Security Boulevard
Strategies to Stop Credential Stuffing Attacks on Mobile Apps

by George McGregor on November 18, 2024


Identity-based and social engineering attacks are surging in 2024. Stolen credentials give hackers immediate access and control… and an instant path to stealing data and orchestrating ransomware attacks. Credential stuffing attacks are the method of choice for hackers, so what are the steps you need to take to prevent them? 

This blog lays out the steps that mobile developers and security professionals must take to stop credential stuffing attacks and better protect mobile apps… and APIs.


What is Credential Stuffing?

Credential stuffing uses stolen login and password data to access user accounts. These credentials may be obtained by social engineering (for example, convincing users to share protected data), by direct exfiltration using malware tools, or by purchasing them on the dark web. In essence, these are brute-force attacks that try username/password pairs until some of the combinations work.

In fact, attackers don’t even need leaked, compromised, or stolen credentials. If an attacker can work out the format of the username/password pairs used by legitimate users of the app, and obtain the address of the server or API the app talks to, all they need is an automated tool that sends credential guesses to the targeted server. “Password spraying” is the term for attacks which try common passwords across many accounts in an effort to find a combination that works.

OWASP describes Credential Stuffing as “the automated injection of breached username/password pairs to fraudulently gain access to user accounts.”

With a match achieved, the attacker can then execute the next step of the attack, performing an account takeover on the victim’s account.

Some organizations try to stop credential stuffing attacks at the network level, hoping to spot an attacker sending malicious requests to the server. But attacks are getting more sophisticated and attackers rotate their IP addresses and Device IDs, and they use fake devices, emulators and more to hide their tracks. Network level protections are not an effective way to stop credential stuffing attacks.

Anatomy of a Mobile Credential Stuffing Attack

Sophisticated hackers build attacks in stages, and here’s how credential stuffing or Account Takeover (ATO) attacks typically work in mobile apps:

1. Obtaining Credentials: Attackers acquire large lists of username/password combinations from previous data breaches or the dark web. These credentials may not be from the targeted mobile app itself, but from other breached services. An attacker may not even need passwords: email addresses and password guesses may be enough.

2. Automated Login Attempts: Attackers use automated tools, bots, or scripts to attempt logins on the mobile app’s authentication endpoints. These tools can try thousands of login attempts per second. All the information needed to carry out the attack can be found inside the mobile app itself.

3. Bypassing Security Measures: The basic approach can be turned into advanced attacks by using techniques to bypass security measures such as:

  • Distributing login attempts across multiple IP addresses
  • Mimicking legitimate user behavior
  • Using device emulators or simulators to appear as genuine mobile devices

4. Successful Account Access: Even with a low success rate (often less than 1%), the sheer volume of attempts can lead to a handy collection of compromised accounts for the attacker.

5. Exploiting API Vulnerabilities: Attackers may also extract API endpoints, API keys and server information from the mobile app itself. This information is used to direct the automated login attempts to the correct servers. Well-known API vulnerabilities such as BOLA (Broken Object Level Authorization) can be tested to see if different users’ data can be accessed.

6. Account Takeover: Once access is gained, attackers can:

  • Extract personal information
  • Make unauthorized transactions
  • Use the account for further malicious activities including ransomware attacks

7. Scaling the Attack: Successful credentials are often used to attempt logins on other services, exploiting password reuse.

Credential stuffing attacks on mobile apps are particularly dangerous because they can exploit the app’s own API and authentication mechanisms, making them harder to detect and prevent compared to web-based attacks.

How to Prevent Mobile Credential Stuffing and Password Spraying Attacks

Let’s break down the types of defenses that must be on your plan of action. The steps to take are as follows, effectively in order of importance:

  1. User Education
  2. Take Steps to Protect Passwords
  3. Continuous Monitoring
  4. Implement Zero Trust Run Time Protection

The first two alone do not provide adequate defense, and the third is only useful if you can act immediately on the intelligence gathered. Only the fourth on the list is truly effective in blocking attacks. We look at each of them more closely in the following sections.

1. User Education

First on our list is to take every opportunity to educate your users about the risks of bad password hygiene including: 

  • The risks of password reuse
  • Using password managers
  • Encouraging the use of MFA on their accounts
  • How to recognize phishing attempts

2. Take Steps to Protect Passwords

Next on our list is to take care to protect passwords everywhere they are stored and communicated. This will include: 

  • Implement strong authentication measures (e.g., MFA, biometrics)
  • Use encryption for stored credentials and API information. Best practice for mobile banking apps is to use AES-256 encryption to encrypt all usernames/passwords stored inside the app
  • Use secure, HTTP-only cookies for session management
  • Make sure the channels which mobile apps use to communicate with backend systems and APIs are encrypted and pinned in order to prevent MitM attacks from stealing passwords or derailing MFA. 

3. Continuous Monitoring

You can’t protect against what you cannot see. You need real-time visibility of threats against your apps so that you can track new and evolving threats, be alerted immediately when credentials are abused, and see brute-force attacks as they unfold.

You should also monitor dark web forums for leaked credentials associated with your user base, to stay ahead of the hackers’ game.

By gaining this visibility you will in some cases be able to see threats before they become an issue. However, it is also essential to be able to act immediately; if you cannot, the data you have is worthless. It is equally essential to think about service continuity: how do you continue to provide service to genuine customers when issues arise? You must be able to immediately isolate and block problematic accounts and devices, and you should be able to immediately rotate API keys and other secrets when they need to be changed. Your security team should also be able to update security policies immediately as they see new threats evolve.
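The two brute-force signatures this section says you need to see as they unfold, a single source working through a credential list and a single account hit from rotating sources, as an added detection example that is not part of the original post; the sample events, the grouping on source IP and the thresholds are all constructed assumptions for illustration:

```python
from collections import defaultdict

# Constructed sample of login-endpoint events for this example, not real data:
# (seconds, source IP, username, outcome). The same grouping works on a reported
# device ID instead of an IP, since attackers rotate both.
SAMPLE_EVENTS = [
    (10, "203.0.113.5", "alice", "fail"),   # real user mistypes once, then succeeds
    (25, "203.0.113.5", "alice", "ok"),
    (30, "198.51.100.7", "alice", "fail"),  # one source working through a list
    (31, "198.51.100.7", "bob", "fail"),
    (32, "198.51.100.7", "carol", "ok"),
    (33, "198.51.100.7", "dave", "fail"),
    (34, "198.51.100.7", "erin", "fail"),
    (35, "198.51.100.7", "frank", "fail"),
    (40, "192.0.2.11", "victim", "fail"),   # one account hit from rotating sources
    (41, "192.0.2.12", "victim", "fail"),
    (42, "192.0.2.13", "victim", "fail"),
    (43, "192.0.2.14", "victim", "fail"),
    (44, "192.0.2.15", "victim", "fail"),
]


def detect_credential_attacks(events, window=60, min_attempts=5,
                              min_distinct=4, max_success_rate=0.25):
    """Flag two patterns inside each fixed window (thresholds are assumptions):
    'stuffing'    - one source trying many distinct accounts, few successes;
    'distributed' - one account attempted from many distinct sources."""
    by_source = defaultdict(list)    # (window, ip)   -> [(user, outcome)]
    by_account = defaultdict(list)   # (window, user) -> [(ip, outcome)]
    for ts, ip, user, outcome in events:
        by_source[(ts // window, ip)].append((user, outcome))
        by_account[(ts // window, user)].append((ip, outcome))

    findings = []
    for (_, ip), tries in by_source.items():
        hit = sorted({u for u, o in tries if o == "ok"})
        if (len(tries) >= min_attempts
                and len({u for u, _ in tries}) >= min_distinct
                and len(hit) / len(tries) <= max_success_rate):
            findings.append({"kind": "stuffing", "source": ip,
                             "attempts": len(tries), "compromised": hit})
    for (_, user), tries in by_account.items():
        sources = {ip for ip, _ in tries}
        if len(tries) >= min_attempts and len(sources) >= min_distinct:
            findings.append({"kind": "distributed", "account": user,
                             "sources": len(sources),
                             "compromised": any(o == "ok" for _, o in tries)})
    return findings


def accounts_to_isolate(findings):
    """Accounts to force through step-up auth or a temporary lock right away:
    those a stuffing run logged into, plus any under distributed attack."""
    out = set()
    for f in findings:
        if f["kind"] == "stuffing":
            out.update(f["compromised"])
        else:
            out.add(f["account"])
    return out
```

The per-source view misses an attacker who rotates IPs per attempt, which is why the per-account view is kept alongside it.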

4. Implement Zero Trust Run Time Protection 

Making sure passwords are protected, and having a good Identity and Access Management (IAM) solution in place are essential first steps, but these are still not sufficient to prevent credentials being stolen and weaponized. You need to put in place transaction level validation at run time to prevent any credential abuse as it happens. Generally this means deploying app attestation and mobile Runtime Application Self Protection (RASP). Here are the protections such a solution can bring: 

  • Permit Only Trusted Mobile Apps to Connect to Your Backend Servers and APIs

Attackers modify apps and create scripts and fake apps to launch attacks. App attestation is a run time technique used to provide proof that an app is truly authentic and unmodified. The running app must prove itself to be genuine through a sequence of integrity measurements and the result of this can be communicated to the backend servers in every request. The server then inspects the token, and can immediately block any traffic from anything other than genuine apps.

  • Prevent Weaponization of Apps By Emulators, Simulators, and Debugging Tools

Attackers can also manipulate the client environment at runtime to interfere with the operation of the app. The local client should never be trusted and should be continuously checked for the presence of malicious tools such as Frida or mitmproxy. Similarly, an effective way to prevent a mobile credential stuffing attack in Android and iOS apps is to prevent the app from running on emulators in virtualized environments. Again, the device attestation should take place continuously at run time, and the status can be incorporated in requests to the backend to allow easy and immediate elimination of problematic requests.

  • Protect Your Own and Third-party APIs 

Most apps use a number of APIs and often the API endpoints and API keys are visible inside the logic of the app. Attackers are good at finding the server address, server passwords and API keys needed to launch a credential stuffing attack. You must get API keys and secrets out of your app code by using a solution which provides dynamic secrets protection and management, delivering API keys to apps only if they pass attestation checks. This type of solution also allows immediate rotation of secrets and certificates when they need to be updated.

  • Block Man-in-the-Middle Attacks

Hackers can carry out MitM attacks on mobile apps and devices to extract credentials and keys, even if traffic is encrypted. Certificate pinning is your best defense against MitM attacks and a solution that implements dynamic pinning can make management easy and ensure service continuity. 

How Approov Blocks Credential Stuffing

Authenticating both the user and the app is essential for securing back-end services and preventing brute force attacks from bots or scripts. This, along with two-factor authentication, provides a robust defense against scripted attacks. Approov Mobile Security performs an ongoing, deep inspection of mobile apps and the devices they are running upon, and based on this guarantees the authenticity of requests to backend APIs and services. Read the felyx customer testimonial about how they used Approov to stop credential stuffing attacks.

Approov ensures that only genuine mobile app instances, running in safe environments, can use your APIs, and blocks any credential stuffing attacks by scripts, bots, modified apps and fake apps. Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued with valid Approov tokens, which are JSON Web Tokens (JWT). Approov JWT tokens are signed with a custom secret known only to the Approov cloud service and the backend API. The secret is never contained within the app itself, so it cannot be extracted. App registrations can be added and revoked immediately from the Approov service, allowing tight control of which app versions can access your API.

Approov detects a full range of potentially unsafe mobile device environments including device rooting/jailbreaking, emulator or debugger usage, malicious instrumentation frameworks, and cloned apps. Customers can specify which policies should be enforced. Changes to security policies roll out immediately to active apps without the need to update the apps.

Approov also provides full protection against Man-in-the-Middle attacks by providing full pinning and dynamic certificate management to ensure service continuity. In order to allow dynamic and rapid reaction to changing threats, policies can be modified and certificates and pins can be updated over-the-air without the need to update and roll out new versions of an application.

Conclusion 

Here is a quote from one of our customers: “Before integrating Approov, we were concerned about the risk of credential stuffing attacks on our shared e-moped platform. We realised that we needed an out-of-the-box security solution that enabled us to focus our resources and productivity on developing our core product. Approov provided the perfect solution to our problem.” – Arthur Bloemen, Head of Product and Technology at felyx.

Approov are experts on mobile app and API security. If you need protection against credential stuffing or any other threat contact us.

*** This is a Security Bloggers Network syndicated blog from Approov Blog authored by George McGregor. Read the original post at: https://blog.approov.io/how-to-prevent-credential-stuffing-attacks-on-mobile-apps
