Appery.io, a leading app-making platform with over 200,000 developers, has just launched a unique type of security for apps that are built on its platform. In a partnership with security startup MetaCert, the Security API is offered as a plug-in, making it easy for developers to protect end-users from phishing attacks.
In 2014, Symantec observed that 70 percent of social media scams were manually shared. These scams spread rapidly and are lucrative for cybercriminals because people are more likely to click something posted by a friend. Mobile was also ripe for attack, as many people only associate cyber threats with their PCs and neglect even basic security precautions on their smartphones. In 2014, Symantec found that 17 percent of all Android apps (nearly one million total) were actually malware in disguise.
While desktop browsers offer protection against phishing attacks by warning end-users of a potential threat, there is zero protection inside millions of apps that have browser-like capability. In order to display web content inside an app so users don’t have to close the app to open a browser, developers use what’s called a ‘WebView’. And to build hybrid apps that work across all mobile operating systems, developers must also use a WebView.
The lack of security inside apps with a WebView makes it easy for cybercriminals to attack unsuspecting end-users. Even legitimate enterprise apps put end-users at risk. The spoofed websites are set up to either steal your personal credentials as soon as you type them, or worse, install malware, spyware or ransomware in the background and without your knowledge. Most apps don’t display the URL of websites, making phishing attacks on mobile even easier for attackers.
The MetaCert Security API is the first of its kind to address phishing attacks from inside the app. Developers can also use the Security API to block websites that are labeled as NSFW, helping companies to enforce content compliance policies.
To end-users, the added layer of protection is seamless. Apps with the Security plug-in check the reputation of web links in real time, providing an invisibly secure experience by blocking malicious links from loading inside the app.
If you look at the screenshots to the right you will see a good example of a malicious link inside an app. As you can see, it looks like a legitimate WhatsApp page being shared. In fact, this is a live phishing scam with the aim of stealing your login credentials. Even if you open the link inside a mobile browser you will be brought straight to the site without any warning. While desktop browsers offer protection against this type of attack, their mobile counterparts offer no protection whatsoever.
None of the legacy companies are addressing this problem at the app layer. And Google only announced their Safe Browser API for apps two weeks ago. Companies such as McAfee, Symantec, Cisco Security, Dell Security, Palo Alto Networks, Kaspersky and others offer anti-virus apps and network-based filtering solutions.
Both network filtering and anti-virus apps are unable to detect malicious URLs inside apps.
App publishers want added protection for their end-users.
MetaCert launched the new service with Appmakr.com in January, a DIY platform that has seen over 2 million apps published to date. In February, 13.6% of all apps published on AppMakr subscribed to at least one of MetaCert’s two security services. Of those, 74% subscribed to both ‘malware & phishing’ protection as well as porn-blocking.
In March, 44% of all published apps subscribed to at least one security service. And of those, 87% subscribed to both. That’s an increase of 41%.
These figures tell us that app platforms can open a new revenue stream by offering developers a security solution as a value-added service. They also tell us that app publishers want added security for their end-users. The MetaCert API is extremely simple to integrate, taking platforms just a few hours to get up and running.
MetaCert offers developers 150 free API calls every month without any need for a contract. This helps developers to see the value of the service before paying for it.