Published on December 10th, 2016 | by Guest0
How to Increase Mobile App Security: 5 Best Tips
We love to speak about the mobile security at TecSynt. Needless to say, that our lives right now entwined with mobile gadgets like never before. Numerous types of mobile devices, mobile OS’ and apps. Like, we literally live in the future that was described ten years ago in science-fiction books… Every one of us keeps an awful lot of some really personal data there – stored on our iPhones, iPads, Smartphones and BlackBerrys. They know about us sometimes more than our friends and families… From our location to hangouts and hobbies! Almost every part of people’s everyday life connects with a mobile phone or another device – we keep there photos, videos, messages, contact lists, credit details and different valuable information regarding our jobs, while most of us don’t even concern about the safety of this data. Somehow we just hope that someone already thought about it for us… We willingly exchange some of this information for “free” services from Google, for example, but there are plenty of less pleasant people that would also like to get their hands on our personal data.
Cyber attacks, black hats, greedy criminals and thieves… We don’t even imagine how much does it mean these days to secure the content of our mobile phones! Yes, we install the security apps built specifically for iPhones and Smartphones… But is it enough? Are we safe? In this age of the digitalization of business processes and users lives in any minute all that we have can be easily hacked and stolen… Through just some custom app that we downloaded from the App Store. How? Why? Well, the reasons are always different, but the ways are similar.
Recent research by Arxan found that:
• All of the top 100 paid Android apps on Google Play Store had been hacked
• 73 percent of the most popular free apps on Google Play Store had been hacked
• 56 percent of the top paid iOS apps on Apple Store had been hacked
• 53 percent of the most popular free iOS apps on Apple Store had been hacked
There is a trend right now to develop more and more enterprise applications for employees and customers. How will they protect their users? Which way the risk of information theft can be reduced? As the number of Internet-enabled mobile devices continuously expands, the mobile application industry will also grow. The techniques will change and every developer should keep up with this pace, always investigating new solutions for data protection within their apps.
“The mobile environment is evolving and presents new vulnerabilities and threats. App developers lack mobile expertise and tend to apply traditional application development practices to mobile with a focus on functionality, not security.”
Dionisio Zumerle, research director at Gartner
Security is becoming a major concern as more and more people starting to use the Internet via mobile apps and services. Every mobile device these days is Internet-connected – WiFi, 3G/4G, doesn’t matter. The only thing we should focus on – this represents the direct threat to our personal information stored in mobile gadget. Most of us can’t live through the day without some mobile apps, purchased through Apple’s App Store and Google’s Play Store. Huge business organizations have welcomed mobile apps as a way to raise up employees’ productivity by letting them work in mobile lifestyle. Therefore the security of any mobile app is the top priority for any developer. Mobile app development companies must take extra precautions to secure their products if they don’t want to put their reputation at risk and lose their customers.
While developing some new app you need to ask yourself these questions:
- Is your mobile app really safe to use?
- Is it well-protected from ingenious hackers?
If the answer is no and you confused what to do next, let us help you a little. Want to know how to secure an iOS app or how to improve an Android app security level? Below we prepared for you 5 Best Tips you can use to ensure the security of your product through all the stages of mobile app development. Bear in mind that most of the app security problems can be solved by integrating security processes right from the earliest stages of app development.
How to Increase Mobile App Security? A guide for startups
How can mobile app developer ensure high level of mobile app security for the clients? What aspects of the mobile app development process does he or she need to take into consideration to provide the user with the maximum amount of protection? Based on this an app can become truly popular and successful, because what matters the most is the fact – if an app can offer a great and safe user experience. Establish mobile app security and you’ll open the doors to future success of your product. Not to mention, integrating right security measures on the early stages of mobile app development saves you a lot of time, budget and effort, which you may need to use later.
So, here we go, the following tips will help you to see what does it mean mobile app security and to design and execute a secure mobile application.
Tip 1. Research the subject – knowledge is everything
How can you gain more knowledge about mobile apps security? Mobile security is a rapidly growing industry. As a startup developer, you have to learn about the internal structure of a mobile app and how hackers can access the information stored in the mobile device. To keep up with this you should do the research on the latest aspects of mobile security, check the IT-forums and websites and get in touch with experts on the subject. We also recommend reading popular blog posts on mobile security like this one by Paul Ionescu, the leader of Ethical Hacking Team at IBM, about Top 10 vulnerabilities faced by the Open Web Application Security Project.
The Internet is your best friend – there are many reports and research about mobile security, variable articles about hackers attacks on the most vulnerable areas of the enterprise apps. Learn about the efforts business corporations put in their mobile security development. What are they lacking? How do they manage to maintain their apps security? There are also some webinars to help you find out more about mobile app security specifics.
Your goal is to learn about as many security issues and vulnerabilities as possible and then focus on those that concern your app functions. Search for the resources that will help you to learn how to detect and remedy effects after mobile app security attacks. Find the tools for identifying security issues in the app with the recommendations how to remediate them.
Here are some more ways how you can expand your mobile application security knowledge:
1. Review Findings From Information Security Media Group’s ‘The State of Mobile Security Maturity,’ Sponsored by IBM.
2. Read the blog ‘The 10 Most Common Application Attacks in Action’. A webinar “Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 From Happening to You” is also available online.
3. Consult the Ponemon Institute’s ‘The State of Mobile Application Insecurity,’ sponsored by IBM. You’ll learn how organizations currently struggle to manage mobile security and how the “rush-to-release” phenomenon often results in the release of mobile apps that lack the highest level of protection against data leakage and malware.
4. Read about how IBM and Arxan Technologies have partnered to improve Mobile Financial Application Security Protection.
Tip 2. Build safe architecture for your app. Protect the Data
It is definitely a highly risky challenge to develop a secure mobile app, because the mobile devices are extremely vulnerable to external hacker’s attack and can be jailbroken. This awfully often happens with Androids and iPhones. A jailbroken device gives a hacker access to the source code, thus the ability to change and redevelop the whole mobile app.
So your first priority is to secure the data preventing it from theft and leakage. Ideally, your app should be designed to forbid the storage of critical information directly on a device.
Two basic points:
- Do not store non-essential personally-identifiable information inside your app.
- Do not store any credit card info on the device.
iOS apps should store all the secrets and credentials in the KeyChain, passwords should be also stored in an encrypted data section of KeyChain.
Keychain – the defaults system, accessible through the NSUserDefaults class, is a fast and convenient way to store chunks of data. Even though the KeyChain is managed by the operating system, by default, other applications don’t have access to the items your application stores in the KeyChain.
For Android, all the sensible data and passwords should reside within encrypted storage in the internal app data directory, and the app should be marked to disallow backup.
Internal storage – files inside this directory are very secure because they use the MODE_PRIVATE file creation mode by default. This means the files cannot be accessed by any other app on the device. Therefore, it’s the best place to store all the sensitive data of your app in the internal storage directory.
Files that you create on internal storage are accessible only to your app. To add some more protection for valuable data, you can encrypt local files using a key that is not directly accessible to the app.
Tip 3. Connection with the backend
APIs (Application Programming Interface) should be verified and proper security methods to be employed to ensure only authorized personnel have access. All app communication should be encrypted – it’s the critical issue.
To communicate with the app use only native SSL libraries on the OS. Some precompiled third-party libraries have vulnerabilities, such as HeartBleed, you do not know what they do, which can lead to unnecessary external attacks. Do not download libraries from non-trusted sources. You need mutual SSL authentication in your apps to validate server connections to ensure that your app is communicating to the server you expect.
Also, all communications between the app and the server must be over an HTTPS connection by using the HttpsURLConnection class. The usage of HTTPS, as long as the server is configured with a certificate issued by a trusted certificate authority, allows you to be sure that your network traffic is secure against eavesdropping and man-in-the-middle attacks.
One more way to protect your iOS app or an Android app is to use modern algorithms that are accepted as strong and whenever possible use state-of-the-art encryption APIs within chosen mobile platforms, AES (Advanced Encryption Standard) with a 256-bit key for encryption and SHA-256 for hashing. Do not ever store files unencrypted and make sure that encryption libraries are fully utilized. Mobile data encryption also can be used to secure data within the application sandbox.
Couple of steps you need to take during this stage of app development:
- Try to use the highest level of pre-existing framework implementation that can satisfy your current needs. To securely retrieve a file from a known location a simple HTTPS URI is suitable and it requires no knowledge of cryptography. But if you need a secure tunnel, you should use HttpsURLConnection or SSLSocket instead of writing your own protocol. If either way, you do need to implement your own protocol, we strongly recommend you to rely on the existing cryptographic algorithms (AES or RSA).
- Use a secure random number generator (SecureRandom and KeyGenerator) to generate any cryptographic keys. Otherwise, the strength of the algorithm will be significantly weaker, which may allow offline attacks. If you need to store generated key for later use, a tool like KeyStore will provide you with a mechanism for long-term storage and retrieval of cryptographic keys.
- Also, don’t forget to secure your code against any kind of tampering and reverse engineering by obfuscating your software code using a third-party tool, which makes it harder for an attacker to understand what your app is doing. For Android, there is a tool called ProGuard, which is included in the Android SDK, that lets you obfuscate your code during packaging. Android Studio automatically includes ProGuard in the build process if the build type is set to release. The default ProGuard configuration available in the Android SDK is sufficient for most apps.
Tip 5. Check & Test & Security Training
The strong and powerful tactic in the mobile app development field is to not rush with the release, but instead to test and check your app for bugs properly and accurately. After you’re done with the data and code securing battle you’ll need to sit down, make a deep breath and start beta-testing your app to find out if there are some security breaches present.
What do you need to do? Let’s see.
- Tools like AppScan and Proofpoint Mobile Defense tools will help you to do thorough analysis of your product and validate its behavior before release. Use them to check your app for security issues.
- Look for third-party expertise — let your team members or external parties review your app’s code. Ask a fellow developer to re-examine your code and provide feedback on your app. I personally recommend you to hire a consultant or mobile app security specialist from mobile app development company to help avoid all the unpleasant pitfalls regarding security problems your app may consist. Such expertise may be able to find and fix some bugs which you didn’t notice during earlier stages of the app making.
- And then test your app some more. Thoroughly, step by step, feature by feature, function by function. Assure yourself that the product is completely free of security and other issues. Whether you do it alone or use external help, always test your app before release by using a third-party tool for app security testing. And after the launch don’t forget to do regular health checks constantly to identify weak spots of your app.
- App developers should have the basic training in maintaining app security and achieve a basic level of knowledge in the field of mobile app security. Developer in the big IT-company should receive regular and mandatory security training, so that they can constantly learn and keep up with the best practices for developing secure apps. Any developer needs to know basic terminology, security processes and the technique of implementing appropriate strategies to effectively deal with the app security issues.
Okay… This was just some basics, while the mobile app security field is so huge and many-sided you can’t even imagine. You’ve literally must do your homework and pay attention to the details during the app development process. There is nothing irrelevant – everything matters.
So, just in case, while we’re still here there are another couple of tips to improve android app security below:
- Use intents for IPC.
- Use GCM Instead of SMS.
- Avoid Asking for Personal Data more than necessary. Use Google Identity Platform.
- Validate User Input.
- Use user-granted permissions to restrict access to system features and user data.
- Use application-defined permissions to control application data on a per-app basis.
- Use technologies like ASLR, NX, ProPolice, safe_iop, OpenBSD dlmalloc, OpenBSD calloc, and Linux mmap_min_addr to lower the risks associated with common memory management errors.
- Don’t use the dynamically loading codes.
- Use the Android SDK, rather than native code with the Android NDK. Applications built with native code are more complex, less portable, and more like to include common memory corruption errors such as buffer overflows
To find out more about iOS app security we recommend to study the ‘iOS Security Guide’.
Also, there is a really useful guide for you called ‘Secure Mobile Development: Best Practices Tips for Android and iOS development’.
As an option, you can buy yourself this ‘Android Security Cookbook’ (print + eBook versions).
What else?.. Did we forget anything? Oh, yes. What about the mobile security budget? How much does it cost and how it will affect the price of your app? Well, depends on what security investments are you ready to make. Needless to say, the more serious you take it the higher will be the final price of the app. But to explore it further and dive deep into these questions you need to study the mobile security landscape on a serious level.
The security of an iOS or Android app is a top responsibility for any mobile app developer. It is essential to secure a mobile app from hackers and frauds. Mobile app development companies must train their workers to expand their mobile app security knowledge to learn how to guard critical users data against hacker attacks. It’s the only right way to reduce the risk that comes with mobile gadgets usage. The developer needs to treat the user’s personal information with respect. He or she needs to keep in mind that even though the information may look unimportant to developer, it is important to the user.