In the public imagination, hacking is inevitably a crime. Poorly socialized hackers lurk in basements across the globe, just itching to access a bank account or dream up a new Nigerian prince to steal identities. People more familiar with computer culture know that hacking, like so many other things, exists on a continuum.
Decades ago, children’s cartoons made detecting the good and bad guys easy. The good guys wore a white hat, while the bad guys donned a black one. The terms white hat, gray hat, and black hat are shorthand for the degree to which a hacker helps people or participates in a criminal hacking culture.
- Black hat hackers are criminals eager to hack into apps and steal information.
- White hat hackers are researchers and security experts who use their security expertise to protect people and systems.
- Gray hat hackers occupy a more complex middle ground.
But as with all things in the increasingly layered world of hacking and mobile app development, the image of hackers is more nuanced than it appears at first.
Here’s what you need to know about each type of hacker — and how they can help or hurt your mobile app.
Black Hat Hackers: An Objective Threat to Mobile Apps
Knowing that someone is a black hat hacker tells you little about what specifically they intend to do, though. Black hat hackers come in as many varieties as there are crimes. Some are highly skilled coders, who use their experience to gain access to passwords and hack consumer data. Others are opportunists, who use behavioral engineering to convince consumers to give away sensitive data.
Understanding how black hat hackers work can help you protect your app from them. Some of the many goals black hat hackers may set out to achieve include:
Access to Private Information
Some hackers will take any information they can get — whether it’s your users’ private health care data, or even the notes they make in your app. These hackers have one of two goals.
Sometimes they have a personal vendetta. They want information on a specific person or entity, so that they can use that information later. These hackers might be ex-boyfriends and girlfriends (or the people they hire), or others with a personal ax to grind. Occasionally a black hat hacker seeks information about a user or group of users in an attempt to harm an entity. For instance, a hacker might leak consumer data from a company after that company fires them, in an attempt to undermine the company’s reputation.
In most cases, the goal is purely financial. Information is power in a data-driven world. Someone, somewhere will pay for just about anything, ranging from a list of passwords to an idea of users’ deepest fears. Hackers who can get this information stand to earn a tidy profit.
Perhaps the most straightforward — but also one of the most difficult — hack is one that allows a user to transfer money or credit from one person’s account to another’s. If you collect financial or credit card data on your app, or if your app offers access to bank accounts, your users are vulnerable to black hat hackers looking to seamlessly transfer their money into someone else’s account.
Use of Corporate Property and Secrets
Money isn’t the only valuable commodity in an economy driven by services. Corporate intellectual property — proprietary lines of code, marketing plans, even financial information — is valuable to competitors, consumers, government entities, and a host of other actors. By accessing corporate information, a hacker may be able to start their own competitive company.
Competitors may be able to steal what makes your business unique. Consumers gain a way to access data for free. The options are virtually limitless. If the app you develop isn’t protected, you’re endangering the business for which you developed it.
Consumer, Corporate, and Government Finance Information
Most hacking is, to some degree or another, about money. Black hat hackers target consumer, government, and corporate financial data in myriad ways. They may hack even a completely unrelated app to gain access to information that can help them access another app.
For instance, by learning a user’s mother’s maiden name, a hacker might be able to access her bank account. And if you operate an app that maintains any sort of financial data, even if it’s just credit card records, your app could be hacked, exposing government, corporate, or consumer data.
The wealthier the people who use your app are, the more valuable their data is. So apps that target governments and corporations are of a higher value, both because they offer more valuable financial data, and because hackers may be able to sell this information.
Black hat hackers don’t limit themselves to a specific set of goals. They will gleefully seek out any and all information that offers them any value.
Some other reasons black hat hackers might hack an app include:
- To support crime in the physical world. For example, by gaining access to a user’s address, a hacker can rob them or help someone who wants to rob them.
- Blackmail. Reputation is everything. Revenge porn, devastating secrets, and other embarrassing facts of life can be used for profit — or just to wreck someone’s life.
- Ransom. Some hackers seek access to a customer’s information, then offer to sell it back to the customer for a price.
- Identity theft. Hackers can steal identities and disguise themselves as someone else to commit other crimes.
- Pure curiosity. Some hackers just want to see what they can get away with. Once they know the depth of their own skill, they may then begin shopping ways to profit from it.
White Hat Hackers: The Good Guys — But With a Lot of Rules
White hat hackers are generally sticklers for the rules. That’s especially true when they’re hired for security purposes. Some have law enforcement or military backgrounds, and received their training for these roles.
White hat hackers will not hack your competition, use stolen code, or break the law in other ways — at least not knowingly. For businesses that want to keep a leg up on the competition, this can feel stifling.
Yet having a white hat hacker on your team is one of the best ways to protect your business without breaking the law. Some of the many roles white hat hackers can play include:
- Monitoring traffic into and out of your app to look for signs of hacking.
- Attempting to hack into your app using various and ever-evolving hacks. If your security expert can do it, so too can a black hat hacker. By continually exposing vulnerabilities, white hat hackers help you spot problems before they spin out of control.
- Developing and testing patches for security holes.
- Monitoring changes in how the competition does business. Sometimes a change in another app indicates a security hole that could affect your business as well.
Not all white hat hackers are exclusively white hat. Some are white hat in their professional lives, but spend their evenings on criminal endeavors — or trying to hack other enterprises just for fun. This means that you’ll need to be careful about whom you hire. The information they are hired to protect during the day could be a source of profit at night when they turn around and sell the information, or use it to hack your customers.
That doesn’t mean you have to be skeptical of all hackers, or even that the majority are bad. But it does mean that in a competitive market, the valuable skills you pay for might be even more valuable to someone else. Choose white hat hackers wisely — and know that a disgruntled former security worker might be your very worst enemy. So treat your staff well, pay them fairly, check their background, and establish clear policies that help you monitor for signs of trouble with your staff, contractors, or anyone else that you, or the companies that hire you, work with.
Gray Hat Hackers: A Mixed Bag
So what exactly do gray hat hackers do? It’s a mixed bag. The simplest, and perhaps least ethically questionable, version of gray hat hacking occurs when white hat hackers strike out on their own.
They attempt to hack into apps and other sources of data, then notify the business of leaks. In a modified version of this scheme, gray hat hackers notify
Some other versions of gray hat hacking include:
- Acting as a white hat hacker as part of a day job, but moonlighting as a black hat hacker.
- Illegally downloading code or other intellectual property with the intention of improving security.
- Breaking the law in an attempt to thwart criminals. For example, the group Anonymous sometimes targets criminals who abuse vulnerable people. While some classify this as black hat hacking, others view it as gray hat hacking.
- Working with a company to improve security, but doing so by breaking into other companies’ data to learn about security holes.
Because the world of data hacking is complex, there’s significant disagreement about the difference between a gray hat and black hat hacker. This is especially true in the world of law enforcement, where behavior that seems perfectly reasonable to most people — such as hacking a company’s data, then notifying them of where the issue is — can land a hacker in jail. Developers should proceed with caution when using any hacking techniques, especially ethically and legally dubious gray hat approaches.
Other Hacker Types You Need to Know
Though gray, black, and white hat hackers are probably the best-known hacking styles outside hacker circles, within the hacking world they’re just the beginning. Knowing how hackers identify can help you spot potential problems, screen potential employees, and make decisions informed by how hackers actually work.
Some other types of hackers include:
- Script kiddies: These are beginning hackers, often kids or young adults, who are new to the hacking world. They have a basic idea of how computer coding works, but they can’t write their own code. Instead, they steal code from others, and use it to hack into devices or applications. They care little for ethics or the law, and don’t consider the effects of their actions, nor the quality of their work. Script kiddies are often just experimenting. They may not have nefarious intentions at all. In other cases, their intentions are clearly criminal, but they lack the skill to enact a complex plot. Crimes by script kiddies are crimes of opportunity. When they occur, however, they can cause extensive damage. That’s because script kiddies fail to understand much of the code they use, so they can disrupt an entire system even if their intention is only to gain access to a single piece of data.
- Green hat hackers: These are the slightly more grown up versions of script kiddies. They’re new to hacking, and may irritate their peers with myriad questions. But unlike their script kiddie peers, they don’t have a “watch it burn” approach. They care about quality hacking — whether white, black, or gray hat.
- Red hat hackers: Red hatters take ethical hacking very, very seriously — so seriously, in fact, that they’re willing to destroy the lives of any black hat hackers who cross their paths. Rather than blocking these hackers from a system or reporting them to authorities, red hat hackers take it upon themselves to shut down black hat hackers, and sometimes even enact revenge plots against them. Under the right circumstances, the tactics of red hat hackers can veer into black hat territory, and may even be illegal.
- Blue hat hackers: Blue hat hackers are black hat hackers with little experience or skill. Sometimes they’re seeking revenge due to a personal vendetta. Other times they’re doing what they can to access sensitive data. In the computer security world, blue hat hacker can also refer to hackers hired by consulting and security firms to look for and close security exploits. Microsoft hackers seeking to find and close security holes in Windows may also be dubbed blue hat hackers.
The world of hacking is complex, with its own culture, lexicon, and social norms. There’s a continuum from ethical and legal to unethical and illegal, and many hackers occupy many spots on this continuum throughout their careers.
If you feel overwhelmed by the number of hackers, the damage they can do, and the precautions you need to take against them, you’re not alone. And we can help. AppSolid offers the protection developers and large entities alike need. We take care of the security, freeing you to get back to business. Check out our industry-leading binary protection today!