The level of interconnectivity in today’s digital ecosystem has created almost limitless opportunities for organisations and applications to work together by combining capabilities and sharing data. However, this interwoven ecosystem also creates a much larger surface for attack, enabling attackers to skirt around security measures by targeting less secure connections.
This risk was made very clear in March 2017 by a large-scale attack on Twitter through a third-party app called Twitter Counter, which users authorise to sync with their account so that it can track responses and other statistics about their profile. The incident saw thousands of accounts hijacked as part of an apparent attack on the Netherlands by Turkish hackers: the hijacked accounts tweeted Turkish messages with the hashtags "#NaziHollanda" or "#Nazialmanya", comparing the Netherlands to Nazi Germany in reference to a dispute between the two countries over protest rights. A wide variety of high-profile accounts, including the Department of Health, BBC North America, Nike and UNICEF, as well as thousands of individuals, were compromised.
Luckily for those whose accounts were taken over, Twitter Counter never held users' passwords; what it held was an authorisation to act on their behalf, so the attackers were limited to the posting permission the app had been granted. As a result the fallout from the attack was limited to the embarrassment of being drawn into a political row and of sharing offensive material.
However, the attack highlights just how exposed many of the most popular apps we use every day are to attacks through connected third parties. A compromise of a synced app that has been trusted with a greater degree of access to the main app, particularly login details or financial data, can have far more serious consequences for users.
Do you know who your apps are connected to?
Incidents like this should serve as a wake-up call for end users to pay closer attention to which third parties they allow to access their apps. Twitter and most other applications have a management option to review and revoke the permissions granted to synced apps and add-ons. Users should also take the time to read the permission prompt that states what access a new app is requesting before they approve it.
More importantly however, developers should be much more careful about what third parties they allow into their ecosystems. As the old adage goes, a chain is only as strong as its weakest link. An application can have the strongest security in the world, but all it takes is one synced app with a security vulnerability to give the attackers a way in.
A good baseline would be to ensure that all applications adhere to the OWASP Top Ten, a well-regarded list of the most critical web application security risks. The project is a group effort by security experts around the world, and helps developers identify the most common and dangerous weaknesses they should be prioritising for defence, such as injection flaws or insufficient transport layer protection.
Much of the current web of interconnectivity is made possible by APIs (application programming interfaces), which have become a staple for developers because they can drastically cut down development time.
An API is essentially a set of instructions or routines to complete a specific task, or interact with another system, from servers to other applications. Because APIs are able to perform tasks such as retrieving data or initiating other processes, developers can integrate different APIs into their software to complete complex tasks. Rather than having to waste hours writing every command from scratch, it is possible to simply pick from an increasingly large selection of best-of-breed APIs developed by specialists, and plug them straight in. This transforms the development process from a time-intensive grind to something more akin to building with Lego.
The reductions in costs and time-to-market made possible with this approach are so profound that some of the world's largest companies are now making the majority of their revenue through APIs. Research from the Harvard Business Review found that Salesforce generates around half of its revenue through APIs, while Expedia uses them to create almost 90 per cent of its income. Alongside the big players are an endless selection of specialists, meaning that developers can access high quality APIs for almost any task.
As well as making it much easier to create a new application, this also makes it extremely simple for applications to connect and sync with each other. Developers can now simply distribute APIs providing third parties with all of the relevant commands needed to have their applications communicate and execute functions. Apps looking to connect with Twitter for example can use REST APIs for access to read and write Twitter data, enabling a third party app to compose and post tweets, and to read user profile and follower data. Alternatively, streaming APIs can be used to monitor or process tweets in real-time.
The hidden risks
While they are extremely useful, APIs also contribute to the security problem around third-party connections. Many API management solutions use a simple process to confirm that a connecting client is the genuine app and has been authorised to connect. Typically this is a challenge-response exchange as the client tries to connect to the API server: the server sends a fresh nonce and the client answers with a cryptographic computation over it. For the client to do that it has to carry the signing material, so the mobile app generally contains a private key for an asymmetric scheme such as RSA or ECC, or a shared secret, embedded in the binary.
If attackers can break the application's protections and decompile or disassemble its code, or simply inspect its memory while it runs, they can root out those keys. Any application that can be downloaded is particularly exposed to this, because the attacker has the binary in an environment they fully control and unlimited time to attack it until a weakness is found.
Once the keys have been found, attackers can use them to answer the challenge themselves, and the server has no way to tell their requests from those of a legitimate client; they gain access to anything the API was authorised to reach. Note what the embedded key does and does not prove: it identifies the app, not the user, so whoever holds it can call every function the app can. Again, in the case of a relatively simple app like Twitter Counter, this may result in nothing more than embarrassment, but if the API grants access to confidential data or more serious functions, it is easy to imagine the damage that can be done. In the financial sector, the upcoming PSD2 directive will require banks to open APIs to other organisations, potentially including social media platforms, to facilitate services such as payments and transfers.
Keeping APIs secure
The risk introduced by embedding keys in API clients can be reduced by taking extra measures alongside challenge-response authentication. The most effective approach is to centre defences on protecting the cryptographic keys themselves.
White-box cryptography is a strong method for hiding cryptographic keys from an attacker who has full access to the software. Using this technique, the original key material is merged with the cipher's own operations into a set of lookup tables protected by randomised internal encodings, so the key never appears as a recognisable value in the binary or in memory. The resulting key representation can only be used by the associated white-box cryptographic software, which stops an attacker from simply reading the key out and using it in their own code to answer the challenge-response. One caveat: published white-box constructions have repeatedly been broken by dedicated analysis, so the technique raises the cost of key recovery rather than ruling it out.
However, white-box cryptography on its own can still be circumvented if the attacker decompiles the original application and either modifies the app in place or lifts the entire white-box package out and includes it in a cloned version of the application, calling it as a black box without ever learning the key.
Such relentless attackers can be stopped with anti-tampering techniques that detect code-lifting attacks or interference with the app, for example by verifying the integrity of its own code at runtime. Anti-tamper techniques with application self-protection built in can respond to runtime attacks with customisable actions and notify the app owner that the app is being modified.
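The challenge-response exchange described under "The hidden risks", together with the key-extraction and code-lifting attacks described above, as an added runnable example. This is not the article's own code nor any Arxan product: the server, the client, the "shipped binary", the key bytes and the app identifier are all constructed, and it uses HMAC-SHA256 over the server's nonce rather than the RSA/ECC signature the article mentions so that it runs with the Python standard library alone (the argument is the same either way, since the signing material ships inside the client).

```python
"""Challenge-response client authentication, and what an attacker can do with a
key (or a key-hiding routine) lifted out of a downloadable client.

Constructed example: the server is in-process, the 'shipped binary' is a byte
string built below, and every key and identifier is made up.
"""
import functools
import hashlib
import hmac
import secrets
import time

# Assumption: the client proves it is the genuine app with HMAC-SHA256 over a
# server nonce.  The article describes RSA/ECC signatures instead; the argument
# is identical because either way the signing material ships inside the client.
APP_ID = "com.example.statsapp"                                   # hypothetical
EMBEDDED_KEY = bytes.fromhex("7f3a9c1e5b2d4806a1c3e5f7091b3d5f")  # constructed

# Constructed stand-in for the downloadable app image: the key sits in it as a
# plain 16-byte constant, which is what decompiling the real thing turns up.
SHIPPED_BINARY = b"\x7fELF...code...APIKEY=" + EMBEDDED_KEY + b"...more code..."


class ApiServer:
    """Issues single-use nonces and checks the client's response to them."""

    NONCE_TTL_SECONDS = 30

    def __init__(self, registered_clients):
        self._keys = dict(registered_clients)  # app_id -> shared key
        self._pending = {}                     # nonce -> (app_id, issued_at)

    def challenge(self, app_id):
        if app_id not in self._keys:
            raise KeyError("unknown client")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (app_id, time.monotonic())
        return nonce

    def verify(self, app_id, nonce, response):
        # Pop, so a captured (nonce, response) pair cannot be replayed.
        entry = self._pending.pop(nonce, None)
        if entry is None or entry[0] != app_id:
            return False
        if time.monotonic() - entry[1] > self.NONCE_TTL_SECONDS:
            return False
        expected = hmac.new(self._keys[app_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key, nonce):
    """The genuine app's side of the exchange."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def extract_key(binary, marker=b"APIKEY="):
    """Stand-in for the decompile step: locate the 16-byte key constant."""
    start = binary.index(marker) + len(marker)
    return binary[start:start + 16]


def authenticate(server, respond):
    """Run one challenge-response round with whichever responder is supplied."""
    nonce = server.challenge(APP_ID)
    return server.verify(APP_ID, nonce, respond(nonce))


def replay_attack(server):
    """Capture one genuine exchange and present the same response a second time."""
    nonce = server.challenge(APP_ID)
    response = client_respond(EMBEDDED_KEY, nonce)
    first = server.verify(APP_ID, nonce, response)   # genuine use, accepted
    second = server.verify(APP_ID, nonce, response)  # same pair again, rejected
    return first, second


def demo():
    server = ApiServer({APP_ID: EMBEDDED_KEY})
    genuine = functools.partial(client_respond, EMBEDDED_KEY)
    # Attacker 1: decompiled the app and recovered the raw key bytes.
    extracted = functools.partial(client_respond, extract_key(SHIPPED_BINARY))
    # Attacker 2: could not read the key (say it is white-boxed) but lifted the
    # whole response routine into a cloned app and calls it as a black box.
    lifted = genuine
    wrong = functools.partial(client_respond, b"\x00" * 16)
    return {
        "genuine_app": authenticate(server, genuine),
        "extracted_key": authenticate(server, extracted),
        "lifted_routine": authenticate(server, lifted),
        "wrong_key": authenticate(server, wrong),
        "replay": replay_attack(server),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} accepted={result}")
```

Run it and all three responders are accepted: the server cannot tell the genuine app from a clone holding the extracted key, nor from a clone that simply calls the lifted response routine without ever knowing the key. Only the wrong key and the replayed response fail. That is exactly what challenge-response buys (no replay, no static credential on the wire) and what it does not (it says nothing about who is holding the key or the routine), which is why the anti-tamper layer described above is needed on top of key hiding.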
Establishing a secure ecosystem
To truly keep their applications safe, developers need to ensure not only that they themselves are addressing the major security concerns and deploying advanced defensive techniques, but that all connected third parties are as well. Even if an application is protected by white-box cryptography and other strong measures, it will count for little if an attacker can break into a weaker partner and take its cryptographic keys, because the partner's credentials open the same doors. If developers can make sure the ecosystem around their app is secure, they can enjoy the benefits of limitless interconnectivity without exposing their users to attack.
Mark Noctor, VP EMEA at Arxan Technologies
Image Credit: Jeshoots / Pixabay