Are Apps Becoming Gateways for Cybercrime?

Sarah Morris

Editor's note: This article originally appeared in Brink.

How we travel and where we can go now depends on a smartphone. Freedom of movement is app-based.

This is a major change in the mechanics of doing business and our everyday lives that was drastically accelerated by COVID-19 and the need for touch-free access. Apps can make access quicker and easier to manage for events, venues, buildings and transport of any kind. And they can make business operations cheaper. 

But relying on apps also opens up a much wider front across society in the battle with cybercriminals. The fundamental issue is that the more widely used an app is, the bigger and more attractive the target. 

Reportedly, hackers “defeated” Microsoft’s recent attempts to make a new hardware component compulsory for Windows 11 within the space of 30 minutes. The U.K.’s National Health Service Test and Trace app was immediately ripped apart to explore the data waiting there. It can be done for the fun of it, to purposely cause damage to organizations, or as the basis for extorting money or committing fraud. An app-based life encourages a mix of criminal activity with a kind of gaming, offering an ongoing series of challenges to test skills.

The Risk of Loss of Trust

The danger in this is the potential for customer-facing systems to become plagued by chaos and suspicion. A snowballing of minor issues with entry and disrupted plans could create a lack of public trust in digital COVID-19 evidence, for example, leading to an ongoing sense of insecurity when traveling or in other public places.

In practice, the use of app-based access is so fundamental to commercial activities that cybersecurity is being ramped up and will stay at the top of priority lists. When there are problems, there will be “patches.”

But that doesn’t mean there are solutions on the horizon. For the foreseeable future, the reputation of digital access is going to be involved in a constant battle, with another crisis for major brands always just around the corner.

The World Needs IT Talent — Lots of It

In the U.S. alone, figures suggest a shortage of more than 464,000 cybersecurity specialists. We might have skilled staff, but do we have skilled, creative, highly motivated people willing to keep up the relentless fight? 

The flaw at the heart of app design is human. App security is only as strong as the human team involved, and experience shows that, over time, people become predictable. They have their favorite ways of putting code together, meaning patterns of code, data structures and file locations that can be more easily anticipated and taken apart. Walls that look solid to organizations can be riddled with entry points.

We need freewheeling creativity to stay ahead. Rather than working in silos, software engineers should be embedded alongside the security experts. Start with the security element.

Layering on Security

There are approaches that businesses can take to make their “access” offerings less vulnerable. Fraud is made harder by as much layering of elements as possible — where each element has to be simulated. So, for an e-ticket, that might involve including both a QR code and an animated logo, for example. 

There are other tactics, like removing the ability to take screenshots while an app is open or making sure digital tickets require registration linked to an email account or a personal digital device. 

In principle, apps on specific devices can be made safer than web-based purchases, which are based only around an online user account, with stored information “controlled” by the browser. Sometimes the website might note location, or there might be two-factor authentication, but there is still a more limited number of potential factors for securing information. An app on a fixed device can keep information there and tie itself to that device.
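
The layering described in this section, as an added example that is not part of the original article: a ticket is accepted only if it is presented by the device registered at purchase and carries a short-lived rotating code, so each layer has to be reproduced separately. The HMAC-based code, the 30-second window, and all names and sample values are assumptions made for illustration, and the sketch goes beyond the article's QR-plus-logo case.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30  # assumed rotation period for the displayed code


def device_key(server_secret: bytes, ticket_id: str, device_id: str) -> bytes:
    """Per-ticket, per-device key, provisioned to the app at registration."""
    msg = b"\x00".join([ticket_id.encode(), device_id.encode()])
    return hmac.new(server_secret, msg, hashlib.sha256).digest()


def rotating_code(key: bytes, now: float) -> str:
    """Code the app renders (for example inside the QR) for the current window."""
    counter = struct.pack(">Q", int(now) // WINDOW_SECONDS)
    return hmac.new(key, counter, hashlib.sha256).hexdigest()[:16]


def verify_at_gate(secret, registrations, ticket_id, device_id, code, now, used):
    """Check each layer separately so a rejection names the layer that failed."""
    if registrations.get(ticket_id) != device_id:
        return "reject: ticket not registered to this device"
    key = device_key(secret, ticket_id, device_id)
    # Accept the current and the previous window to tolerate clock skew.
    valid = [rotating_code(key, now - d) for d in (0, WINDOW_SECONDS)]
    if not any(hmac.compare_digest(code, v) for v in valid):
        return "reject: stale or forged code"
    if ticket_id in used:
        return "reject: ticket already redeemed"
    used.add(ticket_id)
    return "accept"


def demo():
    """Constructed sample data: one ticket registered to one device."""
    secret = b"constructed-demo-secret"
    regs = {"TCK-1001": "device-A"}
    used = set()
    key = device_key(secret, "TCK-1001", "device-A")
    t0 = 1_700_000_000
    screenshot = rotating_code(key, t0)  # code as captured in a screenshot
    gate = lambda dev, code, now: verify_at_gate(
        secret, regs, "TCK-1001", dev, code, now, used)
    return [
        gate("device-B", screenshot, t0),        # wrong device
        gate("device-A", screenshot, t0 + 300),  # screenshot shown later
        gate("device-A", rotating_code(key, t0 + 300), t0 + 300),  # live app
        gate("device-A", rotating_code(key, t0 + 310), t0 + 310),  # reuse
    ]
```

Logging the rejection reason at the gate also feeds the fraud investigation discussed in the next section, since it records which layer a failed attempt could not reproduce.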

Apps Offer a Greater Range of Security Than Browsers

Companies should be making full use of the advantages of apps for security. There are additional avenues for tracking down how fraud has occurred: for example, checking app logs, contacting customers to check whether devices have been lost or stolen, or looking at data on whether cybercriminals have managed to generate the ticket in the app, built a separate app, or used a combination.

There is the opportunity to make use of biometrics and additional passwords, again used as layers on top of basic user accounts for the product. 

App security can be built up by prompting permission requests from the device (location, phone number, unique serial information and other user data) to validate activity, identify fraudulent activity and catch criminals. 

We’re going to be using our smartphones as a kind of passport for free movement, locally and internationally. That means this is an issue for whole societies to think about. We’re all going to have to start thinking about the part we play in the battle, how to add to the pipeline of cybersecurity talent and what’s needed to keep us all moving.
