Top Security Issues to Prepare for In Mobile App Development
App Builder Appy Pie, February 20, 2018: The last time you ordered your favorite cup of coffee at Starbucks, did you stop and wonder about the security and data privacy when you used the app? Did you wonder how safe it is to play your favorite game as you whiled away the time on your daily commute? Did you stop and wonder how safe is the app that has been making your digital business strategies tick? Probably not! And if yo u did, you probably are comfortable in the thought that the app developers would have taken care of it for sure. The concerns about the app are even lower if it comes from an organization or company of good standing and repute and if the app was downloaded from a good app store like iTunes or Google Play Store. But the harsh fact is that even in all these scenarios there is a good chance of things going seriously wrong.
The mobile market is burgeoning and so is the app development market and scenario. Whether it is individuals or big organizations, everyone is becoming increasingly dependent on a variety of mobile apps for efficiency and increasing employee coordination and productivity. It is therefore important to ask the question – are mobile apps secure enough to be protected from malicious hackers? However, it is the one question that most of us fail to ask.
Did you know that an average company only tests about half of the mobile apps that they build and launch and one third of the app development companies do not even test their apps for security before being launched into the market?
It is this astonishing fact that exposes the app users to potential cyberattacks that may enable hackers to gain access to all the corporate or personal data on the mobile device that is used to access the app. The current trend of BYOD (Bring Your Own Device) where the employees are allowed to download and use business apps on their personal devices leaves the companies even more exposed to cyberthreats and hack attacks.
There are thousands of new apps that hit the market each week and probably an equal number of or more hackers ready to tap into these apps and phish out user information for malicious purposes. This puts a lot of responsibility on the app developers to work hard and ensure safety of their apps. Following is a list of top security issues that a developer must prepare for, in case of mobile app development.
1. Depending Only on Built-In Platform Security
There are a great number of app development platforms to choose from but none of them are completely immune to security threats and loopholes. Of the prominent app development platforms, Apple’s iOS platform has a fairly stringent screening process that the app has to go through before it is allowed to be launched for the users, and for this reason it is considered to be one of the most secure platforms. However, it is also true that there is no guarantee that every app on the platform is secure. Any screening process, no matter how stringent can’t possibly take care of and thwart the attempts of every malicious person who might try to hack into the apps. Android, however is completely different as it simply allows every new app to be launched and leaves it to the users’ discretion to sort the good from the bad with the help of reviews. Both the systems are flawed in their own way and it is extremely important that you do not depend entirely on the security features or screening system of a platform when it comes to protecting the users from cyberthreats.
2. Using Other Developers’ Codes
Developing an app from the ground up is quite a challenge and requires a lot of expertise and efforts, apart from the big price tag attached to it. The process of developing an app from the scratch is a long one, and not every developer has that kind of time or resources to accomplish it. it is for this reason that quite a few of them pull out and make use of open source code to speed the process up. Most of the modern applications today are made 90% from open source, which unfortunately means that it is the largest and the weakest grounds for attack by hackers and cyberterrorists. The hackers today are creating malicious codes with the hope that a developer would pick it up and give them access to all sorts of information that app may be a gateway for. The hackers today are making use of the developers’ tendency to trust 3rd party code & solutions so that they can get the developer to do the actual deed for them!
There actually is nothing wrong with finding a foundation in someone else’s work and then build upon it. open source code can actually be a great way to save a lot of time and money. However, it is of great importance to do your due diligence and make sure that the 3rd party code you are developing is safe to be used in your app and that it does not jeopardize the safety of the users. Apart from that it is also important that after the launch of the app you keep a vigilant eye on the code to validate the security and make sure that it stays safe to be used over a period of time. Find solutions that would help you monitor and identify whether the 3rd party code you want to use is safe to be used, then supplement this with your own set of tools, techniques and processes to make the app foolproof. It is also good if you are able to build a relationship with those vendors which would ensure an open line of communication and open up apt pathways to remediate any number of flaws or bugs that may be discovered in the process. The key here is to use only those sources that have been vetted carefully and verify yourself if you can. It is good to trust, but never place your faith blindly on anyone.
3. Not Being Prepared for Caching & Logging Vulnerabilities
As far as possible do not cache app data. When it comes to storing any kind of data in a secure manner on any mobile device, it is important to employ the proper technique. The most secure, and fool proof way to mitigate compromise of the data on the device is by making sure that no data is stored or cached. There are a number of ways where data may be stored unintentionally. It is possible that the developers may fail to register some the ways that data can be stored. Some of these ways include:
- Log & Debug Files
- Web Cache & History
- Property Lists & Files
- SQLite Databases
- KeyStore & Keychain
The debug logs are designed with the intent to find and rectify flaws in any application. Also, in case of an app crash, the hacker may achieve access to a lot of information of great value in the form of the crash log that is created with it. In both these cases, there is a possibility of the hacker gaining access to a lot of sensitive information, which them provides a lot more fuel to orchestrate yet another attack. When you offer features like “Remember Me” or “Save This User ID”, the user ID is then cached within the Credentials Manager object on iOS.
The prominent OSes including iOS and Android store the information that the users type in, with the intent to provide specialized features including customized auto-complete, autocorrect, and form completion. In doing so, it is possible that some of the sensitive data may also be stored in it.
These words when typed in, are cached in the Keyboard cache, which puts them essentially beyond the administrative scope of the app itself, which means that this data cannot be removed or deleted from the cache by the app.
There, however are some techniques to prevent this, like programming in a manner that the cache would be automatically wiped as soon as the mobile device is rebooted, or every time the user exits the app. There are quite a few other concerns and not all issues can be handled by programming at the developers’ end.
4. Not Conducting Thorough Tests for Security
It has been established earlier that the responsibility to make an app lies heavily and squarely on the developers’ shoulders primarily. If you, as an app developer do not ensure total security of your app, you are exposing all your users and their data on your app to potential risks and threats. Hence it is good sense to never rush and release an app in a hurry. You must conduct enough tests to thoroughly test your app for security & privacy of the users.
At the very least you must perform static and dynamic analysis of your applications.
Using SAST or Static Application Security Testing, you can evaluate the apps from inside out and find any potential flaws and vulnerabilities in the code of the app that expose the data. This testing includes the 3rd party data as well.
DAST or Dynamic Application Security Testing is also referred to as Automated & Manual Mobile App Security Testing. This is one of the most important tests as it tests the apps as they work on the mobile device and identifies any susceptibilities or dicey behavior that the app may exhibit during its run time. DAST makes it possible to test the apps in a real-world scenario in a live network environment so as to be able to scrutinize and identify the vulnerabilities in data transmission and network communication.
It is of absolute importance to test the codes every time a build is pushed. It is advisable to integrate the security testing of the mobile app into the SLDC with automation. When you implement a build-test-deploy workflow, a security test is triggered every time a build is pushed. This means your team of developers can continue to focus on coding while all the security issues that have emerged may be taken care of by the security teams.
5. Compromising on Data Encryption
The thing about technology is that it is ever evolving, what is state of the art today may become obsolete tomorrow. This applies even to the encryption algorithms that you may have chosen to apply in your app, which means that it may become obsolete and hence become easy to crack into. If your encryption system is weak, you are exposing your users and all kinds of sensitive information that they may have on your app to malicious hackers.
If your app involves in-app payments, or any other payments, your users may be required to enter their credit card information or any other sensitive information. In such cases if your app does not have strong encryption, all this sensitive data is up for grabs! Sadly, the more popular your app becomes, higher are the chances of a potential attack on it. As an app developer you must ensure that the encryption and its implementation on your app stays updated and is configured properly to provide maximum security to the app users’ data. There are other techniques that may be used in this regard like string encryption at the code level and a more advanced application of white box cryptography which work both at the static and dynamic stages.
6. Failing to Prepare for App Reverse Engineering & Tampering
What happens when a mobile device is lost or stolen? As an app developer, there isn’t anything that you may do here! However, if you were to implement a local session timeout code, it can go a long way in providing a layer of safety to the user. This means that from time to time, the user would be asked to enter a password to be able to access the app. This duration may vary, and if you do not want to make it a daily affair, you can make it a weekly event or make the user enter the password every 7th time they access the app. It is common in the smartphones or other mobile devices to have the provision to save passwords or other login details, but when you implement a local session timeout in your app, you prevent this from happening.
It is not so far-fetched to imagine a phone, or any other mobile device being stolen, lost, or be accessed by a user with malintent at some point of time, and it is important that an app developer plan and prepare for this eventuality. The malicious users might, at this point reverse engineer the app to understand its working and gain information that might be valuable in determining how the app works. As an app developer, if you were to increase the runtime and complexity of the code. It increases the hurdles for a hacker to analyze or understand the working of the application. This in turn would bring the number of attacks and protect useful information from getting into the hands of malicious people. Some of the most useful techniques for this include – root/jailbreak detection, code obfuscation, debug detection, and control flow obfuscation.
Some hackers have in the past modified existing apps and inserted malicious elements in it before publishing them to the third-party sites and app stores. This is possible when a hacker or an attacker tampers with or backdoors into the app and then re-signs it. Some of the ways to prevent this from happening include – integrity verification, code signing, tamper detection, and resource verification.
7. Ignoring to Implement Secure Communication
While an app developer like you may be focusing all their resources and energy into making their apps secure, it is easy to forget about server-side security, which makes your app susceptible to malicious attacks. Most of the apps that need to handle any kind of sensitive data need to connect to a server and it is extremely important to ensure the safety of this transit. Failure to do this might lead to loss or theft of sensitive data including but not limited to the users’ credit card information, identification information etc. in case your app involves collecting big data, it is advised to get a certified SSL (Secure Sockets Layer) instead of using low-grade security encryption which can lead to leaks in data, your analytics, and advertising information.
When you have invested these many resources in making an app with exemplary security features, you do not want any interception over an insecure Wi-Fi connection. You can achieve this by employing strong encryption protocols & ciphers and TLS/SSL certificate pinning or Public Key Pinning. You may also acquire and implement extra layers of protection using app keys & secrets in combination with other techniques. Failing to secure this aspect can only spell disaster for you and your data.
8. Not Releasing Enough Security Updates
Hackers and attackers do not waste time and start their efforts in finding and exploiting the weaknesses of your app soon after you have launched it. This means that you cannot become complacent once the app has been launched. It is those apps that do not release frequent and timely security updates that attract the hackers to find and exploit the security loopholes. It is important these holes be plugged as soon as possible, and an update be sent to the users so that the functioning of the app and the faith that the users place in it is restored immediately. When you are dealing with sensitive information, there is effectively no margin of error, and when you ignore or delay fixing these issues, you run the risk of becoming obsolete pretty soon
9. Not Protecting the Device With EMM
EMM or Enterprise Mobility Management solution is an extremely effective way to protect the device from getting a jailbreak or getting rooted. A suitably employed EMM solution makes it impossible to remove the in-built security that is offered by the operating system in the mobile that offers to keep the data safe for a long time. When you employ an EMM solution, you are also offering a way to authenticate users before the app is launched and used to apply the different security policies in order to provide security from hacking attempts.
10. Insecure Data Storage
Some of the most popular apps have been known to save your login details in clear text, which means that anyone with your phone would have, at their disposal, all these details by simply connecting the phone to a PC. Now this means anyone with your phone has access to all your sensitive information like usernames, passwords, geo-location, email addresses and other such data, which you might have been using in a number of other places as well. The extent of vulnerability that you suffer from, in this case is insurmountable.
Mobile App Security – Best Practices
- Exercising Caution with Libraries
- Using Authorized APIs Exclusively
- Data Encryption
- Employing High-Level Authentication
- Making Use of Tamper-Detection Technology
- Secure Code Writing
- Using the Principle of Least Privilege
- Ensuring Appropriate Session Handling
- Applying the Best Cryptography Tools & Techniques
- Keep Testing
When it comes to security, you can only trust yourself. This means when you are using third-party libraries it is important that you exercise caution and care by testing the code in an optimum fashion before incorporating it in the app. It is true that integrating third party libraries might be instrumental in making your app engaging, but some of these libraries may prove to be quite insecure in their structure. For instance, GNU C Library has an inherent security flaw that lets the attackers implement malicious code and cause a system crash. The worrying thing is that this flaw remained undiscovered for more than seven years. As a developer, you must use controlled internal repositories and implement policy controls at the time of acquisition and safeguard their app from the security loopholes in libraries.
When you make use of unauthorized APIs that are loosely coded, you are unwittingly granting to the hackers privileges that may be grossly misused. If we were to take an example of locally caching authorization information, we know that it helps the programmers reuse this information with great ease while making API calls. This makes it easier to use APIs easing out the coder’s life. But in doing so, the attackers may find a loophole and be able to hijack privileges. Experts in the field suggest making use of centrally authorized APIs for stronger security.
More often than not, an app needs to exchange multiple units of data. In order to fortify your app and protect it from possible breaches, it is important that you encrypt every single unit of data that is being exchanged over the app. When you encrypt data, you are essentially scrambling up the plain text until it is converted into a meaningless pool of letters and numbers. This means that even if the data is stolen it would be useless for the miscreants. This meaningless encrypted data can only be decrypted into meaningful information to only those who have the key.
The authentication part of a mobile app is as vital as it is vulnerable. In the past some of the most alarming breaches have happened where there was weak authentication. This is why a strong or high-level authentication has assumed great importance today. In its most basic sense, authentication includes passwords or any other personal identifiers that may act as an entry barrier. This, however, is largely dependent on the app users. You, as a developer can sensitize your app users towards authentication. It is your responsibility as an app developer to design an authentication system that would only recognize passwords that have strong alphanumeric components, which must be changed or renewed in frequent intervals. You can also introduce a multi-step authentication system that employs a combination of passwords and OTPs, and in case of apps that deal with highly sensitive content, you can even apply biometric identifiers for access.
As an app developer, you must be aware of different techniques that would make it possible to set off alerts when attackers attempt to tamper with your code or try to inject malicious code. You can even deploy active tamper-detection as a security measure which would render the code non-functional if it was modified in any manner.
This is where it all begins. If there are bugs or vulnerabilities in a code, be sure that the hackers or attackers would try to get in through this door first. It is possible that they would attempt to tinker with it and reverse engineer it and for that all that is needed is a public copy of your app. Even as you sit down to begin developing a security code that is strong enough to be able to thwart attempts of breach. Make provisions in the code to ensure that it cannot be reverse engineered. Also, it is important that you conduct tests repetitively and fix any bugs that might surface. Also, plan the code in a manner that would allow updates & patching. The code should be agile enough to allow for updates from the user’s end in event of a breach. In addition to this, make use of code hardening & code signing.
The Principle of Least Privilege states that the code must be able to run with only those permissions that are instrumental to its functioning and nothing more than that. This means that when you design an app, it must only ask for those permissions that are an absolute essential for the app to function.
Since the sessions on mobile devices last a lot longer than the ones on desktops, it becomes more difficult for the server to handle these mobile device sessions. One way to ease this is by using tokens in place of device identifiers to identify sessions. The biggest advantage here is that the tokens can easily be revoked whenever the need arises. This means that the app security increases in case the device was stolen or misplaced. This measure can be further fortified by making it possible to wipe the data from the device remotely and even log off remotely.
We talked about encryption and keys earlier in the post, but if you want your encryption efforts to be of any use, it is important that you pay attention to key management. If you hard code your keys, you are only facilitating a security breach making it easy for the attackers to steal them. The keys must always be stored in secure containers which should not ever be stored locally on the device.
Making and keeping your app secure is not a one-off task that would have a definite end date. On the contrary it is actually a continuous process where you would have to keep testing the app and preparing it enough to be able to fend off the latest threats. You can keep testing your app for any loopholes or vulnerabilities by investing in techniques like penetration testing, threat modelling, and emulators. Make sure that these vulnerabilities are taken care of with timely updates.
When you are designing your app make sure that all this vital information that the users offer you is not stored directly on the device, and in case it has to be stored on the device, it must be done in a secure manner.