Phishing Attacks Against Android Instant Apps
March 7th, 2017 | By Camilo Reyes | 4 min read
Google announced Instant Apps at last year's Google I/O developer conference. Instant Apps are native apps that behave just like a web app. These kinds of apps will be available for the Android platform. Instant Apps will ship soon; Google is working with a small number of developers before the feature is released to the wider world.
With an Instant App, you tap on a URL, you get dropped right into the app without any installs. This takes Android to new heights, blurring the separation between web and native. Users will not experience the usual delays one gets with installing an Android app. The good news is you get all the benefits from a native app plus the same conveniences from a web app.
All this sounds exciting, but what are the implications? From a user's point of view, you navigate from a web link right into an Instant App without knowing the difference. Can an attacker somehow hijack the URL link and scam your customers?
A phishing attack is one in which the attacker mimics a trusted identity. An Instant App, for example, has a look and feel that is an identifiable source of trust for users. The attack is successful when it fools the user into thinking they are in your app. By mimicking app behavior, an attacker gains the same level of trust your Instant App has.
A phishing attack leverages trust to gain information, such as account details like a username and password. The attacker can fool the user into handing over something valuable, such as access to a bank account. In most scams, the attacker's misrepresentation is identifiable; with a phishing attack, the lines are blurry and the user does not know the difference. The user gets tricked, and then comes to believe that your app is not secure and is therefore responsible for the damage.
A successful phishing attack can haunt the user for many years. When it leads to identity theft, the damage is never fully resolved: the stolen information gets reused at the attacker's whim. The trusted source of identity, such as your Instant App, can suffer a loss of reputation. If you click on a link that leads to a reputable bank, for example, can you trust it? A phishing attack can damage your reputation and continue to harass your customers.
The question is, what can you do about this? When the user taps on a link, how would they know this is not a scam? How can your Instant App gain the trust of your customers and maintain the status quo?
Scammers will often target user account details. This means asking for a credit card number, password or PIN, for example. The scam can trick users into thinking this will reactivate their account.
Make sure your Instant App is as user-friendly as possible. Let your users know you will never ask for such details. Instant Apps can store user data on the server. Once a user account is active there is no need to ask for details each time they visit the app.
Make sure features never need user secrets to work. Even partial secrets can tip off a scammer, since they can combine them with user data looked up through public records.
It is important to let users know where they are. Even though Instant Apps do not run inside the browser, the app can still show where the user came from. If your Instant App is part of a flow that lands back in the browser, make sure users know this. A general rule is that the less you try to hide from users, the better. It is imperative that the app is as transparent as possible to avoid phishing attacks.
Make sure sensitive data remains in session and does not rely on query string data. Hiding the URL in the link to prevent tampering is not secure anyway.
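The two rules above (sensitive data lives in the session, and the link is not trusted to carry it) can be made concrete on the server side that backs the Instant App. The following is an added example written for this post, not code from the original article or from Google's Instant Apps SDK. It assumes a hypothetical domain `example-bank.test` that the app has claimed, a constructed in-memory session store, and hypothetical parameter names; the point it demonstrates is that an incoming link is parsed with an allowlist, that parameters which smuggle in secrets are dropped and reported, and that account data is only ever read from an authenticated session.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts this app legitimately handles (hypothetical domain for this example).
TRUSTED_HOSTS = {"example-bank.test"}

# Link parameters that may be honoured: harmless identifiers only.
ALLOWED_PARAMS = {"product", "campaign"}

# Parameter names that indicate someone tried to pass a secret through the link.
SENSITIVE_PARAMS = {"password", "pin", "otp", "card", "account", "session", "token"}

# Constructed server-side session store. Sensitive data is looked up here by an
# authenticated session id; it is never read from the URL the user tapped.
SESSIONS = {
    "sess-7f3a": {"user": "alice", "account_no": "****1234", "balance": 120.50},
}


def parse_link(url):
    """Classify an incoming Instant App link.

    Returns the host check result, the path, the allowlisted parameters, every
    parameter that was dropped, and the subset of dropped ones that named a
    secret (worth logging, since it is a sign of tampering or phishing).
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    host_ok = parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS
    allowed = {k: v[0] for k, v in query.items() if k in ALLOWED_PARAMS}
    rejected = sorted(k for k in query if k not in ALLOWED_PARAMS)
    suspicious = sorted(k for k in rejected if k.lower() in SENSITIVE_PARAMS)
    return {
        "host_ok": host_ok,
        "path": parts.path,
        "params": allowed,
        "rejected": rejected,
        "suspicious": suspicious,
    }


def account_view(session_id, link):
    """Build the data for the account screen.

    Everything sensitive comes from the session; the link only tells us which
    product page the user landed on. A link from a foreign host or a missing
    session yields an error the app can show instead of account data.
    """
    if not link["host_ok"]:
        return {"error": "link host is not ours; show the origin to the user"}
    session = SESSIONS.get(session_id)
    if session is None:
        return {"error": "not signed in; authenticate before showing account data"}
    return {
        "user": session["user"],
        "account_no": session["account_no"],
        "balance": session["balance"],
        "product": link["params"].get("product"),
    }


if __name__ == "__main__":
    # Constructed sample link that tries to carry an account number and PIN.
    link = parse_link("https://example-bank.test/pay?product=savings&account=99887766&pin=1234")
    print("dropped parameters:", link["suspicious"])   # ['account', 'pin']
    print(account_view("sess-7f3a", link))
```

The host check matters because an Instant App link is just a URL: a lookalike host fails `parse_link`, and the app can display the real origin rather than silently proceeding. Everything the screen shows about the account is keyed by `session_id`, so tampering with the query string can change at most which product page opens.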
Scammers will use every attempt you make to obfuscate the app against you. Make sure the user has the opportunity to know if they are being fooled or not.
Consider implementing identity checks within the app to let users know where they are. A secret image, for example, can be effective at thwarting an attack. Make sure the user's identity is recognizable to the end user. Use what you already know about your users to let them know they are safe.
Multi-factor authentication, for example, is an effective safeguard for high-value information. With multi-factor authentication, use the user's physical Android device to deliver a one-time passcode.
Make sure you use what you already know about your users, and what they have to keep them safe.
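To show what the one-time passcode in the multi-factor step above looks like on the server, here is an added example, not code from the original article. It assumes a time-based one-time password (RFC 4226 HOTP under RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits) generated on the user's device, and it uses the RFC 4226 test secret `12345678901234567890` as a constructed shared secret. The `OtpVerifier` class is the part a practitioner wants beyond the bare algorithm: it tolerates one step of clock skew, compares in constant time, and refuses to accept a code for a step that has already been consumed, so a phished code cannot be replayed after the user has used it.

```python
import hashlib
import hmac
import struct

# Constructed shared secret (the RFC 4226 test vector secret). A real deployment
# generates one per user with secrets.token_bytes() and provisions it to the
# device out of band.
DEMO_SECRET = b"12345678901234567890"

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step)


class OtpVerifier:
    """Server-side verifier with clock-skew tolerance and replay protection."""

    def __init__(self, secret, skew_steps=1, step=STEP_SECONDS):
        self.secret = secret
        self.skew = skew_steps
        self.step = step
        self.last_used_step = {}  # user -> highest counter already consumed

    def verify(self, user, code, at_time):
        """Accept `code` for `user` if it matches the current step or one step
        either side, and that step has not been used before by this user."""
        if not (code.isascii() and code.isdigit()):
            return False
        now_step = int(at_time) // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = now_step + delta
            if counter <= self.last_used_step.get(user, -1):
                continue  # this step was already consumed: treat as replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_step[user] = counter
                return True
        return False


if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 1000)
    print("first use accepted:", verifier.verify("alice", code, 1000))   # True
    print("replay accepted:", verifier.verify("alice", code, 1000))      # False
```

The replay check is the defensive detail: a scammer who phishes a code from the user gets at most one step's worth of validity, and nothing at all once the genuine app has consumed it. Raising `skew_steps` widens both the clock tolerance and the window an intercepted code stays valid, so keep it small.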
Instant Apps will without a doubt change the way users perceive links on the Internet. With convenience, you get more vectors through which attackers can victimize customers. It is important to watch out for the safety of your customers and never let your guard down.
Scammers are on the prowl, looking for new ways to gain access to customers' data. A phishing attack is good at exploiting your bad security practices and fooling customers.
Customers who trust your Instant App also expect that you never break that trust. Never asking for secrets, being transparent and placing safeguards will aid with this. The goal is to keep customers happy and safe.