Everything is going mobile. Developers now build applications for all kinds of tablets, mobile phones, desktops and variations thereof, and each of these presents new security risks. This creates a challenge for developers.
Are you sure that the mobile applications you’re building are secure? Answering this question before the application launches is very important. Awareness of secure mobile application development begins with an understanding of the various security risks those applications pose.
Security Risks in Mobile Application Development
- Weak Server Side Controls – Most of the security issues that occur don’t actually take place on the phone but on the server that hosts the application’s backend
- Insecure Data Storage – Storing data insecurely, so that it can be read by other malicious apps, or by an attacker who steals the phone
- Insufficient Transport Layer Protection – Not using SSL/TLS or other encryption methods to securely transfer data across mobile networks
- Unintended Data Leakage – Usually caused by the way a framework, operating system, compiler or hardware manages data without the developer’s knowledge
- Poor Authorisation and Authentication – For example, authenticating users locally, or “remember me” style login systems that store the user’s password on the device
- Broken Cryptography – For example, poorly managing encryption keys, or using custom encryption protocols
- Client Side Injection – This can include SQL injection attacks, XSS attacks and similar ones
- Security Decisions Via Untrusted Inputs – If you do not whitelist which applications may talk to your app, other mobile apps could send it input that compromises its security
- Improper Session Handling – This can be anything from not timing out logins fast enough, through to only invalidating sessions on the mobile app and not on the server side too
- Lack of Binary Protections – If your application runs in an untrustworthy environment, an attacker could reverse engineer it, embed new code, and redistribute the modified app, putting those who download and install it at risk
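The “Improper Session Handling” risk above is easiest to see in code. The following is an added example, not code from the original article: a minimal server-side session store in Python (standard library only) that enforces both an idle timeout and an absolute lifetime, and that invalidates sessions on the server rather than only in the client. The timeout values, the fake clock and the user name are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values for the example: 10-minute idle timeout, 8-hour absolute lifetime.
IDLE_TIMEOUT_S = 10 * 60
ABSOLUTE_LIFETIME_S = 8 * 60 * 60


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session registry: the mobile client holds only an opaque random token."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable clock so expiry is testable
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits of randomness; unguessable
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None (and purge it) if expired or unknown."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_S
        absolute_expired = now - session.created_at > ABSOLUTE_LIFETIME_S
        if idle_expired or absolute_expired:
            del self._sessions[token]            # expiry is enforced here, not trusted to the app
            return None
        session.last_seen = now                  # sliding idle window
        return session.user_id

    def invalidate(self, token: str) -> None:
        """Logout: remove the session server-side so a captured token is useless afterwards."""
        self._sessions.pop(token, None)

    def invalidate_all_for_user(self, user_id: str) -> int:
        """Revoke every device's session, e.g. after a password change or a reported stolen phone."""
        doomed = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo() -> dict:
    """Walk a session through its lifecycle with a fake clock and report each outcome."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    token = store.create("alice")                # constructed user
    results = {"fresh": store.validate(token)}
    clock[0] += 5 * 60                           # 5 minutes later: inside the idle window
    results["after_5min"] = store.validate(token)
    clock[0] += IDLE_TIMEOUT_S + 1               # idle too long: the server kills the session
    results["after_idle"] = store.validate(token)
    token2 = store.create("alice")
    store.invalidate(token2)                     # explicit logout, enforced on the server
    results["after_logout"] = store.validate(token2)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the injectable clock is that expiry logic is exactly the kind of code that is rarely tested; with it, the idle and absolute timeouts can be checked in a unit test without waiting.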
Tips to minimise the above risks
There are hundreds of things a developer needs to bear in mind to develop secure mobile applications, but a large number of attacks can be prevented by following these ten simple steps.
- Threat model your mobile applications – Think about all the possible ways that your applications could be compromised. What happens if a user’s phone gets stolen? What if a malicious app is somehow installed on the device? What if the device connects to an untrustworthy Wi-Fi network? It’s only by modelling these attacks that you can think about ways to protect against them.
- Be careful with what you store on user devices – As a rule, don’t store anything on the user’s device that you don’t have to. The less confidential or potentially sensitive information you store on the user’s device, the better.
- Use two-factor authentication wherever possible – Two-factor authentication can help you to protect against numerous attack types. For example, if your app asks the user for a password, you can ask them to draw a pattern, or type a memorable word too.
- Obfuscate code before release – You want to make it as hard as possible for an attacker to reverse engineer your application. By obfuscating code, you increase the level of skill required by an attacker to cause damage.
- Carefully manage 3rd party services – Don’t accept communication from other apps or web services without protection. A good policy is to whitelist other applications or services, so that only they can communicate with your application. Treat all communication as suspicious, even from whitelisted applications.
- Utilise minimum security best practices – Minimum best practices can stop 80% of security attacks. This is just as true for mobile applications as it is for other platforms.
- Don’t store keys in RAM longer than necessary – When you hold encryption keys in memory, clear the variable as soon as you are done with it. Don’t leave encryption keys, unencrypted passwords or other sensitive information sitting in memory for long periods of time.
- Fully validate SSL certificates – Always fully validate SSL certificates with any server you communicate with, and don’t transmit sensitive information without SSL enabled.
- Use appropriate session controls – Kill sessions when the device isn’t used for a period, both on the device itself and at the server side. Don’t leave sessions open or unchecked for long periods of time.
- Always store data securely – Use proven encryption algorithms to store sensitive data on a user’s device. Never store sensitive data like usernames, passwords, or personally identifiable information in plain text.
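The “Always store data securely”, “Don’t store keys in RAM longer than necessary” and “Broken Cryptography” points come together in how credentials are stored and handled. The following is an added example, not from the original article: a Python standard-library illustration of storing a salted PBKDF2-SHA256 hash instead of a plaintext password, verifying it with a constant-time comparison, and overwriting a derived key buffer once it has been used. The iteration count, salt length and sample record are constructed for the example; on a device the platform key store (Android Keystore, iOS Keychain) would hold the key material, and a native implementation can wipe buffers more completely than Python, whose immutable bytes objects cannot be scrubbed.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed parameters for the example. PBKDF2 with HMAC-SHA256 is a standard,
# widely reviewed construction; a home-grown scheme is the "broken cryptography" anti-pattern.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
KEY_LEN = 32

# Anti-pattern for contrast (never do this): record = {"user": "alice", "password": "hunter2"}


def hash_password(password: str) -> str:
    """Return a record to store *instead of* the password: iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_LEN)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=KEY_LEN
    )
    # compare_digest does not short-circuit on the first mismatching byte,
    # so response timing does not leak how much of the hash matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def use_key_then_wipe(password: str, salt: bytes, record: bytes) -> Tuple[str, bytes]:
    """Derive a key into a mutable buffer, use it once, then overwrite it in place.

    Returns the MAC that was computed and the buffer's contents afterwards, so a
    caller (or test) can confirm the key no longer sits in that memory.
    """
    key = bytearray(
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)
    )
    try:
        tag = hmac.new(bytes(key), record, "sha256").hexdigest()   # the only use of the key
    finally:
        for i in range(len(key)):                                  # zeroise before leaving scope
            key[i] = 0
    return tag, bytes(key)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")        # constructed password
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(use_key_then_wipe("correct horse battery staple", os.urandom(SALT_LEN), b"example-record"))
```

Two details matter in practice: a new random salt per password means two users with the same password get different records, and the iteration count is stored alongside the hash so it can be raised later without invalidating existing records.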
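For the “Fully validate SSL certificates” tip and the “Insufficient Transport Layer Protection” risk, the following is an added example, not code from the original article. It shows, in Python’s standard `ssl` module, a client TLS context that validates the certificate chain and hostname and refuses anything below TLS 1.2, next to the common anti-pattern of switching validation off to make a certificate error go away, plus a guard that refuses to send sensitive data to a non-HTTPS URL. The function names and the sample URLs are this example’s own; `open_verified_connection` needs network access and is not exercised offline.

```python
import socket
import ssl
from typing import Optional
from urllib.parse import urlparse


def make_client_tls_context() -> ssl.SSLContext:
    """Strict client context: chain validation against the system trust store,
    hostname check and TLS 1.2 minimum. create_default_context() already turns on
    the first two; they are set explicitly here so the intent survives review."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context_for_contrast() -> ssl.SSLContext:
    """The anti-pattern: 'fixing' a certificate error by disabling validation.
    Any attacker on the same Wi-Fi can then present a certificate of their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_validating(ctx: ssl.SSLContext) -> bool:
    """What a unit test or code review should assert about every client context."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def require_https(url: str) -> str:
    """Refuse to send sensitive data over plain HTTP; returns the host on success."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing to send sensitive data over {parts.scheme or 'non-https'}")
    return parts.hostname


def open_verified_connection(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the strict context; a bad chain or wrong hostname raises
    ssl.SSLCertVerificationError instead of silently proceeding."""
    ctx = make_client_tls_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("strict validates:", is_validating(make_client_tls_context()))
    print("insecure validates:", is_validating(make_insecure_context_for_contrast()))
    print(require_https("https://api.example.com/login"))   # constructed URL
```

The `server_hostname` argument is what makes the hostname check meaningful: without it the library cannot tell whether the certificate it received was issued for the host the app intended to reach.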