by Plamena, Project Manager at Flat Rock
Most people don't think about security when updating their Facebook status, checking their email or purchasing a new mattress using their smartphone. Mobile devices are powerful and popular. They provide us with a convenient way to do just about anything with a few taps. But this convenience comes with a price. Mobile apps often rely on consumer data, for example name, contact information, photos and location. This makes them vulnerable to hacker attacks, and a recent study by the leading research company Arxan confirms that:
› 90% of the apps tested had at least two critical security vulnerabilities;
› 98% of the apps tested lacked binary code protection and could be reverse-engineered;
› 84% of the apps tested had poor transport layer protection and could lead to data and identity theft;
› Less than 5% of popular apps contain professional-grade protections to defend against hacking attacks;
› There was a 163% increase in mobile malware last year alone.
These alarming numbers put the question of security in the foreground when developing a new app. If your app is not well-secured, it increases the risk of a revenue loss, unauthorized access to critical and sensitive data, intellectual property theft and fraud. Here are some guidelines that you can follow to mitigate the risk:
1. Source code encryption
Mobile app security is very different from website security. If you are building a website, your code is stored on a secure application server; the client side is just a user interface.
Mobile apps are more vulnerable because the entire code resides on the client side, which gives easy access to both the UI components and the app's business logic.
If your code is not well-protected, a malicious user can gain access to it. They can reverse-engineer your app, identify vulnerabilities to target your users, and even inject malicious code and re-publish your app to the app store.
2. Data handling
In addition to the app code being stored on the client side, a lot of user data is stored on the mobile device as well. Many developers use the mobile database SQLite or store data on the local file system. Neither encrypts the data by default, so you should make sure to implement additional data encryption. This will help protect your users in the event of viruses, malware or a lost device.
To minimize the risk, collect as little data as possible and avoid storing it for longer than needed.
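The two points of this section, that SQLite stores what you give it in the clear and that data should not outlive its purpose, are easy to see for yourself. The following is an added example written for this post, not Flat Rock's code or anything from a real app: it writes a constructed "sessions" table to a temporary database file, scans the raw file bytes for the stored token, and then applies a simple retention policy that deletes rows older than 30 days. The table layout, the sample rows and the function names are all made up for the demonstration.

```python
import os
import sqlite3
import tempfile
import time

# Constructed sample rows: the kind of session cache many apps keep on the device.
# Bob's row is 40 days old, Alice's is current.
SAMPLE_ROWS = [
    ("alice@example.com", "secret-token-ALICE", 1_700_000_000),
    ("bob@example.com", "secret-token-BOB", 1_700_000_000 - 40 * 86400),
]


def create_store(path):
    """Create the on-device store and insert the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS sessions "
        "(email TEXT, token TEXT, created_at INTEGER)"
    )
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def plaintext_visible_in_file(path, value):
    """Scan the raw database file for a value: SQLite writes TEXT columns as-is."""
    with open(path, "rb") as f:
        return value.encode("utf-8") in f.read()


def purge_older_than(path, max_age_seconds, now=None):
    """Delete rows past the retention window and return how many were removed."""
    now = int(time.time()) if now is None else now
    conn = sqlite3.connect(path)
    cur = conn.execute(
        "DELETE FROM sessions WHERE created_at < ?", (now - max_age_seconds,)
    )
    removed = cur.rowcount
    conn.commit()
    conn.close()
    return removed


def demo():
    """Run the whole flow in a temporary file and return the observations."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        create_store(path)
        leaked = plaintext_visible_in_file(path, "secret-token-ALICE")
        removed = purge_older_than(path, 30 * 86400, now=1_700_000_000)
        return {"token_visible_in_raw_file": leaked, "rows_purged": removed}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Anyone who copies the database file off a lost or rooted device can read the token with a hex editor, which is why the encryption step the text calls for belongs in front of the INSERT, with the key held in the platform keystore rather than in the app binary. The retention check is the second half of the advice: data that has been purged cannot be stolen.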
3. Data transit
Mobile devices often rely on unsecured Wi-Fi access points, like those in coffee shops or airports. Sensitive information such as usernames, passwords and API keys is sent from the client to the server and vice versa. You need to protect such information by confirming the authenticity of every request to avoid privacy leaks.
Some of the ways to protect wireless communications are to use SSL/TLS or a VPN tunnel, both of which protect data in transit. A digital certificate is not that expensive and will guarantee your customers' protection.
4. Libraries and other third-party code
Developers often use third-party libraries and SDKs. That's normal; after all, you don't need to reinvent the wheel. What you do need to do, however, is your due diligence: ensure that the libraries or SDKs you use don't have known security vulnerabilities and issues.
To make sure you are protected against the latest viruses and malware, keep your libraries up to date.
5. Sessions and requests limitations
Mobile application sessions often remain active for a very long time. Although this is convenient for the user, it presents a security risk: as long as the session remains active, attackers can make malicious requests to the server.
The same is true for requests. The longer a request is valid, the greater the risk of an attacker eavesdropping on it or even intercepting and modifying it. To avoid this, all requests have to be timestamped on the client side and have an expiration time.
Another thing you should consider is forbidding repeated requests. Attackers can use them to replay intercepted requests (for example, a request to transfer money is re-sent). Developers can prevent repeated requests by using a nonce (an arbitrary number that may only be used once).
Instead of repeating a request, an attacker may choose to modify it. In the example above, the attacker may redirect the money to a completely different account. A shared secret known only to the client and server can prevent the server from accepting requests that have been modified.
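The three controls from this section (an expiry timestamp, a single-use nonce and a shared-secret signature) fit together into one request format, and the order in which the server checks them matters. The following is an added example written for this post, not Flat Rock's code or a description of any particular app's protocol: the client stamps and signs the request with an HMAC over the body, timestamp and nonce, and the server verifies the signature first, then the validity window, then nonce uniqueness. It then runs the money-transfer scenario from the text: the original request, its replay, a copy with the destination account changed, and a request that has expired. The shared secret, field names, account identifiers and the 300-second window are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret. A real app provisions one per user or device at login
# and never ships it inside the binary (see section 1).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # how long a request stays valid after it is issued


def canonical(body, timestamp, nonce):
    """Deterministic byte string both sides sign: body, timestamp and nonce together."""
    payload = {"body": body, "ts": timestamp, "nonce": nonce}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_request(body, secret=SHARED_SECRET, now=None):
    """Client side: stamp the request with a timestamp and a fresh nonce, then HMAC it."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, canonical(body, ts, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "ts": ts, "nonce": nonce, "mac": mac}


class RequestVerifier:
    """Server side: reject tampered, expired or replayed requests."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> timestamp; only needs to cover the validity window

    def verify(self, request, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, ts = request["body"], int(request["ts"])
            nonce, mac = request["nonce"], request["mac"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        # 1. Signature first: unauthenticated input must not be able to fill the nonce cache.
        expected = hmac.new(self.secret, canonical(body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"
        # 2. Expiry: outside the window the request is dead, which also bounds nonce storage.
        if abs(now - ts) > self.max_skew:
            return False, "expired"
        # 3. Replay: a nonce is accepted exactly once within the window.
        self._evict_old(now)
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[nonce] = ts
        return True, "ok"

    def _evict_old(self, now):
        """Drop nonces whose requests would now fail the expiry check anyway."""
        cutoff = now - self.max_skew
        for n in [n for n, t in self.seen_nonces.items() if t < cutoff]:
            del self.seen_nonces[n]


def demo():
    """The scenarios from the text; returns the server's verdict for each."""
    now = 1_700_000_000
    verifier = RequestVerifier()
    req = sign_request({"action": "transfer", "to": "ACC-1", "amount": 100}, now=now)
    results = {
        "first": verifier.verify(req, now=now)[1],
        "replay": verifier.verify(req, now=now)[1],
    }
    tampered = dict(req, body=dict(req["body"], to="ACC-2"))  # same nonce and MAC, new account
    results["tampered"] = verifier.verify(tampered, now=now)[1]
    stale = sign_request({"action": "transfer", "to": "ACC-1", "amount": 5}, now=now - 3600)
    results["stale"] = verifier.verify(stale, now=now)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. The nonce is covered by the signature, so an attacker cannot refresh a captured request by swapping in a new nonce, and the expiry window is what keeps the server's nonce store finite: once a request is too old to be accepted, its nonce no longer needs to be remembered.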
Building secure mobile applications is hard, and it depends on the type of app you're creating. There is no checklist for securing your app and no exact recipe, as different apps need different security measures. It depends on the amount of user data you collect, how you store it and how the app communicates with other apps and services. Some apps, such as those asking for location, collecting personal information, handling payments or relying on remote servers, are at greater risk than others. Your security measures have to be custom-tailored to match your app.
Contact us for more information on the topic or how to create your own mobile app.