This article was originally published on Licel's insights page. Licel is a global application security company.
Modern mobile apps are being forced to battle an overwhelming number of threats. These include untrusted environments, rooted and jailbroken devices, and the schemes of malicious actors.
Among the weapons you can wield to stop these threats are solid user authentication, encrypting the data being transmitted between the app and the server, ensuring the authenticity of said server, and monitoring the app for behavior anomalies.
But as the sheer range of cybersecurity threats widens, it can be tempting to want to create custom security solutions to deal with them.
This could include creating custom cryptographic systems, designing unique authentication mechanisms, inventing your own pin-code screens, or even building your own network protocols.
Sadly, though, this can lead to you simply reinventing the wheel. And the end result can actually be a less secure application.
In this article we’ll explore the core components of modern cybersecurity - cryptography, authentication (including biometrics and pin-code screens), and network layer security. We'll delve into the intricacies of each and explain the challenges that can come from designing custom security solutions in these areas. And we'll explain why existing, established solutions often provide a safer, more reliable approach to securing your mobile applications.
Imagine you need to send an important message to your colleague.
You’ll want to make sure that two things happen. Firstly, that nobody except your colleague is able to read your message. And secondly, that she receives exactly what you sent to her and not a modified version.
One of the best ways to make sure this happens is by using cryptography. The backbone of modern digital security, cryptography is what keeps our online interactions confidential. It ensures the integrity of our data, and verifies the identity of communicating parties.
Cryptographic systems revolve around two core elements: encryption algorithms and cryptographic keys. Encryption algorithms convert plaintext information into unintelligible text (ciphertext), while cryptographic keys are secret values used in these algorithms to ensure security. The way these keys are used gives rise to various types of cryptography: symmetric-key, asymmetric-key, and hash functions, for example. And each has its unique advantages and use-cases.
Developing a secure cryptographic system, however, is not as simple as choosing an encryption algorithm and creating a key. The complexity of cryptography lies not only in designing the algorithms but also in making sure they’re implemented and managed securely.
Missteps in any of these areas can lead to vulnerabilities that can be exploited by bad actors. For example, creating a short key could allow them to brute force it. Failing to store the encryption key securely can result in the encryption efforts becoming pointless. And not providing random initialization data to the crypto algorithms opens up a whole new variety of attacks.
Attempting to design custom cryptographic systems yourself to solve these challenges can also further exacerbate risks. The field of cryptography has a long history, with many algorithms that seemed secure at first later being found to contain critical vulnerabilities. These flaws are often only discovered after years of rigorous testing and analysis by the global cryptographic community.
Remember, even a seemingly minor oversight or error in a custom cryptographic system can render it completely insecure.
Established cryptographic systems, on the other hand, have withstood the test of time (and scrutiny). They’re designed by experts in the field, extensively peer-reviewed, and are continually updated in response to new threats that emerge. So, they offer a level of security and reliability that custom security solutions typically can't match.
As we continue to delve into other components of cybersecurity - biometric authentication, pin-code screens, and network layer protocols - you’ll see the same principle repeating:
It's generally much more secure and efficient to rely on established solutions than to attempt to reinvent the wheel.
The importance of secure authentication
User authentication exists and is so important because it serves as a gatekeeper. It stops unauthorized access and protects sensitive data from malicious threats.
There are various forms of authentication in use today, ranging from simple password systems to more advanced biometrics and multi-factor authentication (MFA) systems. There are even combinations of each. These methods have been developed and refined over the years to provide a balance between security and user-friendliness, which is not an easy task.
Biometric authentication is a popular method that involves verifying an individual's identity based on their unique physical or behavioral characteristics. These include fingerprints, facial patterns, or voice recognition. While these methods offer a high level of security, they also require sophisticated technology and careful implementation to avoid potential vulnerabilities. For instance, a poorly-implemented facial recognition system might be tricked by a photo. And a voice recognition system could be fooled by a recording of somebody’s voice.
Similarly, pin-code screens are widely used due to their simplicity and convenience. But by creating custom pin-code systems you can open the door to security risks. After all, implementing a secure pin-code system is about more than just accepting and verifying a numerical input. It also needs to account for factors like secure data storage, resistance to brute force attacks, and protection against data leaks during input.
Banking trojans are another important consideration. They exploit the OS to capture what’s on the screen, log your end user’s input, and show overlays that resemble legitimate banking app screens. They’ve been around for more than a decade, they’re multiplying fast, and are a significant threat to protect from.
In both these cases, using established authentication solutions that have been extensively tested and refined is a more secure approach. These solutions are designed with security best practices in mind and have been scrutinized by the wider cybersecurity community to identify and rectify potential vulnerabilities.
Custom pin-code screens: a cautionary tale
Both mobile iOS and Android platforms include the phone-locking functionality. You get to choose 4 to 6 digits to prevent anybody from accessing your phone. Mobile devices are valuable possessions, so there’s no shortage of people developing solutions to brute force, crack and breach the pin-code.
This context helps to explain why platform developers are constantly working on improving the security of pin-code screens. But again, there are examples out there of custom implementations of pin-code screens that have invited even more risks.
There’s more to a secure pin-code system than you might think. It doesn't just verify that the entered pin matches the stored pin. It also needs to account for data protection during input, storage, and transmission. And user inputs need to be concealed to prevent over-the-shoulder peeping or screen recording attacks. What’s more, secure storage practices like hashing and salting need to be used to protect the pin in case the data storage gets compromised.
The system should incorporate security measures to prevent brute-force attacks (repetitive attempts to guess the pin). This could involve limiting the number of incorrect pin attempts, introducing time delays after failed attempts, or temporary account lockouts.
In many reported breaches of pin-code screens, the root cause was often some kind of overlooked security practice. So, using insecure data storage methods or failing to adequately protect against brute force attacks, for example. There are plenty of harsh reminders out there that prove that implementing a secure pin-code screen is not as easy as it might seem at first.
There are a wide range of established solutions for pin-code authentication available today, each designed with a deep understanding of these threats and how to mitigate them. These tested, proven tools are updated as new threats emerge and are a much better bet than custom solutions.
The challenge of network security
One of the fundamental components of network security is the use of protocols, which are rules or standards that dictate how devices on a network exchange information. Protocols define processes for tasks such as error checking, data compression, and data transmission. They’re critical when it comes to making sure that network communications are performed efficiently and securely.
Typically, there are committees which suggest changes to these protocols and discuss them thoroughly. Given their complexity and the security implications of getting them wrong, network protocols are extensively tested and analyzed before widespread adoption.
Well-known protocols like the Transmission Control Protocol/Internet Protocol (TCP/IP), Secure Sockets Layer/Transport Layer Security (SSL/TLS), and HyperText Transfer Protocol Secure (HTTPS) have become industry standards. The reason they’re used so extensively is because they’ve proven over time to be secure and reliable.
But even having committees, reviews and other measures in place can’t guarantee problem proof protocols. As it was shown several years ago, even protocols with a well-established history are susceptible to security and privacy problems, such as sending audio in a phone before the callee actually picked up.
This might provide some context for why organizations and developers can sometimes be tempted to develop their own custom network protocols. Such a decision might arise from specific business requirements, the desire for optimization, or a misguided belief in "security by obscurity". In other words, keeping the design of the protocol secret to prevent attackers from discovering vulnerabilities in it.
However, creating your own custom network protocol can introduce significant security risks. Not least because it wouldn’t be put through the extensive testing and scrutiny that standard protocols undergo. And so the likelihood of undiscovered vulnerabilities increases. Security by obscurity has also been widely discredited in the cybersecurity community for promoting a reliance on secrecy rather than on robust, proven security measures.
Custom protocols can introduce compatibility issues, too. They increase the complexity of network management which leads to a higher likelihood of configuration errors and potential security gaps.
For these reasons, it's generally best to stick with established network protocols. They’ve been verified through years of use and have a broad base of experienced developers who understand their ins and outs.
Don’t risk doing it yourself
As you might have noticed throughout this piece, the desire to design and implement custom security solutions often comes with the best intentions.
But whether it's to optimize performance, satisfy unique requirements, or simply a drive to innovate, these ambitions can lead to unforeseen cybersecurity risks.
Take the example of Telegram, a popular messaging app. In the early years of its existence, its developers created their own protocol to exchange information. But before long, security experts found flaws in it. The research found several attack vectors which wouldn’t have existed if Telegram had used battle-tested primitives and approaches.
Signal is a rival messaging app. It too uses its own protocol, but it proved to be a more reliable and hack-proof messenger. For example, when a small portion of users were affected by a hack, no data was actually leaked to the malicious users. And it emerged that the hack didn’t come about via Signal itself but rather a less secure company in the supply chain that was sending auth codes. Still, this example represents something of an outlier.
As we've seen in the previous chapters of this article, each component of cybersecurity - cryptography, authentication, and network security - is a complex field in and of itself. Each comes with decades of research, development, and real-world testing behind it that has resulted in the existing solutions that are tried and tested.
Attempting to create custom security solutions in these areas doesn’t only require substantial expertise. It also requires a deep understanding of potential vulnerabilities and the knowledge of how to mitigate them.
But even with considerable experience, it's easy to overlook a small detail or underestimate a potential threat. And this can lead to significant security vulnerabilities.
A custom cryptographic algorithm might seem secure on the surface but could be susceptible to specific types of attacks (see the Telegram example above). A self-designed authentication mechanism might not account for all potential intrusion methods. And a custom network protocol might contain loopholes that could be exploited for data breaches.
What’s more, DIY solutions don't benefit from the continuous updating and refining that established solutions receive. In the world of cybersecurity, threats are constantly evolving, and security measures that are effective today might not be quite as foolproof tomorrow. Established solutions are maintained by dedicated teams of experts who stay abreast of the latest trends and update the solutions accordingly.
There's also the question of resource allocation. Developing, testing, and maintaining custom security solutions can consume significant time and resources that might be better directed elsewhere. So, improving the overall user experience or adding new features, for example.
Remember, cybersecurity is a marathon, not a sprint. The key to winning is not outpacing everyone in a burst of speed, but maintaining a steady, unyielding defense that can stand the test of time.