Mobile App Security Threats & Best Practices for Developers
App Builder Appy Pie, April 12, 2018: The digital revolution that has taken over the world comes with its share of weaknesses, and in recent years we have repeatedly been held to ransom by major security breaches. In this volatile environment, mobile app security has gone from being a nice-to-have feature to a necessity. We use our phones for almost everything in our daily lives, and so a huge amount of personal, often sensitive, data is accessed from and via our phones and the apps we install on them.
If your organization relies on apps for its business, or runs an enterprise app for day-to-day work, a breach of those apps would bring heavy losses, and not only financial ones: you would also lose the trust that millions of users have placed in your app. That is why, as an app owner or appreneur, you must treat security as a high priority from the very first lines of code.
As heavy users of phones and apps, most of us enter a great deal of information (some of it confidential) into our devices. Once entered, that information sits on the device, in backups and on servers, and cybercriminals of all kinds go hunting for it there. A single breach can expose your name, age, address, phone numbers, account numbers and details, and even your current location. The stakes are even higher for enterprises, simply because of the nature of the information they handle and because criminals are especially keen to get hold of it.
It therefore falls to app developers to build security into their apps to protect their users and clients and, in the case of enterprise apps, their employees as well.
Does it really matter?
Surveys of app stores regularly find that the large majority of mobile apps (one widely quoted figure is 95%) contain at least one vulnerability. New apps are added to the stores every day, and the average smartphone user has about 36 apps installed. With numbers this large and information changing hands this often, it is only natural that some of those apps will be malicious or exploitable.
Whether you are developing for Android or iOS, the security concern is equally serious, and testing for security is equally demanding. Android may expose more vulnerabilities and loopholes, but that does not mean you have any less work to do on iOS.
New ways of using the mobile device are being invented all the time, so app developers must keep a firm focus on the security of the app.
More and more smartphone owners use their phones to look up their health conditions and for online banking. This usage pattern makes them more vulnerable, because their sensitive information ends up on a device that is permanently connected to the internet.
Most common security breach-points
1) Weak Server-Side Controls
Failing to follow secure coding practices on the server side can open the door to a serious breach. A mobile app is just another untrusted client: the API must verify the identity and authorization of the caller on every request, and must never rely on the app to have done so.
2) Insecure Storage of Data
A common and mistaken belief is that users and malware cannot access the files on the device where the app stores its data. Data written to shared storage, world-readable files, plain-text preferences or unencrypted databases is readable by other apps on a rooted or jailbroken device, and often ends up in backups. Keep sensitive data to a minimum, store it in the platform's protected storage (Android Keystore-backed encryption, the iOS Keychain and Data Protection classes), and exclude it from backups.
3) Improper Transport Layer Protection
Another common myth is that switching on SSL/TLS makes the app secure and there is nothing more to worry about. TLS only helps if the client actually validates the server: apps that accept any certificate, disable hostname verification, fall back to plain HTTP or allow obsolete protocol versions are open to man-in-the-middle attacks on hostile Wi-Fi. Proper certificate validation (and, for high-value APIs, certificate or public-key pinning) is what turns TLS from a checkbox into protection.
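As an added illustration (not code from the original article), here is how that difference looks in Python's standard ssl module, alongside a public-key pin check of the kind Android's network security configuration performs. The host name and the SPKI bytes are constructed for the example and stand in for a real certificate.

```python
import base64
import hashlib
import hmac
import ssl


def build_client_context() -> ssl.SSLContext:
    """Client-side TLS context that actually validates the server: chain
    verification against the system trust store, hostname checking and
    TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_context_do_not_ship() -> ssl.SSLContext:
    """The 'just make the certificate error go away' configuration seen in
    many apps: any certificate, any name, so any network attacker can
    impersonate the API."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check worth running in a unit test of your HTTP layer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def spki_pin(spki_der: bytes) -> str:
    """Pin format shared by HPKP and Android's network_security_config:
    base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(host: str, spki_der: bytes, pin_set: dict) -> bool:
    """Accept the connection only if the presented key's pin is in the set
    configured for this host. Unknown host: fail closed. Keep at least one
    backup pin per host so a key rotation does not brick the app."""
    expected = pin_set.get(host)
    if not expected:
        return False
    actual = spki_pin(spki_der)
    # Compare every entry so timing does not depend on which pin matched.
    matched = False
    for pin in expected:
        matched |= hmac.compare_digest(actual, pin)
    return matched


# Constructed example: a hypothetical API host and the SPKI bytes its
# certificate would carry. Real pins come from the CA-issued certificate.
EXAMPLE_PINS = {
    "api.example.test": {
        spki_pin(b"constructed-current-key"),
        spki_pin(b"constructed-backup-key"),
    }
}
```

In an app, the pin check runs against the SubjectPublicKeyInfo of the leaf (or an intermediate) certificate after the normal chain validation has already passed; pinning is an extra gate, never a replacement for validation.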
4) Unintended Data Leaks
Data can leak in a number of ways that have nothing to do with the network: it can be viewed, copied to the clipboard, screen-captured, backed up to the cloud and even written to the device's logs. Debug logging of requests and responses, crash reports and analytics SDKs are frequent culprits.
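The following added example (not part of the original post) shows a logging filter that masks bearer tokens, card numbers and password or OTP fields before a line reaches any log sink. The sample log lines are constructed, and the patterns are a starting point rather than a complete list.

```python
import logging
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check, so that order numbers and timestamps are not mistaken
    for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_PAN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
_BEARER = re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+")
_KV_SECRET = re.compile(r"(?i)\b((?:password|passwd|pwd|token|otp|secret)\s*[=:]\s*)[^\s,;]+")


def _redact_pan(match):
    raw = match.group(0)
    return "[PAN]" if luhn_valid(re.sub(r"[ -]", "", raw)) else raw


def redact(text: str) -> str:
    """Mask bearer tokens, key=value secrets and card numbers in one line."""
    text = _BEARER.sub(r"\1[REDACTED]", text)
    text = _KV_SECRET.sub(r"\1[REDACTED]", text)
    text = _PAN.sub(_redact_pan, text)
    return text


class RedactingFilter(logging.Filter):
    """Attach to every handler so redaction happens before any sink
    (logcat, crash reporter, file) sees the message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so the arguments are covered as well.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample log lines (not real data).
SAMPLE_LINES = [
    "GET /v1/account Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "checkout card=4111 1111 1111 1111 amount=42.00",
    "login user=alice password=hunter2 otp=123456",
    "order id=2018041200001 status=ok",
]


def redact_all(lines):
    return [redact(line) for line in lines]
```

The Luhn check matters in practice: the fourth sample line is a thirteen-digit order number that a naive digit-run pattern would destroy, while the test card number 4111 1111 1111 1111 is masked.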
5) Poor Authentication & Authorization
Even after the app has authenticated once, its credentials may not be safe: they can be stolen from insecure wireless networks, or from the device itself if they are stored in the clear. It is equally important to remember that a user who has been authenticated once is not automatically authorized for everything at all times. Every request must be checked for what this particular user is allowed to do with this particular resource.
6) Security Decisions Taken by Dubious Sources
Web service calls, hidden calls and IPC calls from the device cannot be trusted blindly, because they can be manipulated with readily available tools (intercepting proxies, hooking frameworks, repackaged apps). Security decisions such as "is this user an admin?" or "has this purchase been paid for?" must be made on the server from data the server controls, not from flags sent by the client.
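Breach points 1, 5 and 6 come down to the same rule: the server makes every security decision from data it controls. The added example below (Python, not from the original article) contrasts an endpoint that believes a user_id field supplied by the client with one that takes the identity from the server-side session and re-checks ownership on each call. The tokens, users and invoices are constructed fixtures.

```python
from dataclasses import dataclass


class AuthError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


# Constructed fixtures: opaque session tokens already issued at login,
# mapped to the principal they belong to, and resources with an owner.
_SESSIONS = {
    "tok-alice-1": Principal("alice", frozenset()),
    "tok-bob-1": Principal("bob", frozenset()),
    "tok-carol-1": Principal("carol", frozenset({"support"})),
}
_INVOICES = {
    "inv-1": {"owner": "alice", "amount": 120},
    "inv-2": {"owner": "bob", "amount": 80},
}


def get_invoice_insecure(request: dict) -> dict:
    """Weak server-side control: the server believes a 'user_id' field that
    the client put in the request. Any caller can read any invoice by
    editing that field with a proxy (an insecure direct object reference)."""
    invoice = _INVOICES[request["invoice_id"]]
    if invoice["owner"] != request["user_id"]:
        raise AuthError("forbidden")
    return invoice


def authenticate(request: dict) -> Principal:
    """Identity comes only from a session the server issued."""
    token = request.get("token")
    principal = _SESSIONS.get(token) if token else None
    if principal is None:
        raise AuthError("unauthenticated")
    return principal


def get_invoice(request: dict) -> dict:
    """Hardened: who is calling is established server-side, and the
    ownership/role check is repeated on every call, not just at login."""
    principal = authenticate(request)
    invoice = _INVOICES.get(request["invoice_id"])
    if invoice is None:
        raise AuthError("not found")
    if invoice["owner"] != principal.user_id and "support" not in principal.roles:
        # Same answer as a missing id, so the endpoint is not an enumeration oracle.
        raise AuthError("not found")
    return invoice
```

Note that the insecure variant has no notion of a caller at all: the "authorization" it performs is comparing two values the attacker chose.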
7) Failing to Offer Binary Protection
If the app binary is tampered with, reverse engineered or analysed, there is a high chance of a serious data breach. Anyone can download a public copy of the app, so assume that every string, key and check inside it will be read and, if valuable, modified.
8) Broken Cryptography
If the encryption or decryption scheme is weak in design (a home-grown algorithm, an obsolete one such as DES or MD5, a poorly chosen mode, or a hard-coded or predictable key), the whole architecture is exposed. Use current, vetted primitives in authenticated modes such as AES-GCM, and get key handling right.
Why have mobile app security & breaches largely been ignored?
There are a number of reasons why app security was neglected for so long. The main one is that the industry's primary focus has been on delivering more features and making apps faster, and security has been pushed aside in the process.
Research has also shown that many organizations delay security testing, or carry it out at such long intervals that it is ineffective. The following are the usual reasons mobile app security does not get the attention it needs.
- A preference for developing apps quickly and conveniently, at the expense of the users' safety
- Lack of awareness on the developer's part of the security implications of the platform they are working on
- Users do not put much emphasis on security and instead look for feature-laden apps
- No consistent testing throughout the SDLC
- Accidental coding errors
Mobile App Security – Best Practices
#1 Secure Code Writing
This is where it all begins. If there are bugs or vulnerabilities in the code, be sure that attackers will try that door first. They may tamper with the app and reverse engineer it, and all they need for that is a public copy of your app from the store.
So, before you sit down to write code that is meant to withstand attack, plan for it: make reverse engineering harder through obfuscation and code hardening, test repeatedly and fix the bugs that surface, and structure the code so that it can be updated and patched quickly, so that users receive a fix promptly in the event of a breach. Sign your code so that modified builds can be detected, and remember that hardening raises the attacker's cost but never replaces server-side checks.
#2 Data Encryption
More often than not, an app exchanges many pieces of data. To protect the app from breaches, encrypt every piece of sensitive data, both in transit and at rest. Encryption scrambles the plaintext into ciphertext that is meaningless without the key, so even if the data is stolen it is useless to the thief; only holders of the key can turn it back into meaningful information. Use authenticated encryption (for example AES-GCM) so that tampering with the ciphertext is detected as well, and never mistake hashing or encoding (Base64 is not encryption) for it.
#3 Exercising Caution with Libraries
When it comes to security, you can only trust yourself. When using third-party libraries, exercise care: test and review the code before incorporating it into the app. Third-party libraries can make an app engaging, but some of them are insecure. For instance, a stack buffer overflow in the GNU C Library's getaddrinfo() (CVE-2015-7547) let attackers execute code or crash the process through a malicious DNS response, and it went unnoticed for more than seven years before being fixed in 2016. As a developer, use controlled internal repositories, apply policy controls at the time of acquisition (pinned versions and verified checksums or signatures), keep an inventory of what you ship, and update promptly when a library is patched.
#4 Using Authorized APIs Exclusively
When you use unauthorized, loosely written APIs, you unwittingly grant attackers privileges that can be badly misused. Take the example of locally caching authorization information: it lets programmers reuse that information easily when making API calls, which makes the coder's life easier. But it also gives attackers a loophole through which to hijack privileges, because a cached authorization decision can be replayed or tampered with on the device. Experts in the field recommend routing all calls through centrally authorized APIs, where the server makes and enforces the authorization decision on each call.
#5 Employing High-Level Authentication
The authentication part of a mobile app is as vital as it is vulnerable. Some of the most alarming breaches of the past have happened where authentication was weak, which is why strong authentication matters so much today. In its most basic form, authentication means passwords or other personal identifiers that act as an entry barrier, and that depends largely on the users. You, as a developer, can steer them: design the authentication system to require sufficiently long passwords (length matters far more than forced character classes) and to reject passwords known to be common or breached. Forcing users to change passwords at fixed intervals is no longer considered good practice (NIST SP 800-63B advises changing them only when there is evidence of compromise), because it pushes users toward predictable variations. Add multi-step authentication that combines a password with a one-time code (OTP), and for apps handling highly sensitive content, biometric identifiers backed by the platform's secure hardware.
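As an added example (not code from the original post), the following Python shows a password acceptance check along the lines above and a server-side TOTP verification (RFC 6238) with constant-time comparison and replay protection. The deny list is a constructed stand-in for a breached-password corpus.

```python
import hashlib
import hmac
import struct
import time

# Constructed deny list; production systems check against a corpus of
# breached passwords instead of a handful of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty", "letmein"}


def password_acceptable(password: str, min_length: int = 12) -> bool:
    """Length plus a deny list is what blocks guessing; forced character
    classes and calendar-based rotation are not (NIST SP 800-63B)."""
    if not (min_length <= len(password) <= 128):
        return False
    return password.lower() not in COMMON_PASSWORDS


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at=None, last_accepted=-1, step=30, digits=6, skew=1):
    """Server-side check. Returns the time-step counter that matched (store
    it as the user's last_accepted) or None. Codes for counters at or
    before last_accepted are refused, so a code sniffed off the network
    cannot be replayed inside its validity window."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    at = int(time.time()) if at is None else at
    counter = at // step
    matched = None
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_accepted:
            continue
        # compare_digest and no early return: timing does not reveal which step matched
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            matched = c
    return matched
```

The expected values in the test come from the RFC 4226 and RFC 6238 test vectors (shared secret "12345678901234567890"), which is the quickest way to be sure an OTP implementation is interoperable with the authenticator apps users already have.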
#6 Making Use of Tamper-Detection Technology
As an app developer, you should know the techniques that set off an alert when attackers attempt to tamper with your code or inject malicious code: checking the app's signing certificate at runtime, verifying checksums of its own components, and detecting debuggers, hooking frameworks and rooted or jailbroken devices. You can also deploy active tamper detection that renders the app non-functional if it has been modified in any way. Keep in mind that these checks live inside the binary the attacker controls, so they raise the cost of an attack rather than eliminate it; for high-value decisions, pair them with the server-side device and app attestation services the platforms offer.
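Here is an added example (not from the original article, and a simplification of what platform code signing does) of the integrity check behind breach point 7 and this practice: a manifest of component hashes produced at build time, a runtime comparison that reports modified, missing and injected components, and a refusal to run when the check fails. The app components are constructed byte strings.

```python
import hashlib
import hmac


def build_manifest(files: dict) -> dict:
    """Build step: record the SHA-256 of every shipped component. In a real
    build this manifest is then covered by the app's code signature (APK
    signing, iOS code signing), which is what stops an attacker from simply
    regenerating it after patching the files."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_report(files: dict, manifest: dict) -> dict:
    """Runtime self-check: which components were modified, dropped or added."""
    modified, missing, added = [], [], []
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:
            missing.append(path)
        elif not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
            modified.append(path)
    for path in files:
        if path not in manifest:
            added.append(path)
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def is_untampered(files: dict, manifest: dict) -> bool:
    report = integrity_report(files, manifest)
    return not (report["modified"] or report["missing"] or report["added"])


def run_if_untampered(files: dict, manifest: dict, entrypoint):
    """Active tamper response: refuse to run when the self-check fails.
    This raises the attacker's cost; a patient attacker can also patch the
    check itself, so high-value decisions should rely on server-side
    attestation as well."""
    if not is_untampered(files, manifest):
        raise RuntimeError("integrity check failed; refusing to run")
    return entrypoint()


# Constructed stand-in for a packaged app: component path -> bytes.
APP_FILES = {
    "classes.dex": b"dex\n035\x00 constructed bytecode",
    "lib/libnative.so": b"\x7fELF constructed native library",
    "res/config.json": b'{"api": "https://api.example.test"}',
}
MANIFEST = build_manifest(APP_FILES)
```

The three failure classes map to the three common tampering moves: patching a class file (modified), stripping a protection library (missing) and repackaging with an injected hooking library (added).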
#7 Using the Principle of Least Privilege
The Principle of Least Privilege states that code should run with only the permissions it needs to function and nothing more. In practice this means the app requests only the permissions that are absolutely essential (each one is a capability an attacker gains if the app is compromised), requests them at the moment they are needed rather than up front, and keeps its own components, such as exported activities, services and content providers, closed to other apps unless they genuinely must be open.
#8 Ensuring Appropriate Session Handling
Sessions on mobile devices last much longer than on desktops, which makes them harder for the server to manage. One way to ease this is to identify sessions with random, server-issued tokens rather than device identifiers (a device ID is neither secret nor revocable). The big advantage is that tokens can be revoked whenever needed and expired after a period of inactivity, which improves security if the device is stolen or lost. This can be strengthened further by letting the user or an administrator log out all sessions remotely and wipe the app's data from the device.
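The following added example (Python, not code from the original post) implements such a session store: random opaque tokens stored only as hashes, absolute and idle expiry, per-session revocation and a remote log-out of every device a user has. Timestamps are passed in explicitly so the behaviour can be reproduced.

```python
import hashlib
import secrets


class SessionStore:
    """Server-side store of opaque, revocable session tokens. Only the SHA-256
    of each token is kept, so a leaked table does not yield live sessions."""

    def __init__(self, max_age=30 * 24 * 3600, idle_timeout=7 * 24 * 3600):
        self._sessions = {}            # token hash -> session record
        self.max_age = max_age          # absolute lifetime in seconds
        self.idle_timeout = idle_timeout

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, device_label: str, now: int) -> str:
        """256-bit random token. The device is recorded only as a label for
        the user's 'your devices' screen, never used as the session key."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user_id, "device": device_label,
            "created": now, "last_seen": now, "revoked": False,
        }
        return token

    def validate(self, token: str, now: int):
        """Return the user id for a live session, else None."""
        rec = self._sessions.get(self._key(token))
        if rec is None or rec["revoked"]:
            return None
        if now - rec["created"] > self.max_age or now - rec["last_seen"] > self.idle_timeout:
            rec["revoked"] = True
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, token: str) -> bool:
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def revoke_all(self, user_id: str, except_token: str = None) -> int:
        """Remote log-out for a lost or stolen phone: kill every session of
        the user, optionally keeping the one the user is acting from."""
        keep = self._key(except_token) if except_token else None
        count = 0
        for key, rec in self._sessions.items():
            if rec["user"] == user_id and not rec["revoked"] and key != keep:
                rec["revoked"] = True
                count += 1
        return count

    def devices(self, user_id: str):
        return sorted(rec["device"] for rec in self._sessions.values()
                      if rec["user"] == user_id and not rec["revoked"])
```

Because the table holds hashes, a token can be recognised but never reconstructed from the store, and revocation is a flag flip on the server rather than something the phone has to cooperate with.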
#9 Applying the Best Cryptography Tools & Techniques
We talked about encryption and keys earlier in the post, but if your encryption is to be of any use you must get key management right. Hard-coding keys in the app only makes a breach easier, because anyone with a copy of the binary can extract them. Keys should be generated on the device and held in the platform's secure container (the Android Keystore or the iOS Keychain, hardware-backed where available) so that the raw key material is never exportable and never written to ordinary files; keys that protect server-side data should never be shipped in the app at all.
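One control that catches hard-coded keys before they ship is a scan of the source tree. The added example below (not from the original article) flags string literals assigned to secret-looking names, keys or IVs built from literals, and high-entropy string constants; it runs over a few constructed Java lines in the style of an Android app.

```python
import math
import re

# Patterns for the usual ways a key ends up in source. Constructed for this
# example; a real scanner carries many more.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b\w*(?:key|secret|password|passwd|token)\w*\s*=\s*"([^"]{8,})"')
KEYSPEC_LITERAL = re.compile(
    r'(?:SecretKeySpec|IvParameterSpec)\s*\(\s*(?:new\s+byte\s*\[\]\s*\{|"[^"]*"\s*\.getBytes)')
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, prose scores low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source: str, min_len: int = 20, entropy_threshold: float = 4.0) -> dict:
    """Return {line_number: [reasons]} for lines that look like hard-coded secrets."""
    findings = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        reasons = []
        if SECRET_ASSIGNMENT.search(line):
            reasons.append("string literal assigned to a secret-looking name")
        if KEYSPEC_LITERAL.search(line):
            reasons.append("key or IV built from a literal")
        for lit in STRING_LITERAL.findall(line):
            if len(lit) >= min_len and shannon_entropy(lit) >= entropy_threshold:
                reasons.append("high-entropy string literal")
                break
        if reasons:
            findings[lineno] = reasons
    return findings


# Constructed Java lines in the style of an Android app (not real code).
SAMPLE_SOURCE = """\
private static final String API_KEY = "AKIAEXAMPLEKEY1234567890";
SecretKeySpec spec = new SecretKeySpec("s3cr3tkey0123456".getBytes(), "AES");
byte[] iv = new byte[16];
String greeting = "Welcome back to the app";
SecretKey key = (SecretKey) keyStore.getKey(alias, null); // Android Keystore, material never exported
"""
```

The last sample line is what the fixed code should look like: the key is fetched by alias from the platform keystore, so there is no literal to find. Run the scan in CI on every commit and treat a finding as a build failure, not a warning.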
#10 Keep Testing
Making and keeping your app secure is not a one-off task with a definite end date. It is a continuous process in which you keep testing the app so that it can fend off the latest threats. Test for loopholes and vulnerabilities with techniques such as threat modelling, static and dynamic analysis, penetration testing and instrumented emulators, and make sure the vulnerabilities you find are fixed with timely updates.
In recent times the world has witnessed some notorious security breaches, and WannaCry and NotPetya will not be forgotten in a hurry. That is why people have begun to take security a lot more seriously. In the years to come, organizations and individuals alike will take appropriate measures and prioritize security over most other things. As an app developer, the points above will help you prepare for that and deliver an app that is secure and keeps your users' data safe from attackers.