String encryption secures flimsy app code

String encryption secures flimsy app code - Malware Update

Mar 19, 2025 - 12:35

Apple is often known for prioritising user privacy and security, yet recent data shows that mobile apps in the iOS ecosystem were found to have more than 815,000 hardcoded secrets, including thousands that could lead to data breaches.

So why is this?

Mobile app security specialist Jack Kerr, Director at Appdome, explains that developers making mobile apps don't always prioritise security or properly understand how to use encryption. What's more, cyber security tactics such as obfuscation can be hard to implement in code, all of which leaves sensitive information wide open to attackers.

“CyberNews' research highlights how many mobile businesses are failing to properly encrypt sensitive data stored within their mobile apps, exploiting the user data of millions of people and leaking secure code (Stripe keys). This is often because teams don't always prioritise security, developers don't understand how to use proper encryption and obfuscation can be hard to figure out how to code – all of which leaves sensitive information wide open to attackers.

“When an app is developed, sensitive data, like API keys (which control access to app services), passwords and server details are fed into the app's code. Hackers can extract this information using basic reverse engineering tools like MachOView or Frida, which are widely available and easy to use. When exposed, attackers can discover app logic, secrets, vulnerabilities and more.

“Today, developers may try to protect these details with simple data encryption or obfuscation, but weak encryption is easy to break while simple obfuscation only scrambles code to make it harder to read. And obfuscation doesn't actually encrypt the data, but only makes it less obvious. To add to this, mobile apps need to be able to read their own sensitive data while sending or receiving information, meaning obfuscation does not work for API endpoints. That's where string encryption should be baked into every mobile app. This style of encryption protects sensitive information from unauthorised access, mitigates risks of tampering or misuse, and ensures compliance with secure data handling standards critical to maintaining app security. Without it, mobile apps will continue handing over user data to cybercriminals on a silver platter.”
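
As an added example (not from the article, Appdome or CyberNews), here is a pre-release check a team can run against its own compiled app binary: it pulls printable strings the way the `strings` utility does and flags plaintext secrets, which shows why a hardcoded key is visible in the build while a string stored only as ciphertext is not. The rule set, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Illustrative rule set (an assumption, not an exhaustive list). The sk_live_/rk_live_
# prefixes follow Stripe's live-key naming; the other rules are generic.
RULES = {
    "stripe_secret_key": re.compile(rb"\b[sr]k_live_[0-9A-Za-z]{16,}"),
    "url_with_credentials": re.compile(rb"https?://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Runs of 6+ printable ASCII bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def mask(value: bytes) -> str:
    """Keep a short prefix so a finding is identifiable but not reusable."""
    text = value.decode("ascii")
    return text[:8] + "*" * (len(text) - 8)


def scan_binary(blob: bytes):
    """Return (rule, byte_offset, masked_value) for each plaintext secret found."""
    findings = []
    for run in PRINTABLE_RUN.finditer(blob):
        for rule, pattern in RULES.items():
            for hit in pattern.finditer(run.group()):
                findings.append((rule, run.start() + hit.start(), mask(hit.group())))
    return findings


# Constructed sample data: the "key" is filler text, not a real credential.
FAKE_KEY = b"sk_live_" + b"EXAMPLEONLY" * 2 + b"00"
HEADER = b"\x00\xfe__cstring\x00"
PLAINTEXT_BUILD = (HEADER + FAKE_KEY + b"\x00"
                   + b"https://svc:CONSTRUCTED-PASS@db.example.com/v1\x00")
# Same slot holding ciphertext instead (constructed stand-in bytes, not real
# cipher output): nothing printable is left for the rules to match.
ENCRYPTED_BUILD = HEADER + bytes(range(0x80, 0xA0)) + b"\x00"

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_BUILD), ("encrypted", ENCRYPTED_BUILD)):
        print(name, scan_binary(blob))
```

Run as a CI step over the release binary, any finding should fail the build before the app ships.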