While most security reports in the media today talk about mobile malware, one security threat that's not getting as much attention as it deserves is phishing.
Phishing casts a wide net, typically through mass emails that appear to come from reputable sources but actually contain links to bogus websites or attachments that contain viruses. On mobile, a phishing attack can lead to malware, spyware and ransomware being installed in the background, without your knowledge.
Unlike ordinary phishing, spear phishing doesn't rely on volume. Instead, it relies on targeting specific, high-profile targets in an effort to steal their personal information. Celebrities had compromising photos stored on Apple's iCloud service revealed not because attackers broke the technology (although Apple's password practices at the time were a contributing cause), but because attackers used the celebrities' fame and publicity to guess their weak passwords. And it's not just celebrities – executives in companies with more than 2,500 employees have a 1 in 2.3 chance of becoming the target of a spear phishing attack.
While most consumers are aware of the potential risk of following links in an email, they're not aware of the potential threat behind links inside their apps. Here's why phishing attacks inside apps with an insecure WebView are going to be a big problem for mobile consumers very soon:
- Mobile screens are small, making it easier to spoof websites.
- Apps use a WebView to display webpages so consumers don’t have to close the app to open a native browser. There are no security products or services designed for WebView – that is, with the exception of MetaCert’s Security API and more recently, Google’s Safe Browsing API.
- With a few lines of code on a webpage, a cybercriminal can easily steal all the data on your device as soon as you visit the page. This is far more dangerous than similar attacks aimed at desktop users.
- Consumers trust what they see inside apps, especially if they're branded and well-known apps. This is a problem because it's not the app that's a threat. It's the web pages that they visit using the app.
- Consumers are more likely to quickly log into websites on their mobile – making it more likely for them to fall victim to a phishing attack in the future.
The only way to stop a phishing attack at the app layer before it's too late is to integrate the MetaCert Security API service. This service makes it easy for developers to add a thin layer of security to their app. It checks the legitimacy of websites in real time to make sure they're not labeled as malicious.
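
Where such a check sits in an Android app, as an added example that is not MetaCert's or Google's own code: a `WebViewClient` that vets each in-app navigation and turns on WebView Safe Browsing, which the list above mentions. `UrlReputation` and `GuardedWebViewClient` are hypothetical names standing in for whatever URL-labelling source the app uses; the `android.webkit` calls are the platform's own.

```java
import android.net.Uri;
import android.webkit.SafeBrowsingResponse;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical lookup; it must answer from a local cache because it is called on the UI thread. */
interface UrlReputation {
    boolean isMalicious(Uri url);
}

/** Added example: vets every in-app navigation before the WebView loads it. */
public class GuardedWebViewClient extends WebViewClient {
    private final UrlReputation reputation;

    public GuardedWebViewClient(UrlReputation reputation) {
        this.reputation = reputation;
    }

    /** Call once when creating the WebView (Safe Browsing settings need API 26+). */
    public void attachTo(WebView webView) {
        webView.getSettings().setSafeBrowsingEnabled(true);
        webView.setWebViewClient(this);
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri url = request.getUrl();
        // Refuse anything that is not HTTPS: no cleartext pages, no file: or intent: URLs.
        if (!"https".equalsIgnoreCase(url.getScheme())) {
            return true; // true = the WebView does not load the URL
        }
        // "https://bank.example@evil.example/" displays a trusted name but loads evil.example.
        if (url.getUserInfo() != null) {
            return true;
        }
        // Block pages the reputation source has labelled as malicious.
        return reputation.isMalicious(url);
    }

    @Override
    public void onSafeBrowsingHit(WebView view, WebResourceRequest request,
                                  int threatType, SafeBrowsingResponse callback) {
        // Safe Browsing flagged the page (API 27+): navigate away from it.
        callback.backToSafety(true); // true = enable Safe Browsing reporting for this hit
    }
}
```

Android does not call `shouldOverrideUrlLoading` for POST requests, and it is generally not invoked for URLs the app itself passes to `loadUrl()`, so the app should apply the same checks before making that call.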