Q&A: Here’s why securing mobile apps is an essential key to tempering political division

By Byron V. Acohido

Finally, Facebook and Twitter muzzled Donald Trump, preventing him from using his favorite online bully pulpits to spread disinformation. It only took Trump inciting a failed coup d’état that cost five lives.

Related: How a Russian social media app is radicalizing disaffected youth

The action taken by Facebook and Twitter last week was a stark reminder of how digital tools and services can be manipulated by badly motivated parties in insidious ways.

The risks and exposures intrinsic to our favorite digital tools and services run very deep, indeed. This is something that we’re going to have to address. As the presidential election unfolded in the fall, for example, there were revelations about how mobile apps used by political candidates were rife with security flaws that played right into the hands of propagandists and conspiracy theorists.

Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API exposures, took a close look at the gaping vulnerabilities in the mobile apps used by the Biden and Trump campaigns, respectively, and came up with a scoring system to rate the security level of each camp’s main mobile app for reaching voters.

On Android, the Official Trump 2020 App ranked nearly three times as secure as the Vote Joe App, for a simplistic reason: the Trump app used the most recent version of Android OS. Newer versions of Android provided more security and privacy benefits.

That said, neither the Biden nor the Trump app enforced Android’s Verify Apps feature, which scans for potentially harmful apps on the device. If the Verify Apps feature is turned off, any apps side-loaded onto the user’s device do not get scanned for malware, Doug Dooley, Data Theorem’s chief operating officer, told me.

On the iOS side, both apps produced nearly identical security scores: very poor ones, Dooley says. For example, SSL certificate pinning was not implemented by either app. Pinning is an effective safeguard against the app’s network requests being intercepted by a malicious party on the local network. The larger point is this: effective security mechanisms are available, but they are not yet considered essential.

Similarly, the Vote Joe App failed to enforce HTTPS connections. This meant that an SDK could fetch zipped resources in an unsecure fashion, enabling parties on the local network to intercept them and potentially send a malicious archive to the device.
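Both of the iOS and Android findings above (no certificate pinning, and an SDK allowed to fetch resources over plain HTTP) map onto one file on Android: the app’s network security configuration. The following is an added example written for this article, not code from either campaign app or from Data Theorem; the domain name, the pin values and the expiration date are placeholders, and the two real pin values for a production app would be the base64 SHA-256 hashes of the server’s Subject Public Key Info and of a backup key held offline.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Wired into the app via AndroidManifest.xml:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     The weak shape the article describes is a base-config with
       cleartextTrafficPermitted="true" and no pin-set at all, which lets any
     SDK in the app fetch resources over plain HTTP and lets any CA-issued
     certificate terminate the app's TLS connections. -->
<network-security-config>

    <!-- Default for every host the app (and every SDK inside it) talks to:
         refuse cleartext HTTP, trust only the system CA store (no user-added
         CAs), so a zipped resource cannot be swapped on the local network. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the app's own back end. PLACEHOLDER values: replace with the
         base64 SHA-256 of the SPKI of the key actually in use, plus a backup
         pin for a key kept offline so a key rotation cannot brick the app. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example-campaign.invalid</domain>
        <pin-set expiration="2099-01-01">
            <!-- primary key currently serving TLS (placeholder hash) -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- backup key, not yet deployed (placeholder hash) -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

Two things to check when reviewing such a file: the `expiration` date makes pinning fail open (the pin-set is ignored after that date, so connections still succeed), which is the intended safety valve against a forgotten rotation, and a `base-config` that only appears in a `debug-overrides` block does nothing in release builds. On iOS the cleartext half of this is App Transport Security in Info.plist, and pinning is done either in the app’s URLSession delegate or, from iOS 14, with the `NSPinnedDomains` Info.plist key.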

These mobile app exposures don’t just affect political campaigns, of course. We’re talking here about a profound systemic weakness that runs throughout mobile computing and digital commerce.

Vastly improving the secure development and distribution of mobile apps is something the technology and cybersecurity communities are going to have to address, hopefully sooner rather than later. Here are excerpts from my discussion about this with Dooley, edited for clarity and length:

LW: Can you tell me a bit more about how Data Theorem derived this particular mobile app security score?

Dooley: The Data Theorem Analyzer Engine conducts dynamic run-time security analysis that can break down the various software components that make up any mobile application. Elements such as modern software frameworks, SDKs, open-source libraries and their versions are all captured by the Analyzer Engine.

The score is always unique to each application based on all the possible ways an application can be hardened from a security and privacy perspective. The more complex an application is, the higher the likelihood there are more “protection features” that need to be implemented to achieve a higher score. And vice versa, an app with very few components can often require less effort to achieve a higher score.

LW: Is this functionality a standard capability of your core services; or is this something you did as an experiment specifically on certain election apps?

Dooley: This is a standard effort of our Analyzer Engine to look at millions of apps daily on mobile app stores such as Google Play and the Apple App Store.

LW: Which specific election apps did you score?

Dooley: The combination of this upcoming US presidential election combined with the number of voters who are using mobile devices for political research and information gathering made it an important time to bring more attention to these specific apps published by the teams for Joe Biden and Donald Trump. We scored the Android and iOS versions of the Official Trump 2020 and Vote Joe apps.

LW: Can you tell me a bit more about how you determined Trump’s Android app to be 3X more secure than Biden’s?

Dooley: Again, just because an App Protection Score is higher, does not mean more effort went into making that app more secure. Sometimes, the simplicity and lack of components like SDKs, Open Source Libraries, and software frameworks make it easier to harden the application.

In the case of Trump’s Android app specifically, it took advantage of using newer and more modern frameworks from the latest versions of Android which helped to raise its protection score above Biden’s Android app.

LW: What’s important to know about Android’s Verify Apps functionality?

Dooley: Google has a variety of proprietary Google Play Services that go beyond open source Android. Verify Apps is a part of Google’s SafetyNet umbrella services. SafetyNet and Verify Apps have continuously evolved and improved as a malware scanner to adapt to the ever-changing threat landscape for mobile apps.

It’s debatable how effectively Verify Apps prevents malicious behavior on Android, but most in the security community would argue it is a helpful security guardrail for Android apps that developers should take advantage of when possible.

LW: How does iOS’s SSL Certificate Pinning boost security?

Dooley: TLS or SSL Certificate Pinning is one of the best protections for keeping network traffic private and secure. When implemented properly, the data transmitted from a mobile application over the Internet to back-end services often hosted in the public cloud will prevent a Man-In-The-Middle (MiTM) attack from occurring.

What’s remarkable about SSL Certificate Pinning is that it is increasingly becoming a standard practice with mobile applications, yet it is not possible to implement SSL Certificate Pinning in a Web-based Application loaded on a standard browser.

As a sidenote: Google abandoned their multi-year effort to have SSL Pinning in standard browsers back in late 2017. We often say for anyone transferring money, reviewing medical tests, or looking at political voting histories, it is often safer to do it on a mobile app than a laptop browser. However, if the mobile app does not implement SSL Certificate Pinning, the communication can be eavesdropped on as it travels across the network.

LW: Why is enforcing HTTPS connections important?

Dooley: Since most mobile application traffic travels across the public Internet, there are almost no good reasons to allow data to travel without encryption. Sadly, there are apps that still send traffic via the HTTP protocol instead of the encrypted equivalent HTTPS protocol.

Both Apple and Google are taking tougher stances against any application built on their mobile platforms that makes data easy to read by unauthorized third parties. HTTP app traffic is like having a front door without locks and left wide open for anyone to peek in.

LW: What’s the general state of app vulnerabilities vs. best practices being used by app developers to mitigate known risks?

Dooley: The majority of published applications do not comply with even half of the security best practices outlined by the major platform providers – Apple and Google. Furthermore, very few industries realize that they can use “security features” to differentiate their mobile applications to be superior to their competitors.

We’re trying to bring more attention to companies who have gone out of their way to make security hardening a priority when publishing mobile apps for their users and customers. That said, we are seeing a big push in this area by the financial services, healthcare, and technology industries to make a concerted effort to improve the state of security and data privacy in their mobile applications and API services. We hope in a few years these app protection scores will improve as DevSecOps becomes a common practice.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
