Mobile security should be different from PC security
2016.06.30.
Choi Myoung Kyu, CEO of Lockin Company
We are now in the heyday of mobile. For some time now, mobile has been showing off new and amazing technology, and it is changing our lives: for example, all the systems in our homes can be controlled from a mobile device. However, the security technology needed to do this safely is still stuck in the PC era.
The importance of mobile began to be highlighted with the advent of smartphones. When smartphones first appeared, people began calling them “PCs in your hand.” Naturally, there was a belief that if smartphones were secured in the same way as PCs, people would be able to use this amazing technology safely.
Since the explosion of PC-like end devices, hackers have been examining the source code of various programs through reverse engineering, and then duplicating or maliciously manipulating it. To prevent this, security teams have used various antivirus products, as well as management systems and obfuscation tools that scatter the source code and data flow structure to make analysis difficult. At the time, such technologies played a central role in effectively preventing hacking.
This approach ran into numerous problems as operating systems (OSs) other than those of PCs, and applications (apps) serving various functions, became the core of mobile. Hacking that targets these new OSs and apps emerged. Because existing methods such as antivirus products or management systems are means of protecting the device as a whole, they are inevitably insufficient to protect newly introduced apps.
Users obtaining device administrator rights themselves through rooting or jailbreaking, which makes it impossible for apps to run in a safe environment, was another factor that broke down the existing security system and gave rise to new hacking.
Ultimately, these problems enable the analysis, duplication, and forgery or alteration of the source code, which is the app's core design. This in turn leads to various problems such as repackaging and memory modification.
Recently, there have been attacks that disguise themselves as Android apps, install themselves on users' smartphones, and completely take over internal permissions. Increasingly sophisticated attacks are occurring, such as malicious adware that gets onto mobile devices in the form of advertisements and then controls the smartphones remotely. At the same time, tools that make hacking easy have appeared, and many people are attacking apps. Apple iOS has also suffered considerable damage from such app hacking.
Last year, in China, an iPhone app was distributed that had been developed with a copy of Xcode (Apple's development tool) downloaded from an unofficial website and infected with malware. In that attack, personal information such as Apple IDs and passwords, along with access rights, was stolen from approximately 100 million people.
Now that anyone can easily hack mobile devices and attack methods are becoming more sophisticated, security must be considered for each mobile OS from the app development stage. A dedicated organization must be formed to analyze structural vulnerabilities and respond to them, and an organization-level defense system must be established. In addition, education and research on security must be conducted continuously, expertise must be strengthened, and vulnerabilities must be remedied.
Because mobile apps have a short life cycle, technical and time constraints often make it difficult to form a dedicated security team. In such cases, it is recommended to introduce a specialized solution. Such a solution not only protects the app's source code but also provides various functions to prepare for all attacks targeting each app, such as forgery prevention, memory protection, and game engine protection. Its advantage is that it can protect apps comprehensively.
In addition, mobile security technology needs to be strengthened continuously with government-level support. Current policies on cyber risks focus on government-level response measures rather than prevention. Because such measures make it difficult to respond to and manage potential threats, a stable threat management system for mobile security must be established in advance and maintained continuously.
As time passes, mobile apps become more important, and the attacks targeting them become more intelligent. If we continuously analyze mobile apps and systematically build a security system that prepares for attacks, we can create a safer and more convenient mobile era.