Archive for Approov

Approov Names Pearce Erensel Vice President of Sales

Posted in Commentary with tags on March 21, 2023 by itnerd

Approov, the end-to-end mobile app security provider, today named Pearce Erensel vice president of sales, reporting to Approov’s CEO Ted Miracco.

Erensel will have responsibility for Approov’s global sales and support. His focus will be on increasing Approov’s footprint in the mobile app security market by leading a professional sales and business development organization and driving customer-facing processes.

Pearce Erensel is an experienced sales and business development executive noted for meeting or exceeding revenue targets. Most recently, he was employed by Zimperium in its London office after serving as an account executive for whiteCryption, a company acquired by Zimperium. At Zimperium, he was a product expert for its mobile app protection suite working alongside EMEA account executives and training application engineers. At Intertrust Technologies Corporation, a software technology company specializing in trusted distributed computing, Erensel worked as a business development manager and account executive. He began his career in New York City working as a corporate sales trainer for advertising services firm First Reaction Inc.

Erensel is a graduate of Dickinson College in Pennsylvania with a Bachelor of Arts degree in Environmental Studies. He holds a Master of Arts degree in Global Policy from the University of Maine School of Policy and International Affairs (SPIA) in Orono, Maine.

Study Finds That 92% of Google Play Store’s 650 Most Popular Fintech Apps Expose Exploitable Secrets

Posted in Commentary with tags on March 2, 2023 by itnerd

Ninety-two percent of the most popular banking and financial services apps on the Google Play Store contain easy-to-extract secrets (such as API keys), which could be used by cyber attackers in scripts and bots to steal data, devastating consumers and the institutions they trust.

The study “Mobile App Security Report – Exposing the Security Vulnerabilities of Top Finance Apps” summarizes the work of the Approov Mobile Threat Lab. The team downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany, investigating a total of 650 unique apps. 

Only 5% of the apps examined had good defenses against runtime attacks that manipulate the device environment, and only 4% were well protected against Man-in-the-Middle (MitM) attacks at runtime. As well as immediately exposing secrets, the scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime.

Other findings: 

  • None of the 650 apps “ticked all the boxes” in terms of the three attack surfaces investigated. All failed in at least one category.
  • Only four apps had runtime protection against both channel MitM attacks and “man-in-the-device.” All were payment and transfer apps, and none with such protections were in the U.S.
  • In general, apps deployed in Europe were better protected than apps available only in the U.S., both for immediate secret exposure and for runtime protections.
  • Crypto apps were more likely to leak sensitive secrets: 36% immediately offered highly sensitive secrets when scanned.
  • 18% of personal finance apps leaked sensitive information, possibly because they are less dependent on sensitive APIs.
  • For Man-in-the-Device attacks, traditional banks’ mobile apps are twice as likely to be well protected as those in other sectors, reflecting the use of packers and protectors to protect against runtime manipulation.

The report can be found here.
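The report’s method, decoding each app and scanning the result for embedded secrets, is also the check a development team can run on its own build before release. The following Python scanner is an added example and is not the Approov Mobile Threat Lab’s tooling: it walks a small constructed sample of what a decoded app tree (for instance the output of apktool) might contain and flags credential-shaped strings. The AKIA and AIza prefixes are the publicly documented formats of AWS access key IDs and Google API keys; the generic assignment pattern, the file contents and every key value are fabricated for the example.

```python
"""Scan decoded mobile-app files for embedded credentials (constructed example)."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str        # file inside the decoded app the match came from
    line_no: int     # 1-based line number within that file
    kind: str        # which pattern matched
    redacted: str    # partial value that is safe to put in a report


# Well-known credential formats plus a generic `api_key = "..."` assignment.
# AKIA (AWS access key IDs) and AIza (Google API keys) are documented public
# formats; the generic pattern is an assumption tuned for this example.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*["']([A-Za-z0-9_\-]{16,})["']"""
    ),
}


def redact(value: str) -> str:
    """Keep just enough of the value to recognise it, never the whole thing."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-shaped match in one file, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group report only the value part.
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """`files` maps a path inside the decoded app to that file's text."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample of a decoded app tree. The key values are fabricated
# and chosen only so that they fit the formats matched above.
SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": "\n".join([
        '<?xml version="1.0" encoding="utf-8"?>',
        "<resources>",
        '    <string name="app_name">DemoBank</string>',
        '    <string name="maps_key">' + "AIzaSyEXAMPLE" + "0" * 26 + "</string>",
        '    <string name="upload_key">' + "AKIA" + "EXAMPLEKEY000001" + "</string>",
        "</resources>",
    ]),
    "sources/com/example/demobank/Config.java": "\n".join([
        "package com.example.demobank;",
        "public final class Config {",
        '    public static final String API_BASE_URL = "https://api.example.invalid";',
        '    public static final String API_KEY = "sk_live_EXAMPLE_000000000000";',
        "}",
    ]),
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} -> {f.redacted}")
```

Only a redacted prefix and suffix of each hit is reported, so the scan output itself does not become another copy of the secret. A pattern list like this catches the easy-to-extract cases the report describes; it does not find secrets that are split, encoded or assembled at runtime, which is why the runtime protections the report also measures matter.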

UPDATE: Rajiv Pimplaskar, CEO of Dispersive Holdings, Inc. had this comment:

    “Cloud security is always a constant battle between convenient access and secure access. In the examples of the reports, the wide majority of the applications contained “pre-baked” API keys that provided access to certain “secured” public services just by the presence of the API key. Once compromised, the security of the API is completely out the window.

    “API keys for accessing *any* public service should not last indefinitely and they should never come directly with a mobile or enterprise application install. The most secure way is requiring that the API keys be received after proper authentication (and most likely Multi Factor Authentication, MFA). In today’s day and age, MFA is not difficult to set up and while it isn’t perfect, it provides meaningful resistance to most hackers and malicious actors looking for low hanging fruit.

    “Once the API key is obtained, accessing the service is still a potential waving flag for malicious actors. The transport mechanisms and source/destination addresses can become immediate targets.

    “That’s why stealth networking and solutions can be truly innovative. Obfuscating and encrypting and protecting data in transit can provide the enhanced security from mobile endpoint all the way to cloud. Additionally, with a stealth networking solution, the ability for a malicious actor to set up a MITM attack is severely hindered. By removing “known” open endpoints, malicious actors can’t easily set up the MITM to try to intercept and capture/modify packets.”

The State of Mobile App Security in 2022 Report Released

Posted in Commentary with tags on July 15, 2022 by itnerd

Approov and Osterman Research today issued “The State of Mobile App Security in 2022”. Key findings include:

  • 75% of companies say mobile apps are now “essential” or “absolutely core” to their success, up from 25% two years ago.
  • 75% Would Face Substantial Consequences from a Successful Attack on Their Mobile App: An attack against APIs that rendered a mobile app non-functional would have a significant effect on 45 percent of businesses and a major impact on an additional 30 percent.
  • 78% Have Low Confidence in Mitigation Against Specific Threats: Seventy-eight percent of respondents are not highly confident that their organizations have the appropriate level of security defenses and protections in place to protect against specific threats posed by mobile apps.
  • Poor Visibility into Security Threats Against Mobile Apps:
    • 60% lack visibility into credit fraud attempts
    • 59% lack visibility into the creation of fake accounts
    • 56% lack visibility into data stolen from APIs by scripts
    • 54% cannot detect the use of stolen API keys being used to mimic genuine requests
    • 53% lack visibility into credential stuffing attacks
    • 51% lack visibility into secrets exposed on mobile platforms
    • 50% cannot detect access by cloned, fake or tampered apps
  • Third-Party APIs Create Pathways for Threat Actors:
    • On average, mobile apps depend on more than 30 third-party APIs, and half of the mobile developers surveyed are still storing API keys in the app code – a massive attack surface for bad actors to exploit.
    • 42% of organizations don’t require third-party developers to attest to following required standards, and 38% do not pen test the security of third-party code.

Aimei Wei, CTO and Cofounder of Stellar Cyber had this comment:

     “Mobile apps are certainly a rapidly growing attack surface. Mobile app developers need to follow practices such as not hard-coding secrets and storing API keys in a secure place. It will help to reduce the attack surface. On the other hand, having visibility of runtime threats against mobile apps and APIs is critical; having a detection and response system that can provide visibility and detect attacks in real time will help to provide the overall coverage and fill the gap.”

Edward Roberts, VP of Marketing, Neosec added this:

     “APIs are a very important part of mobile apps and their adoption is widespread. But APIs in mobile apps are focused on business-to-consumer API behavior and usage. There is another large attack surface of business-to-business APIs that connect commerce globally which are unfortunately largely unprotected. The vulnerabilities and potential abuse of these B2B APIs are increasingly concerning to security professionals worried about the risk exposure of their organization.”

Hopefully mobile app developers get the message and improve their code so that their apps are not a threat. That helps them and it helps the rest of us.

Approov Announces Runtime Secrets Protection 

Posted in Commentary with tags on May 19, 2022 by itnerd

Approov, creators of advanced mobile app and API shielding solutions, today introduced Approov Runtime Secrets Protection, enabling comprehensive protection of the API credentials and secrets that are typically targeted by threat actors for malicious exploitation.

Recent breaches have highlighted the risk of stolen keys and secrets being exploited by hackers. It is clear that such secrets are not being effectively protected at rest and in transit, resulting in bad actors acquiring them and exploiting them to access APIs and applications.

The wide use of third-party APIs by mobile apps adds another dimension to the problem. Mobile app developers can suffer both financial losses and brand reputation damage if they are seen to be the cause of third-party app breaches or of service disruptions caused by Distributed Denial of Service (DDoS) attacks using stolen secrets.

Recent research from Osterman Research illustrates the extent of the issue:

“Upcoming Osterman findings show that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code,” Michael Sampson, senior analyst at Osterman Research, said. “These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be. The new functionality from Approov allows API keys to be managed and updated dynamically and ensures they are never extractable from the app. This is a major step forward in protecting APIs from abuse.”

Developers have frequently been urged not to store hard-coded keys in a mobile app or device, but as the research shows this “best practice” is not widespread, since up to now there has been no easy way to conveniently store such secrets safely outside the app code.

Introducing Approov Runtime Secrets Protection: Just-in-Time Keys and Secrets That Thwart Mobile API Attacks

This is why Approov is releasing new functionality in Approov 3.0 which addresses this issue by making the management of API keys and other secrets easy and secure, whether at rest or in transit.

Approov Runtime Secrets Protection manages and protects all the secrets a mobile app uses. The Approov cloud service delivers secrets “just-in-time” to the app only at the moment they are required to make an API call, and only when the app and its runtime environment have passed attestation. This ensures that sensitive API secrets are not continuously stored in, or delivered to, unsafe places such as fake apps or malicious hands.

All secrets are stored by the Approov cloud service and are easy to manage dynamically. If changes to these are needed, they are easily and immediately changed across all deployed apps, preventing abuse.

This approach marks a major improvement over keys that are hard-coded in the app itself, because should those keys be “leaked” the app must be updated with an entirely new version – a process which is complex and time-consuming, and involves juggling new and old keys during the time it takes for the installed base to be transferred to the new version.
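To make the just-in-time model concrete, here is an added Python sketch of the three parties the two paragraphs above describe. It is not Approov’s code or API: the token format, the HMAC signing, the allow-list of app digests, the “device trusted” flag and every key value are constructed assumptions for the example. An attestation service issues a short-lived signed token only to a recognised app build on a trusted device; a server-side vault releases the third-party secret only against a valid token; the client asks for the secret at the moment of the call and never stores it. The final step shows the rotation property: the vault swaps the secret and the next call picks it up with no app update. A hard-coded constant is kept alongside for contrast.

```python
"""Just-in-time secret delivery gated on attestation (constructed example)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# The 'before' pattern: a key baked into the app binary. Leaking it means
# shipping a new app version and juggling old and new keys meanwhile.
HARDCODED_THIRD_PARTY_KEY = "sk_live_EXAMPLE_000000000000"  # fabricated value

# --- Attestation service side (all values constructed) -----------------------
_SIGNING_KEY = b"constructed-attestation-signing-key"
_KNOWN_GOOD_APP_DIGESTS = {hashlib.sha256(b"genuine-app-build-1.0").hexdigest()}
TOKEN_TTL_SECONDS = 300


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation_token(app_digest: str, device_trusted: bool, now: float) -> Optional[str]:
    """Only a recognised build running on a trusted device receives a token."""
    if app_digest not in _KNOWN_GOOD_APP_DIGESTS or not device_trusted:
        return None
    payload = _b64(json.dumps({"app": app_digest, "exp": now + TOKEN_TTL_SECONDS}).encode())
    sig = _b64(hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_attestation_token(token: str, now: float) -> bool:
    """Check signature, expiry and that the attested build is still allow-listed."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return False
        claims = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return False
    return claims.get("exp", 0) > now and claims.get("app") in _KNOWN_GOOD_APP_DIGESTS


# --- Secrets vault side ------------------------------------------------------
class SecretsVault:
    """Server-side store: the app ever holds only a token, never the secret."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}

    def rotate(self, name: str, value: str) -> None:
        """Change a secret for every deployed app at once, no app update needed."""
        self._secrets[name] = value

    def fetch(self, name: str, token: str, now: float) -> Optional[str]:
        if not verify_attestation_token(token, now):
            return None
        return self._secrets.get(name)


# --- App side ----------------------------------------------------------------
def build_auth_header(vault: SecretsVault, token: Optional[str], now: float) -> str:
    """Fetch the secret at the moment of the API call; keep it only in memory."""
    secret = vault.fetch("payments_api_key", token, now) if token else None
    if secret is None:
        return "denied"
    return f"Authorization: Bearer {secret}"


def hardcoded_auth_header() -> str:
    """The contrasting pattern: the secret is already inside the app."""
    return f"Authorization: Bearer {HARDCODED_THIRD_PARTY_KEY}"


def demo() -> Dict[str, object]:
    """Run the scenarios once and return the outcomes keyed by case."""
    now = 1_700_000_000.0
    vault = SecretsVault()
    vault.rotate("payments_api_key", "key-v1-constructed")
    genuine = hashlib.sha256(b"genuine-app-build-1.0").hexdigest()
    repackaged = hashlib.sha256(b"repackaged-app").hexdigest()
    good_token = issue_attestation_token(genuine, True, now)
    assert good_token is not None
    payload = good_token.split(".")[0]
    results: Dict[str, object] = {
        "genuine": build_auth_header(vault, good_token, now),
        "repackaged_app": issue_attestation_token(repackaged, True, now),
        "untrusted_device": issue_attestation_token(genuine, False, now),
        "expired_token": build_auth_header(vault, good_token, now + TOKEN_TTL_SECONDS + 1),
        "forged_signature": build_auth_header(vault, payload + "." + _b64(b"\x00" * 32), now),
    }
    vault.rotate("payments_api_key", "key-v2-constructed")
    results["after_rotation"] = build_auth_header(vault, good_token, now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the split is where the secret lives: the hard-coded variant is extractable by anyone who decodes the app, while the vault variant gives an attacker who extracts the app nothing but a 300-second token bound to a build the service already checked, and the real protection then rests on how hard the attestation itself is to pass.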

Upcoming Webinar

Join the live webinar from Approov on June 9th “Best Practices for Secure Access of 3rd Party APIs from Mobile Apps” which will discuss the reputational and financial risks associated with API use and how to mitigate those risks. Sign up here.

Pricing and Availability

The pricing of the Approov solution is designed to be completely aligned with your business growth, based on the number of genuine active apps in a monthly billing period. Approov 3.0 is available now.