Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to Upwardly Mobile, where we really get into
the nuts and bolts of mobile app and API security.
Speaker 2 (00:07):
Keeping you up to speed on what's happening out there.
I'm George and I'm Sky.
Speaker 3 (00:11):
It's well, it's crucial.
Speaker 2 (00:12):
To stay informed, especially for developers and security folks.
Speaker 1 (00:15):
Absolutely, today we're looking at something pretty significant, a big
threat hitting mobile users, specifically targeting crypto wallets.
Speaker 2 (00:23):
Right, we're talking about a major crypto phishing campaign that
actually showed up on the Google Play Store.
Speaker 1 (00:28):
Yeah, and it really shines a light on some, let's say,
persistent myths about mobile app security, things we maybe take
for granted.
Speaker 3 (00:36):
Exactly, it's more than just crypto.
Speaker 2 (00:38):
It's about how attackers use trust, how they use these,
you know, seemingly safe platforms. It makes you rethink your defenses.
Speaker 1 (00:45):
Okay, so let's unpack this crypto phishing campaign first. What
exactly happened? Who spotted it?
Speaker 2 (00:50):
Well, it was Cyble Research and Intelligence Labs, CRIL. They
found, get this, over twenty malicious...
Speaker 1 (00:57):
Apps. Twenty, on the Play Store, on...
Speaker 2 (00:59):
The Play Store, and they were all specifically designed to go
after crypto wallet users.
Speaker 1 (01:05):
Wow, okay, twenty apps getting past Google's checks. Yeah, that's concerning.
So how did the attack actually work? What was the method?
Speaker 2 (01:13):
It was basically classic phishing, but very well disguised.
Speaker 3 (01:16):
Impersonation was key.
Speaker 2 (01:18):
Impersonating what? Legitimate, popular crypto wallets. Think SushiSwap, PancakeSwap,
Hyperliquid, Raydium, the names people know and trust. Okay.
And they didn't just use the names, they used the
actual icons from the real apps. So at first glance
they look totally legit. Builds instant but false trust.
Speaker 1 (01:38):
You know, right, that makes sense. So the user downloads
it thinking it's the real deal. Yeah, then what? What's
the killer move?
Speaker 2 (01:44):
Once you install it, the app hits you with a prompt.
It asks for your twelve word mnemonic.
Speaker 1 (01:49):
Phrase. Oof, the recovery phrase. Exactly.
Speaker 3 (01:52):
The keys to the Kingdom.
Speaker 2 (01:53):
It looks like a normal wallet setup screen, but the
moment you type that phrase in it's game over.
Speaker 3 (01:58):
How so? Well, that goes straight to the attackers. They
immediately use it to access...
Speaker 2 (02:02):
Your real wallet and just empty it, drain all the crypto.
Speaker 1 (02:05):
And with crypto, that's usually irreversible, right? Not like calling
your bank.
Speaker 2 (02:09):
Precisely, that's the sting. The immutability feature, designed for security,
works against you here.
Speaker 3 (02:15):
Once it's gone, it's gone.
Speaker 2 (02:17):
No chargebacks, no central authority to appeal to. You're pretty
much on your own.
Speaker 1 (02:22):
A harsh lesson in self custody risks.
Speaker 2 (02:25):
Okay, so how did these apps even get onto the
Play Store? And did CRIL find any patterns connecting them?
Speaker 1 (02:31):
This is the really disturbing part. They used compromised or,
like, repurposed developer accounts.
Speaker 3 (02:36):
What do you mean, repurposed?
Speaker 1 (02:37):
Well, some of these accounts actually used to host legitimate apps: games,
video downloaders, things like that. Some even had, like, over
one hundred thousand downloads.
Speaker 2 (02:46):
Historically, so they had built-in credibility. Exactly.
Speaker 1 (02:49):
It suggests attackers took over existing accounts, maybe bought them,
maybe hacked them, to piggyback on that established trust. Makes
them harder to spot.
Speaker 3 (02:57):
Sneaky.
Speaker 2 (02:58):
Were there technical clues linking these apps, like code similarities
or infrastructure?
Speaker 1 (03:02):
Oh, definitely. CRIL found consistent patterns. Yeah. For instance, the
phishing command-and-control, the C&C URLs, were often
hidden inside the app's privacy policy.
Speaker 3 (03:11):
Text. Clever, hiding in plain sight.
Speaker 2 (03:13):
Yeah, and they reused package naming conventions. Lots of them
also used something called...
Speaker 3 (03:18):
The Median framework.
Speaker 2 (03:19):
Median framework. It's basically a tool to quickly wrap a
website into an Android app. So they'd just load their
phishing website directly into an app's WebView component. It's
like a mini browser inside the app. Super efficient for them, like...
Speaker 1 (03:32):
An assembly line for malicious apps. Yeah, and was this
just a few random developers, or something bigger?
Speaker 3 (03:38):
It looked bigger, much bigger.
Speaker 1 (03:40):
Yeah.
Speaker 2 (03:40):
When they dug into the IP addresses hosting these phishing URLs, yeah,
they found links to over fifty other phishing domains hosted
on the same infrastructure.
Speaker 1 (03:49):
Wow.
Speaker 2 (03:50):
Yeah, it points to a really centralized, coordinated operation. Makes
it much harder to detect and take down, because it's
so distributed yet centrally managed.
Speaker 1 (03:58):
Okay. That level of organization is definitely sobering. It really
sets the stage for looking at those broader security myths
you mentioned. This whole incident kind of blows some of
them up, doesn't it?
Speaker 3 (04:08):
It really does.
Speaker 2 (04:09):
Let's start with a big one, myth number three in
some lists, I think: the idea that mobile app stores
guarantee security.
Speaker 1 (04:16):
Right, it's on the App Store, Play Store, so it must
be safe. Exactly.
Speaker 2 (04:20):
Developers and users often rely heavily on that. They assume
the store's review process catches everything bad.
Speaker 1 (04:25):
But clearly, as this case shows, that's not foolproof. How
do things still slip through, even with Apple's and Google's
massive efforts?
Speaker 2 (04:34):
Well, despite those efforts, despite the stringent checks, malicious apps
find ways in. It's a constant cat-and-mouse game.
We've seen it before, right? Remember back in twenty nineteen,
Android apps with millions of downloads had malware.
Speaker 1 (04:48):
I do remember that. Or even...
Speaker 2 (04:49):
On iOS, remember those seventeen apps Apple had to pull?
They had clicker trojan malware doing ad fraud silently in
the background.
Speaker 1 (04:56):
Right. So the stores are a first line of defense,
maybe not...
Speaker 3 (05:00):
The only line. Exactly.
Speaker 2 (05:01):
Not an impenetrable fortress. Users, developers, everyone still needs to
be vigilant. Due diligence is key.
Speaker 1 (05:06):
Okay, good point. What about myth number one, the idea
that hackers only go after the big, popular apps?
Speaker 2 (05:13):
Yeah, the logic is, why target my small app when
they could go after Facebook?
Speaker 1 (05:17):
Makes intuitive sense, I guess. Bigger user base, bigger payoff.
Speaker 2 (05:20):
You'd think so. But the reality is less popular apps
are definitely targets. Sometimes they're even easier targets, the low-hanging
fruit, as they say. Why is that? Because they
might have weaker security, maybe fewer resources spent on it.
But if an app handles any sensitive data, financial info,
health records, personal details, it's valuable to attackers, regardless of
(05:41):
how many users it has. The combined value from many
smaller breaches can still be huge.
Speaker 1 (05:46):
So obscurity isn't security. Even niche app developers need to
be on high alert.
Speaker 3 (05:51):
Absolutely, maybe even more so.
Speaker 1 (05:53):
Okay, let's tackle two myths together then, myths two and five.
Basically the idea that Android is the wild west and
iOS is Fort Knox.
Speaker 2 (06:01):
Ah, yes, a classic platform debate. Android's open, so it
must be less secure than Apple's closed garden.
Speaker 1 (06:07):
That's the common perception, yeah, but it's, well, it's...
Speaker 3 (06:09):
More nuanced than that.
Speaker 2 (06:10):
Both platforms have their own vulnerabilities. It's actually interesting. There
was a period where exploit brokers like Zerodium started paying
more for Android zero-days than for iOS. It suggested
Android's security had actually improved quite a bit, making those
critical exploits harder to find.
Speaker 3 (06:27):
Meanwhile, the market for...
Speaker 2 (06:28):
iOS exploits was, let's say, a bit saturated at the time.
Speaker 1 (06:32):
So iOS isn't untouchable either. What kind of things have
hit iOS?
Speaker 2 (06:35):
Oh, definitely not untouchable. Think about the Pegasus spyware. That
thing has been around since twenty eleven, targeting iOS versions
right up to, like, fourteen...
Speaker 1 (06:43):
Point seven. Right, the NSO Group stuff, and...
Speaker 2 (06:46):
Google's Project Zero found those watering hole attacks targeting iPhones.
Just visiting a hacked website could compromise the phone. Sorry,
and remember that iMessage bug in twenty twenty? A
text message could allow remote code execution, no user interaction needed.
Speaker 1 (07:02):
Okay, okay. So the takeaway for developers building on either platform...
Speaker 2 (07:05):
Is: don't just rely on the platform's marketing hype about security.
You have to build security in yourself. Go above and beyond,
regardless of whether it's iOS or Android. Neither one gives
you a free pass.
Speaker 1 (07:15):
Got it. Let's move to myth number four: only jailbroken
or rooted devices are really at risk, right?
Speaker 2 (07:21):
The idea that if you haven't messed with the operating system,
you're basically safe from the nasty stuff, which...
Speaker 1 (07:26):
Sounds reasonable, because rooting or jailbreaking does disable security features.
Speaker 2 (07:32):
It absolutely does increase risk, no question. But it's a
dangerous oversimplification to think only those devices are vulnerable.
Speaker 1 (07:40):
So standard, non-rooted phones are still targets? For what
kind of thing?
Speaker 2 (07:44):
Oh, absolutely. Think about malware like EventBot back in
twenty twenty. It targeted regular Android devices, stole banking info,
and didn't need root access at all. Okay, and then
you have phishing, which works on any device if the
user clicks the link. Network attacks, supply chain issues, these
affect everyone, rooted or not.
Speaker 1 (08:03):
So protecting against rooted devices is one thing, but your
security strategy needs to cover all devices. Precisely.
Speaker 2 (08:09):
You can't ignore the vast majority of users who haven't
rooted their phones.
Speaker 1 (08:13):
Okay, final myth for this section, myth number six. Yeah,
just using HTTPS for your API back end is enough
security for your mobile app?
Speaker 3 (08:20):
Ah, the HTTPS one. This one is so common, and kind
of understandable.
Speaker 1 (08:25):
Because HTTPS means encryption, right? Data is protected in transit.
Speaker 2 (08:29):
It does mean encryption in transit, yes, and HTTPS is
absolutely fundamental. You must use it. But thinking it's the
only thing you need, that's where the problem lies. It's
just one piece of the puzzle.
Speaker 1 (08:39):
So if the traffic is encrypted, where's the gap? How
can attackers still get in?
Speaker 3 (08:44):
Well?
Speaker 2 (08:44):
HTTPS only protects the data while it's traveling between the
app and the server. It does nothing about vulnerabilities in
the app itself, like bad code. Exactly. Or runtime attacks,
or someone messing with the app while it's running on
the device. Instrumentation frameworks like Frida. Okay. And even man-
in-the-middle attacks can sometimes still work against HTTPS
(09:06):
if the implementation is weak, like using old protocols, having
certificate issues, or if the certificate pinning isn't done right
or dynamically updated.
Speaker 1 (09:14):
And what about just reverse engineering the app to see
how it talks to the API?
Speaker 2 (09:18):
That too. Attackers can often pull the app apart, see
the API calls, figure out how to make them, and
then just script attacks against your back end. HTTPS doesn't
stop them from learning how to talk to your API,
or from replicating legitimate requests from a script or bot.
Remember that Jaumie Guard a provider app. It used HTTPS
but still had issues allowing MITM attacks.
Speaker 1 (09:39):
So even with HTTPS, sensitive data like usernames, passwords, API keys
stored insecurely in the app, they can still be extracted or...
Speaker 2 (09:48):
Abused. Absolutely. If the app itself isn't secure, if the
API doesn't validate who or what is calling it, HTTPS
alone won't save you.
Speaker 1 (09:56):
It really drives home the need for layered security. And
so what's the bottom line for developers on this one?
Speaker 2 (10:02):
You need more secure coding inside the app, definitely. Input
validation is critical, proper access controls on the API, encrypting
sensitive data stored on the device, regular security testing, and crucially,
ways to ensure the API call is coming from a genuine,
untampered instance of your app.
Speaker 1 (10:17):
Okay, that makes sense. So we've covered the attack, debunked
some pretty common myths. Now let's pivot to solutions. What
does all this mean for you, the listener, whether you're
building apps or just using them? Let's talk defense strategy
for the average user first. What are the key practical steps?
Speaker 2 (10:35):
Okay, for users? Number one, be really careful where you
get your apps. Stick to official stores, yes, but even
then, check the developer, look at reviews, publisher details, download counts.
Be skeptical.
Speaker 1 (10:47):
Especially with crypto apps, it seems. Definitely.
Speaker 2 (10:50):
And number two, absolutely critical: never, ever enter super sensitive
info like that twelve-word recovery phrase unless you are
one hundred percent sure it's the real, legitimate app. Best practice:
go to the official website of the wallet service and
use their link to find the app. Don't just search
the store blindly. Good advice.
Speaker 1 (11:06):
What else? Basic digital hygiene?
Speaker 2 (11:08):
Yeah, the fundamentals still matter hugely. Use good antivirus
or security software on your phone and other devices. Use strong,
unique passwords everywhere. Enable multi-factor authentication, MFA, wherever you
possibly can.
Speaker 1 (11:21):
Like authenticator apps or hardware keys?
Speaker 2 (11:23):
Exactly. Use biometrics, fingerprint, face unlock, on your phone,
and just be super wary of links in texts or emails.
Phishing is still incredibly effective. Oh, and for Android users,
make sure Google Play Protect is turned on. It does
provide a layer of scanning, the...
Speaker 1 (11:40):
Solid checklist for users.
Speaker 3 (11:41):
Yeah.
Speaker 1 (11:41):
Now let's switch hats. For the mobile developers listening, working
across iOS, Android, maybe cross-platform like Flutter or React Native,
what are the actionable takeaways for them to really secure
their apps and APIs?
Speaker 2 (11:54):
For developers, the mindset has to shift. Security isn't something
you tack on at the end; it has to be baked in
from the start, throughout the entire development life cycle.
Speaker 1 (12:03):
And recognizing that some traditional defenses aren't enough...
Speaker 2 (12:06):
Anymore. Precisely. Things like basic code obfuscation.
Speaker 3 (12:09):
Sophisticated attackers can...
Speaker 2 (12:11):
Often get around that relatively easily these days. You need
to think about protecting the app dynamically, while it's running.
Speaker 1 (12:16):
Okay, so what kind of dynamic runtime security are
we talking about?
Speaker 2 (12:19):
We're talking about implementing things like RASP, runtime application
self-protection. RASP? Yeah, it helps the app detect and
respond to attacks while it's running. Also things like runtime
secrets protection, to shield API keys or sensitive data within
the running app, and dynamic certificate pinning, which is stronger
than static pinning. These protect the app and its data
(12:40):
in its actual operating environment, which is where many attacks
now focus.
Speaker 1 (12:44):
Makes sense, protect the app itself. What about protecting the
API on the other end, ensuring it's only talking to
legitimate instances of your app, not bots or modified versions?
Speaker 2 (12:54):
That's where app attestation comes in. It's becoming really crucial.
Speaker 1 (12:58):
Explain app attestation briefly.
Speaker 2 (13:00):
Sure. It's basically a mechanism for your back-end API
to verify the integrity of the app that's calling it.
Is it the genuine, untampered version of your app running
on a safe device, or is it a clone, a
tampered version, or just a script hitting your API directly?
Speaker 1 (13:15):
So it proves the app itself is trustworthy before the
API responds. Exactly.
Speaker 2 (13:19):
You combine app attestation with token-based API access. The
app proves its integrity, gets a short-lived token, and
uses that token to make API calls. This is vital
for blocking bots, scrapers, modified apps, all sorts of automated
abuse that bypasses simple API key checks.
Speaker 3 (13:37):
It enforces that trust.
Speaker 1 (13:38):
Boundary. That sounds like a critical layer, especially given everything
we've discussed. And speaking of solutions that enforce trust boundaries,
this episode of Upwardly Mobile is proudly sponsored by Approov.
Approov specializes in mobile app attestation and API security.
Speaker 2 (13:54):
Right. They help ensure that only genuine mobile app instances
can access your APIs, effectively blocking automated attacks and unauthorized
data access. It raises the bar significantly.
Speaker 1 (14:04):
You can learn more about how Approov secures mobile apps
and APIs at approov.io. So as we wrap up,
it's really clear, isn't it? The mobile security landscape just
keeps shifting.
Speaker 2 (14:13):
Constant vigilance is needed, absolutely, from developers, from users, from
everyone involved.
Speaker 3 (14:18):
This whole phishing campaign is just another reminder.
Speaker 1 (14:20):
It really makes you think, though, if even the official
app stores aren't completely safe and attackers are getting so
good at exploiting trust...
Speaker 2 (14:28):
Yeah, it poses a tough question, doesn't it. How much
responsibility falls on the developer to build apps that are
inherently resilient, almost assuming a hostile environment, and how much
is on the user to be perpetually skeptical? Where's that balance?
Speaker 1 (14:44):
That is a deep question. Is perfect security even possible?
Or is it just this continuous process, this ongoing journey
of adaptation.
Speaker 2 (14:52):
A journey, definitely. And it forces you, whether you're building
or using this tech, to constantly ask: am I doing enough?
What do I need to change in my approach to keep up?
Speaker 1 (15:01):
Something important for all of us to consider. Thanks for
joining us for this look into mobile app and API security.
Speaker 3 (15:06):
Stay safe out there.
Speaker 1 (15:08):
This episode of Upwardly Mobile was made with human sources,
assisted with AI.