Keeping Your Mobile App Secure: A Primer

There’s a seemingly infinite amount of mobile apps out there right now. There’s also a tremendous amount of unfortunate security breaches related to those same mobile applications. The question that most organizations should be asking themselves in this day and age, is how to protect your apps from a malicious attacker. To give you more of a reason to be considered about this, consider that 100% of the top 100 mobile applications on the Google Android platform had been hacked.

Now that I’ve got your attention. With companies increasingly allowing BYOD programs, it’s often tough for IT professionals to secure data on mobile devices when they aren’t able to assess the security of certain mobile applications.

Securing the Code:

When the code is typically the first thing to be attacked by mobile malware, secure code means a secure mobile app. Attackers are able to obtain a public version version of an app and reverse engineer it. Once finished, the attacker repackages the application as a rogue app with malicious code to be sent to third party app stores. These rogue applications wait patiently on the third party store for an unsuspecting consumer to download them, where the malware can effectively compromise their devices. While the Google and Apple app stores have measures to ensure that “rogue apps” stay off their store, third party stores will allow any application to be hosted without question. Your organization should work closely with your app developer to detect any security blank spots in the code and take the appropriate measures to strengthen the security of the app.

OWASP.com recommends these ten tips to making sure your app’s code is bulletproof:

  • Identify and protect sensitive data on the mobile device
  • Handle password credentials securely on the device
  • Ensure sensitive data is protected in transit
  • Implement user authentication/authorization and session management correctly
  • Keep the backend APIs (services) and the platform (server) secure
  • Perform data integration with third party services/applications securely
  • Pay specific attention to the collection and storage of consent for the collection and use of the user’s data
  • Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls etc…)
  • Ensure secure distribution/provisioning of mobile applications
  • Carefully check any runtime interpretation of code for errors

Database Encryption

Now that your code is secure, you need to think about encrypting your data as well. Bandwidths and connection qualities on mobile devices vary tremendously meaning that in addition to more client-side code being required, more data is also being stored on the device itself. The web allows desktop applications because of the steady connection. However, on mobile devices, the information must be stored on the device itself. This big difference between mobile and desktop applications is the reason that many app developers use mobile databases such as SQLite, or store data on a local file system. Encryption modules are highly recommended to ensure that the user experience isn’t while also maintaining device-stored data in a secure manner.

Watch out for data in Transit!

When your mobile application is beginning developed, you should be sure that app relevant information is secured when in transit between you and your developer. This prevents any privacy leaks from occurring. This may seem pretty basic to anyone who’s dealt with wed security before, but it may be new to app developers. If you want to make sure that the data being sent between client and developer is secure, then its recommended that you use an SSL or VPN tunnel that can protect data in transit from eavesdropping.

Leave a Reply

Your email address will not be published.