowing it.

Asaf Ashkenazi, VP of Product Strategy at Inside Secure

“Even if the cloud service is secure, you can still hack the device,” explained Asaf Ashkenazi, VP of Product Strategy at Inside Secure. He added, “Once the car has authenticated the cloud, it’s not usually designed to authenticate the device. You can attack the app on the phone and fool the cloud.” He also explained that reverse engineering the app or stealing its credentials could achieve the same objective for an attacker.
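The trust chain described above (the car authenticates the cloud, the cloud authenticates the app, and nobody authenticates the phone end to end) can be modelled in a few dozen lines. The following is an added illustration written for this article; it is not code from Inside Secure or from any real car app, and the HMAC-based message tags, the key names and the session token are all constructed for the model. It shows why a stolen app credential is enough to unlock the car when only the cloud is verified, why binding commands to a per-phone key stops that, and why an attacker who reverse engineers the app and extracts that key still succeeds, which is the case the app-level protection discussed below is meant to address.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo secrets; real deployments provision these per vehicle and per phone.
CLOUD_CAR_KEY = b"cloud<->car link key (demo)"          # shared by cloud and car
DEVICE_KEY = b"per-phone key provisioned into car (demo)"  # shared by phone app and car
APP_TOKEN = "session-token-of-the-owner-phone"           # what the cloud checks


def _tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 message tag (stands in for whatever MAC/signature a real system uses)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class Car:
    """Telematics unit. Always verifies the cloud; optionally also verifies the phone."""

    def __init__(self, require_device_tag: bool):
        self.require_device_tag = require_device_tag
        self.locked = True
        self.seen_nonces = set()  # reject replayed commands

    def receive(self, cmd: str, nonce: str, cloud_tag: bytes, device_tag: Optional[bytes]) -> str:
        msg = f"{cmd}:{nonce}".encode()
        if not hmac.compare_digest(_tag(CLOUD_CAR_KEY, msg), cloud_tag):
            return "rejected: cloud not authenticated"
        if self.require_device_tag:
            if device_tag is None or not hmac.compare_digest(_tag(DEVICE_KEY, msg), device_tag):
                return "rejected: phone not authenticated"
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        if cmd == "unlock":
            self.locked = False
        elif cmd == "lock":
            self.locked = True
        return "ok"


class Cloud:
    """Relay: checks the app's session token, then re-signs the command for the car.
    It never holds DEVICE_KEY, so a phone tag (if present) passes through untouched."""

    def __init__(self, car: Car):
        self.car = car
        self.valid_tokens = {APP_TOKEN}

    def forward(self, token: str, cmd: str, nonce: str, device_tag: Optional[bytes]) -> str:
        if token not in self.valid_tokens:
            return "rejected: bad app credential"
        msg = f"{cmd}:{nonce}".encode()
        return self.car.receive(cmd, nonce, _tag(CLOUD_CAR_KEY, msg), device_tag)


def send_command(cloud: Cloud, token: str, cmd: str, device_key: Optional[bytes]) -> str:
    """What an app (legitimate or attacker-controlled) does: build the command,
    tag it with the phone key if it has one, and hand it to the cloud."""
    nonce = secrets.token_hex(8)
    msg = f"{cmd}:{nonce}".encode()
    device_tag = _tag(device_key, msg) if device_key is not None else None
    return cloud.forward(token, cmd, nonce, device_tag)


def cloud_only_trust() -> bool:
    """Car authenticates only the cloud. An attacker holding just the stolen
    session token can unlock it. Returns True if the car ends up unlocked."""
    car = Car(require_device_tag=False)
    cloud = Cloud(car)
    send_command(cloud, APP_TOKEN, "unlock", device_key=None)
    return not car.locked


def device_bound_trust(attacker_has_device_key: bool) -> bool:
    """Car also verifies a per-phone tag the cloud cannot forge. A stolen token
    alone now fails; only an attacker who extracted DEVICE_KEY from the app succeeds."""
    car = Car(require_device_tag=True)
    cloud = Cloud(car)
    key = DEVICE_KEY if attacker_has_device_key else None
    send_command(cloud, APP_TOKEN, "unlock", device_key=key)
    return not car.locked


if __name__ == "__main__":
    print("cloud-only trust, stolen token:      unlocked =", cloud_only_trust())
    print("device-bound, stolen token only:     unlocked =", device_bound_trust(False))
    print("device-bound, app fully compromised: unlocked =", device_bound_trust(True))
```

The third scenario is the point of the quote: once the attacker has reverse engineered the app and pulled out the key material it holds, the car cannot distinguish the attacker from the owner's phone, no matter how carefully the cloud was secured. Device-bound commands raise the bar from "steal a token" to "extract a key from the app", which is exactly where protecting the app code itself comes in.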

While cars provide an understandable example, the risk is much broader in scope: devices across the Internet of Things (IoT) rely on the same phone-to-cloud-to-device pattern and suffer from similar vulnerabilities. One solution, according to Ashkenazi, is to apply security engineering principles at the app level. This is the Inside Secure approach. The idea is to protect the app itself, independently of the device’s operating system.

“If you’re depending on the OS for security, you may be exposing yourself to risk,” he noted. “Though smartphones are relatively safe now, if you’re paying attention, you’ll see that the race is on to crack mobile devices far worse than they’ve been to date.”

Inside Secure offers developers a toolset that enables them to embed protections into the app code itself. The company, which has been in business for 20 years, has its technology inside many banking apps and network routers.

Photo Credit: Thomas Hawk Flickr via Compfight cc