Threats / 06 Mobile app fraud
A guide to mobile application protection
Mobile app fraud in practice
Location spoofing
Many apps restrict functionality and content, or provide certain benefits, based on location. As a result, users may attempt to spoof (fake or alter) their apparent location.
Let’s take a look at some examples:
A bank offers a specific account or card which is only available to customers in a particular location. This is the reason you’ll often see banks asking you to turn on your location service on your device - that way they can verify whether you’re eligible for the program. So, if someone wanted to open an account illegally that wasn’t designed for them, they’d be able to do so by spoofing their location on the device.
Another real-world example of location spoofing that you might be familiar with is Pokémon GO. It’s a mobile game that uses location tracking and mapping technology to create an augmented reality where players catch and train Pokémon characters in actual locations. The game, played in the spirit originally intended, requires players to travel somewhere to look for and capture a Pokémon. But for years now fraudsters have been spoofing their location to cheat the system. That means they get to capture Pokémon without actually going anywhere.
People can also spoof their location to unlock and access premium content. Netflix, Amazon Prime, and Disney Plus, among others, are often targeted via location spoofing so that fraudsters are able to view movies or series that are unavailable in their actual location.
How users actually do so will depend on how the app derives its information on the user’s location. Their approach might therefore involve any of the following:
- Using a VPN or proxy server to mask their IP address with a valid alternative
- Using hardware or software tools to modify GPS data
- Using a device’s inbuilt ‘mock location’ feature to provide fake GPS data
- Using dynamic instrumentation tools to modify data directly as it is processed by the target app
Device Spoofing
Device spoofing is a technique used by those who want to convince an app that they’re using a real, physical mobile device, when actually they’re not. Instead, they’re using emulators or virtual devices that have been modified and configured to mimic the specifications and behavior of a mobile device. In Android, for example, it’s possible to modify the fingerprint, system properties, and user agents of an emulator using the setprop utility from the OS so that it gets recognized as a valid, physical mobile device by your mobile application or its backend system.
As with location spoofing, mobile games are a common target for fraudsters using device spoofing. By running an emulator on their computer, fraudsters get better game controls via their keyboard, mouse, or joysticks, which lets them beat other players who are using their mobile devices. An emulator can also be used to spoof the location in location-based mobile games. And for tech-savvy fraudsters, emulators can also be used to facilitate cheating or hacking of the mobile game itself.
Bad actors can also use emulators and virtual devices to deplete your mobile ads budget significantly. By setting up a device farm full of emulators, they can run a bot or automation script inside it to automatically click on advertisements in your mobile app. These bots may also end up giving you a false impression of users, click rates, and overall growth. A rapid rise in engagement might actually be a result of actions carried out by controlled “zombies” instead of real human users.
App cloning
By carrying out app cloning, fraudsters can trick you into believing that they’re using a genuine instance of your mobile application. They can clone your app by attempting to reverse-engineer, build, and redistribute a modified version of it to public app stores (Google Play and Apple App Store). Or they can create a custom container that wraps your application inside - known as app wrapping or virtualization-based repackaging - and distribute it publicly.
A big motivation for bad actors cloning your mobile application is the ability to spread malicious code and to trick your end users - especially non-technical ones - into thinking it’s the real deal. Bad actors can use malicious code to extract sensitive information from your users, such as authentication credentials or payment or financial information. In addition, cloning attempts can also enable fraudsters to extract intellectual property from your application and monetize it elsewhere.
SIM swapping
SIM swapping is a technique used by fraudsters that attempts to convince the mobile network operator to issue a new SIM card and associate it with an existing phone number and account. It’s achieved via social engineering, forged or stolen identities, or insider attacks performed by trusted employees. If successful, the bad actor might be able to obtain SMS messages or hijack phone calls intended for someone else.
While SIM swapping may not directly target or involve your mobile app, it can still have a big impact depending on how your authentication system is designed. If your business relies on your mobile application as the primary touchpoint or storefront, and you require your customers to authenticate using their phone number on the app, then SIM card swap fraud can pose a severe threat to your business. After all, via SIM swapping bad actors can take over your end user’s account and perform unauthorized transactions or extract sensitive information.
What can attackers achieve with mobile app fraud?
User Data Theft
Sensitive information leakage is one of the most likely risks in mobile app fraud. Take app cloning fraud, for instance, which can be leveraged to extract sensitive information from your users who download a bogus app and share their credentials. Through app cloning, fraudsters repackage or wrap your app and inject malicious code to track your end user’s input on authentication or payment screens. Then they can sniff network traffic from your app and send it to their command & control (C&C) servers.
SIM swap fraud can also be leveraged to steal sensitive information from your end users. By taking over their phone numbers, attackers can intercept all messages containing OTPs or tokens used to authenticate to your app.
Abuse of Restricted Functionalities
Accessing premium or privileged content
Imagine your business offers some premium content for free via your app for end users who live in a particular region or location. Other users living outside that region would have to pay to access it. Fraudsters might try to cheat this system by spoofing their location. And so without any protection they’d be able to unlock premium content without needing to pay, denying you potential revenue.
Then there are the softer initial results of fraud that can grow over time to have a really negative impact further down the line. Device spoofing, as we’ve covered, is where players use emulators to gain an unfair advantage over those playing your mobile game the way you intended it to be played. This activity can lead to a resentful environment and increasing levels of churn among your loyal players, which will contribute to a drop in your revenue.
Prevention and Mitigation
Secure Development
Prohibit the use of VPNs and verify whether the location has been simulated
Fraudsters often use VPNs or proxy servers located in other regions to fool location checking systems. They also use location spoofing apps to send fake or simulated location data to the system. Fortunately, preventing location spoofing fraud isn’t as difficult as you might imagine. Blocking the usage of VPN services or proxy servers is effective. And both iOS and Android provide APIs that you can use to verify if the current device location is mocked or simulated.
Implement MFA and device binding
The last few years have seen all of us walking a delicate tightrope between convenience and security. One such example is the ability to authenticate your app using your own phone number without having to create a new account with your e-mail account. But this convenience carries risk with it. SIM swap fraud targets these types of apps or systems.
To prevent SIM swap fraud, the emphasis should be on improving your authentication system, for example by enabling multi-factor authentication with one-time passcode apps (such as Google Authenticator), hardware tokens, or biometrics. Another option is to implement device binding: a one-device-per-account policy. In other words, a successful authentication would require access to both the phone number and the tied device itself.
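The device-binding policy described above, sketched from the backend's point of view as an added example (not code from this guide). The class and function names are hypothetical, and a shared HMAC key stands in for the hardware-backed key pair a production app would enroll.

```python
import hashlib
import hmac
import secrets


class BindingServer:
    """Server side of a one-device-per-account policy (illustrative names)."""

    def __init__(self):
        self.device_keys = {}   # account -> key enrolled by the bound device
        self.challenges = {}    # account -> outstanding single-use nonce

    def enroll(self, account):
        # Assumption: runs once, after strong verification of the user. A real
        # app would register a public key generated in hardware-backed storage;
        # a shared HMAC key stands in for it here.
        if account in self.device_keys:
            raise ValueError("account already bound to a device")
        key = secrets.token_bytes(32)
        self.device_keys[account] = key
        return key

    def challenge(self, account):
        nonce = secrets.token_bytes(16)
        self.challenges[account] = nonce
        return nonce

    def login(self, account, otp_ok, proof):
        # pop() makes the nonce single-use, so a captured proof cannot be replayed.
        nonce = self.challenges.pop(account, None)
        key = self.device_keys.get(account)
        if not otp_ok or nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def device_proof(key, nonce):
    """What the bound device computes over the server's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()
```

A caller who controls the phone number after a SIM swap can satisfy `otp_ok` but cannot produce a valid `proof`, so `login` returns `False`.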
Secure Runtime Environment
Block virtualized environments
Dynamic repackaging and device spoofing rely on software-based execution environments, known as virtualized environments (which we’ve also covered in this guide). Location spoofing fraud is also often performed via spoofed or non-authentic devices. To protect your app against these attacks, you should make sure that you use a security solution that’s capable of checking for and blocking any attempt to run it in such environments.
Application Integrity and Anti-Tampering
Implement tamper proofing controls
Fraudsters will often attempt to modify and repackage your application and then distribute it publicly. There’s a chance that your end users may find this bogus version of your app and download it. And then they’d enter their credentials in this app - sensitive information that attackers can steal. This is one of the most important reasons for you to equip your application with a security solution that contains an anti-tampering mechanism to prevent modification. For example, one that can verify the checksum of the contents inside your application binary at runtime.
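The checksum comparison mentioned above, shown as an added example that is not part of this guide or of any product's implementation. It runs outside the app on a constructed in-memory ZIP standing in for an application package; all file names and contents are placeholders.

```python
import hashlib
import io
import zipfile


def entry_digests(archive_bytes):
    """Map each entry name in a ZIP-format package to its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}


def find_tampering(archive_bytes, pinned):
    """Compare a package against digests pinned at build time."""
    actual = entry_digests(archive_bytes)
    return {
        "modified": sorted(n for n in pinned if n in actual and actual[n] != pinned[n]),
        "missing": sorted(n for n in pinned if n not in actual),
        "added": sorted(n for n in actual if n not in pinned),
    }


def build_package(files):
    """Constructed sample input: an in-memory ZIP standing in for an app package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed data: file names and contents are placeholders, not a real app.
ORIGINAL = build_package({"classes.dex": b"release code", "res/config.json": b"{}"})
PINNED = entry_digests(ORIGINAL)
REPACKAGED = build_package({"classes.dex": b"release code + injected logger",
                            "res/config.json": b"{}",
                            "lib/extra.so": b"added payload"})

if __name__ == "__main__":
    print(find_tampering(ORIGINAL, PINNED))
    print(find_tampering(REPACKAGED, PINNED))
```

Reporting added entries as well as modified ones matters here, because a repackaged build can leave every original file untouched and still ship extra code.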