Enabling Safe IoT Devices with Mobile App Security

Smart devices are increasingly targeted by successful cyberattacks because of their ability to capture valuable, sensitive data and the inherent scalability of the attacks. This has led to an estimated global annual cybercrime cost of EUR 5.5 trillion as reported by the European Cybersecurity Act. As a consequence of the increasing cost and frequency of smart device attacks, policy makers have increased their attention on IoT cybersecurity issuing guidelines and regulations to improve security.

Addressing the cybersecurity risks of IoT devices is challenging since their attack surface is quite wide, ranging from the device itself, to communication channels, and application software of which mobile apps are a relevant component to configure, control, and monitor remotely. Additionally, the scarcity of industry-wide security standards and harmonized rules and the necessity of balancing cost-efficient security practices with consumer’s experience add complexity to the topic.

This blog will focus specifically on mobile app security for IoT devices by addressing regulatory requirements outlined by the Cyber Resilience Act (CRA).

Takeaways

• IoT device vulnerabilities and mobile app security are interconnected as shown by some recent incidents reported in the news
• The Cyber Resilience Act (CRA) addresses cybersecurity of IoT devices with implications on mobile app security.
• Before market release, the CRA mandates "security by default" for IoT devices. Manufacturers must self-assess security for non-critical products, while critical ones require third-party testing.
• Mobile app security testing as well as threat monitoring help fulfill some of the key requirements of the CRA by addressing earlier in the development lifecycle vulnerabilities in mobile apps and SDKs and by maintaining a post-release surveillance on the evolving IoT threat landscape

The hidden risk of IoT devices: Vulnerable mobile apps

Recent news highlights a troubling trend: increasing security vulnerabilities within the mobile applications used to manage smart devices. These vulnerabilities often align with the OWASP Mobile Top 10, a recognized industry standard for common mobile security risks.

For example, flaws in improper credential management (OWASP M1), such as hardcoded login details within a smart lock mobile application, could grant unauthorized access to a user's home. Attackers exploiting such vulnerabilities could potentially unlock doors remotely, compromising the physical security of the residence.

Furthermore, insecure communication (OWASP M5) and insufficient cryptography (OWASP M10) within smart car mobile apps could expose the communication channels between a user's phone and the vehicle. This could allow malicious actors to intercept signals and potentially unlock or even start a car remotely, posing a significant security risk.

The issue extends beyond traditionally high-value targets like doors and cars. Smart home devices with seemingly lower security profiles, such as smart pet feeders, can also be compromised. Insecure communication, coupled with a lack of binary protection, (OWASP M7) could create vulnerabilities in the smart pet feeder app that attackers could exploit. This could allow unauthorized access to the feeder’s camera, potentially enabling the subversion of the device's functionality for unintended purposes, such as surveillance.

What is the Cyber Resilience Act?

In response to the alarming vulnerabilities exposed in the mobile applications controlling IoT devices (such as the ones discussed in the previous section), the European Union has taken a significant step towards fortifying security of IoT devices with the introduction of the Cyber Resilience Act. This legislation tackles the growing threat of IoT cyberattacks by establishing strict cybersecurity requirements for a wide range of products.

The CRA applies to any product with digital elements, encompassing hardware with embedded software, standalone software, and even mobile applications. Manufacturers are now obligated to prioritize security throughout a product's life cycle. This means designing, developing, and producing these products with robust cybersecurity measures in place to minimize vulnerabilities and ensure ongoing protection.

To demonstrate compliance with the CRA, manufacturers need to conduct security assessments. Critical products, outlined in a specific annex, require a third-party to verify the assessment. A successful assessment allows manufacturers to obtain the CE (Conformité Européenne) marking, signifying the product's eligibility for the EU market.

Non-compliance with the CRA carries hefty consequences. Market surveillance authorities have the power to impose significant fines, reaching up to €15 million or a hefty percentage of a company's global revenue. Additionally, authorities can order corrective actions, forcing manufacturers to address security risks or even remove non-compliant products from the market entirely.

Impact on Mobile App Security

Building upon the foundation established by the CRA, the impact on mobile app security for the IoT landscape is poised to be revolutionary. This groundbreaking legislation establishes a robust framework with significant implications for mobile app publishers developing applications that interact with connected devices.

A key aspect of the CRA lies in its focus on proactive security. As a result, mobile app publishers will be required to conduct thorough risk assessments before launching apps that manage IoT devices. This means proactively identifying potential vulnerabilities and implementing robust security measures to address them. Worth noting, there is a 36-month grace period for existing EU products launched prior to CRA going into effect; while it is a good idea to adhere to the CRA, these products do not need to be modified unless they undergo significant changes. This aligns with the principle that new laws can't be applied retroactively.

The CRA essentially mandates some key mobile app security practices to safeguard IoT mobile apps, such as:

• Mobile app security testing: App publishers need to leverage rigorous mobile app security testing methodologies to uncover vulnerabilities, and fix them, before their apps go live. This proactive approach minimizes the window of opportunity for attackers to exploit weaknesses.
• Vulnerability management & Post-market surveillance: The focus on security doesn't end with launch. The CRA mandates ongoing vigilance. App publishers are responsible for implementing vulnerability management processes to identify new threats emerging in the field. This includes real-time threat monitoring to stay ahead of evolving cyberattacks.

By mandating these comprehensive security measures, the CRA will significantly elevate the baseline security posture of mobile apps interacting with IoT devices in the EU. This will translate to a safer digital environment for consumers and businesses.

Mobile app publishers operating within the EU should adapt their development processes to prioritize security from the beginning of the product design. However, the long-term benefits are undeniable – a more secure app ecosystem fosters trust and protects users from the ever-growing threats that might impact the smart devices landscape.

How Guardsquare can help IoT mobile app developers

In light of the stricter security requirements imposed by the CRA, Guardsquare offers a solution to help mobile app publishers develop secure IoT mobile apps.

Mobile application protection provided by Guardsquare with Dexguard for Android and iXGuard for iOS fortifies IoT apps with a multi-layered defenses making it:

• Incredibly difficult to reverse engineer the app: reconstructing the app’s code becomes a lengthy and resource-intensive endeavor.
• Extremely complex to tamper with the app: malicious modifications are readily detected and stopped, safeguarding the app’s integrity.
• Highly challenging to scale up attacks: the combination of anti-reverse engineering and anti-tampering techniques make it harder to automate attacks.

AppSweep by Guardsquare is a mobile app security testing product, available in both free and Enterprise versions, that empowers developers to proactively identify vulnerabilities before the app's release, ensuring alignment with the CRA principles of security by default. AppSweep´s mobile-specific approach allows companies to achieve this goal without compromising the need for continuous and fast development of the app.

Once your app is live, ThreatCast by Guardsquare equips security teams and developers with real-time threat monitoring. This constant vigilance allows IoT mobile app developers to identify new security threats as they emerge. ThreatCast provides valuable insights to the development teams, enabling them to swiftly address and resolve vulnerabilities.

By leveraging both AppSweep and ThreatCast, IoT manufacturers can ensure the ongoing security of the IoT mobile apps they develop to manage their smart devices and comply with the CRA.

For more information on Guardsquare's mobile application security testing and threat monitoring solutions, connect with an expert today.