In-App Purchases: The Hacker’s Playground


Photo by CC user Blogtrepreneur on Flickr.

The prevalence of smartphones and tablet computing devices has catalyzed an exploding demand for mobile device apps, which in turn has opened the door for hackers to use those apps as tools to steal the device owner’s personal information. Unlike company information systems networks that are protected by firewalls and other cyber security defenses, a mobile device is a standalone island that contains a rich trove of user information with little or no protection from cyberattacks. Hackers that access a mobile device can then use their access to break into company networks that device owners are authorized to use.

“Sandjacking” is one of the newer mobile device hacking techniques, in which a cyber thief overwrites a legitimate mobile device app with a rogue version of that app. The rogue version gives the thief access to personal data stored on the device. Mobile operating system developers have slowly corrected the flaws that allowed sandjacking to occur, but other more nefarious hacking methods are continuing, and some of those methods give hackers full control of a compromised mobile device.

Mobile device users are most at risk of opening the door for hackers when they use their devices to make in-app purchases. Those purchases include consumables such as game currency or exports for new file formats, non-consumables such as upgraded versions of apps that exclude ads, and auto- or non-renewing subscriptions for periodicals or passes to specific events. Every in-app purchase that requires a mobile device user to share personal information exposes that information to cyberthieves who are waiting to exploit it and to infect the user’s mobile device.

Companies are at a crossroads when it comes to protecting their networks from unauthorized incursions by infected mobile devices. They allow employees to use their own personal devices to access company networks, but they need to control how employees use those devices and what type of apps are installed on them. A 4-part strategy can reduce the risk of a cyberattack that is launched through a mobile device.

  1. Authorize app downloads only from trusted sources, primarily the Google or Apple iTunes app stores. If employees have access to very sensitive company information, the company can add an additional layer of protection by only allowing downloads of apps that are specifically authorized by an IT manager. Apps from authorized sources are more likely to include layers of protection that block hackers’ attempts to compromise personal information.
  2. Control app permissions. Many users set their mobile devices to download app updates automatically. Even if the user prevented the app from accessing stored photos or other information on a phone, an update can alter those permissions. Automatic updates and permissions on mobile devices should be strictly limited.
  3. Use artificial intelligence (AI) systems to evaluate app size against functionality. AI can flag an app as malware by comparing the app’s function with its size. A simple app, such as a flashlight, that takes up more than 1 megabyte of storage is a potential cyberattack risk.
  4. Mobile device management and employee education. Employees should be trained to understand the risks associated with mobile device GPS, Bluetooth, camera, and microphone capabilities and how a malicious app can use them to compromise information. These capabilities are the ultimate playground tools that hackers rely on to launch cyberattacks on companies through mobile devices.

As a backstop, companies can procure cyber risk insurance to cover their financial losses when they fall prey to a mobile device hacker. Simultaneously, individual mobile device users should remain wary of information that they share when they make in-app purchases, and they should routinely check their devices to confirm that an in-app purchase has not altered any app permissions and that all information that is stored in the device is secure.