Everywhere you look, people are on their smartphones. These devices have become a permanent fixture in our lives. We spend more time on our smartphones than we do on our desktops, making mobile devices a bigger target for cyber attacks. To make matters worse, the vast amount of personal data—and the sensitive nature of that data—we store on our phones makes the prize of a successful hack quite valuable.
One of the most common ways smartphones are hacked is through mobile applications. A user may download what turns out to be a fake app from an untrusted source. Once on your phone, the app is able to access your personal information and data before you realize its illegitimacy. Poor judgment is a frequent cause of stolen data.
Other times, code exploits and malware are to blame. Google and Apple both work hard to provide a secure mobile operating system. Google’s Play Protect, for example, scans users’ phones for suspicious apps. But mobile apps cannot rely only on Google and Apple for security. A recent report from the Federal Trade Commission (FTC) found that mobile devices are just not getting the security updates and patches they need frequently enough.
The increase in security breaches in mobile apps has made mobile application security something that cannot be ignored or pushed aside. It needs attention now more than ever.
Let’s take a closer look at the top mobile application vulnerabilities, as well as ten tips to help you improve mobile application security so you can take the necessary precautions when designing, developing, and supporting mobile apps.
Top mobile app vulnerabilities
The Open Web Application Security Project (OWASP) has published a list of the Top Ten Mobile Risks. The most recent version of this definitive list was updated in 2016. It can be used as a checklist for the most significant mobile app vulnerabilities you should be aware of.
The 2016 list includes:
- Improper platform usage—This is the failure to use available platform security measures, or the misuse of a platform feature. It can be prevented by secure coding and configuration on the server side.
- Insecure data storage—This becomes an issue in the case of a lost or stolen device, or when an attacker gets into the device, and sensitive data is easily accessible. It can be prevented through proper mobile application security testing (typically threat modeling) to identify the information accessed by the app, and how that information is handled by APIs.
- Insecure communication—Data that is transmitted or exchanged by the mobile app must be secure. There are various steps you can take to enhance the security of data exchange, such as encrypting sensitive data and using SSL certificates.
- Insecure authentication—This means the app (and its data) can be accessed without strong credentials. Weak passwords are an example of insecure authentication. Strong processes should be implemented, such as multifactor authentication.
- Insufficient cryptography—Sensitive data that is weakly encrypted is more easily retrieved. You should only store sensitive data if it is absolutely necessary, and follow strict standards when encrypting the data.
- Insecure authorization—Authorization deals with the permissions granted to or by a user. Some apps do not perform adequate checks to ensure the user is legitimate. Insecure authorization enables attackers to gain access to an app, perform administrative functions, and wreak havoc. Roles and permissions should be verified based on information from the system backend rather than the device itself to prevent this from happening.
- Client code quality—It is a problem when mobile application code contains vulnerabilities that leave it open to threats. Proper mobile app security testing and remediation procedures reduce the risk of poor code quality.
- Code tampering—Attackers often create an unauthorized version of an app, which is then downloaded by users and installed on their devices. Your app must be able to detect changes that have been made and identify them as potential violations to be addressed.
- Reverse engineering—Attackers can sometimes download your app and study the code. They can then steal proprietary information or launch an attack against your app. You can prevent this type of threat with an obfuscation tool, which makes your code more obscure and difficult for an attacker to understand.
- Extraneous functionality—An attacker may download your app and look for functionality and code that may have been left behind by developers. The attacker can then gain access using these unused functions, and determine how backend systems work, or even execute unauthorized actions in the app. Prevention lies in a thorough code review.
For a deeper look at these vulnerabilities and more tips on how to prevent them, consult the OWASP resource directly.
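The insecure authorization item above recommends deciding roles from backend information rather than from the device. The following added example (not from the article or OWASP) contrasts a handler that trusts a role claim in the request body with one that reads the role from a constructed backend user table; the user table, request shape and handler names are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed backend user table: the server's own source of truth for roles.
USERS = {
    "u1": {"name": "alice", "role": "admin"},
    "u2": {"name": "bob", "role": "user"},
}


@dataclass
class Request:
    user_id: str  # filled in by the server from the verified session, never by the client
    body: dict    # JSON payload exactly as the mobile app sent it


def delete_account_insecure(req: Request, target: str) -> str:
    """Vulnerable pattern: the 'role' field arrives from the device, so any
    client can simply claim to be an administrator."""
    if req.body.get("role") == "admin":
        return f"deleted {target}"
    return "forbidden"


def delete_account_secure(req: Request, target: str) -> str:
    """Hardened pattern: the role is looked up in the backend record of the
    authenticated user; whatever the device put in the body is ignored."""
    user = USERS.get(req.user_id)
    if user is None or user["role"] != "admin":
        return "forbidden"
    return f"deleted {target}"


if __name__ == "__main__":
    # bob is an ordinary user but sends a forged role claim from the device
    forged = Request(user_id="u2", body={"role": "admin"})
    print(delete_account_insecure(forged, "u1"))  # the forged claim is honoured
    print(delete_account_secure(forged, "u1"))    # backend role wins: forbidden
```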
Other mobile app vulnerabilities to watch out for are:
- Insufficient session expiration—After a user signs out of the application, the session identifiers should be invalidated. If they are not, attackers can reuse them to gain access to the app and act as the user. Prevention lies in ensuring your app has a logout button and that all sessions are properly invalidated when logout occurs.
- Weak server-side controls—Your mobile app will access servers, whether your own or those of third-party systems. These servers need to have proper security measures in place to prevent unauthorized users from gaining access to the app and its data.
Ten tips to improve mobile app security
There are many steps you can take to improve mobile app security. Here are ten tips to get you moving in the right direction.
1. Build mobile application security testing into the development process.
Mobile app security needs to be part of the process from day one, and remain a priority throughout the design, development, and maintenance of the app. You should use a variety of application security testing tools to ensure comprehensive coverage for your application. For a deeper look at the different types of application vulnerability testing software, check out our recent article.
An application vulnerability correlation (AVC) tool can help you make sense of the results from these testing tools. With an AVC tool, duplicates are automatically removed, and results are cross-referenced to identify which threats are the highest priority and should be addressed first.
2. Be wary of third-party code.
Using third-party code can save you time and money, but you cannot assume it is always safe and secure. Third-party code is a good choice in some cases, but it must be thoroughly reviewed for vulnerabilities just as you would review the code your developers have written. You cannot and should not assume it was properly reviewed already.
3. Adopt the mindset of an attacker.
Encourage your developers and programmers to think like an attacker when they are writing the code for your mobile application. Is it easily exploitable?
4. Create an API security policy.
APIs are how data is exchanged and transmitted from your app. They need to be secure. Test your APIs for vulnerabilities in the same manner you test your code.
5. Use the OWASP Mobile Security Project and Mobile Application Security Verification Standard.
The OWASP Mobile Security Project is a resource for developers and security teams to assist in the development of secure mobile applications. Check there regularly for updates and new information when designing, building, and maintaining mobile applications.
The Mobile Application Security Verification Standard provides a baseline for mobile application security. It is an excellent resource that should be used as a guide to help you determine if your mobile app is secure.
6. Keep permissions to a minimum.
One of the best ways to keep your app secure is to only give it access to what it really needs. Each permission—to contacts, images, and other data on the phone—is another point of entry into the app that attackers can exploit.
If your app does not need access to a given item, do not request that permission. You’re unnecessarily inviting security problems.
7. Treat personal and sensitive data with white gloves.
Do not store personal or sensitive data in your app. It should be deleted or moved to a secure location. If storing sensitive data is a requirement, follow proper encryption protocols.
8. Follow secure data transmission procedures.
Apps exchange data, and it must be done securely. Data can be encrypted to provide secure transmission, or you can use VPNs (Virtual Private Networks), SSL (Secure Sockets Layer), or TLS (Transport Layer Security).
9. Follow proper user authentication, authorization, and user management processes.
Require strong passwords and encrypt them when added security is needed. Sessions should be logged out after periods of inactivity. Use stronger authentication, such as fingerprints or voice verification, when sensitive data is being stored.
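Both the "insufficient session expiration" item earlier and the inactivity logout in this tip come down to a server-side session table that forgets identifiers on logout and after idle time. The following is an added example (not from the article): a minimal in-memory store with an injectable clock so the idle timeout can be exercised deterministically; the 15-minute timeout and the class and method names are assumptions.

```python
import secrets
import time
from typing import Callable, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; tune to the app's risk


class SessionStore:
    """Server-side session table: identifier -> (user_id, last_seen).

    The identifier is a random token with no user information in it, so the
    only way to turn it back into a user is this lookup on the backend."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: dict[str, tuple[str, float]] = {}

    def login(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[sid] = (user_id, self._now())
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a presented identifier, or None if the session
        is unknown, was logged out, or has sat idle past the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, last_seen = entry
        if self._now() - last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # expired: drop it so it can never be reused
            return None
        self._sessions[sid] = (user_id, self._now())  # activity refreshes the clock
        return user_id

    def logout(self, sid: str) -> None:
        """Invalidate on the server; clearing the token on the device alone
        would leave a stolen copy usable."""
        self._sessions.pop(sid, None)

    def logout_all(self, user_id: str) -> int:
        """Revoke every session of one user, e.g. after a password change."""
        doomed = [s for s, (u, _) in self._sessions.items() if u == user_id]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)
```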
10. Comply with required regulations.
Your app may be subject to certain regulations, such as HIPAA. Be aware of the regulations that apply to you and address them from the start.
Mobile application security is becoming more important as people continue to spend more time on these devices and, more specifically, in mobile apps. You need to do everything in your power to make sure you are taking all necessary precautions and creating a mobile app that is secure.
Users expect security to be built in. Failing to make this a priority—and subsequently suffering from an attack—will result in your application failing spectacularly, and your company’s name being tarnished. Use the resources and tools available from the experts to make sure your security coverage is comprehensive.