Every day hundreds of new mobile applications go live on Google Play, the Apple App Store, the Amazon Appstore (25 million users), Tencent (80M users), Wandoujia (200M users) and other stores, in both the paid and free segments. Millions of users have access to these applications and many download them as the need arises. More than 80% of applications handle some kind of sensitive personal information (SPI) such as name, gender, date of birth, address, bank/credit card details, geolocation, etc., and protecting such applications and the sensitive information they hold has become a primary concern for app developers and enterprises alike.
Securing data is as important as securing devices and servers. Security experts advocate securing the network, encryption/decryption, databases, servers and devices, but they mostly overlook that it is the data itself that is vulnerable and must be protected at any cost. Here we discuss various security challenges and the methods to overcome them, and hence to secure mobile applications.
API Services Vulnerability
Before a mobile application goes live, its API services go live first, and they are not only accessible from mobile devices but can be reached from the web as well. Developers or attackers can discover these services and perform man-in-the-middle attacks to modify the data coming from the mobile device, thereby compromising your systems. As a solution, the API(s) must be secured: identification of the client and its permission to use the API must be configured on the server side. To ensure the APIs can withstand attack, they must be thoroughly tested by security testers.
I would recommend using a good programming language such as Java, enterprise-level libraries (open-source or commercial), industry-recommended stable frameworks (e.g., OAuth 2.0) and good servers/middleware. While using open-source libraries, make sure that they are reliable and secure.
Securing Offline / Device Data
Though mobile networks are widespread, they do not cover every place a user travels or intends to travel. In such cases a user may need offline data to keep his/her work going. While every mobile application has its own set of local files, databases and cache, it is possible for applications to access other apps' data. Mobile devices are also affected by malware, and in turn data can be compromised. The mobile OS provides security features, but they do not entirely prevent attackers from achieving their goals. Hence, to keep your mobile application and its data safe, avoid storing critical information on the file system or in a local database unless the business requirement demands it. In that case, encrypt the data you consider sensitive while making sure the encryption is not easily breakable. Use AES/Rijndael (a symmetric block cipher which supports key sizes of 128/192/256 bits) for encryption with the larger key size, and use SHA-256 or stronger for hashing. Decide deliberately what you need offline and what you do not, and plan accordingly.
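As an added example (not code from the original article, written in Go so it runs stand-alone; the same logic applies in the app's own language), the following shows the approach recommended above for offline data: a record is encrypted with AES-256-GCM under a key hashed with SHA-256 from a device-keystore secret, and any tampering with the stored blob is detected on decryption. The keystore secret and the file label are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey hashes a high-entropy keystore secret into a 32-byte AES-256 key. Assumption:
// the secret is in the platform keystore (not a constant); a user password needs PBKDF2/Argon2.
func deriveKey(keystoreSecret []byte) []byte {
	sum := sha256.Sum256(keystoreSecret)
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts with AES-256-GCM (output nonce || ciphertext || tag); label is
// authenticated but not encrypted, e.g. the file name, so a blob moved elsewhere fails to open.
func sealRecord(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// openRecord reverses sealRecord; any modified byte makes the GCM tag check fail.
func openRecord(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], label)
}
```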
Secure Your Communication Channel
Most applications are client-server based and hence exchange a lot of data back and forth over the network. Network channels are prone to tampering and eavesdropping, and this is the reason one must secure the channel using either Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS).
As said above, securing your channel in this manner never guarantees 100% security. To enable two-way authentication, it is recommended to use certificate or public key pinning. Additionally, you must use the right SSL/TLS version and keep your certificates up to date at all times. Watch out for flaws in your network infrastructure and the layers beneath it by getting it thoroughly tested for poor handshaking and weak negotiation.
Identity and Access Management
To access an app and operate it, the user needs to validate his/her identity, and most mobile applications apply authentication policies as standard practice. If the network is not secure enough, the credentials can easily be stolen by attackers. On the other hand, an authenticated user is not necessarily authorized to perform every kind of operation in the app. As a solution, the user must be re-authenticated from time to time, their privileges must be tracked, and every critical action/operation must be re-validated. Server-side session management plays a vital role here, hence it must be designed well. Anonymous access to any resource must be prohibited by the server.
Enterprises and individuals encrypt data and content when they consider it critical. To encrypt/decrypt plaintext and binary data they follow a certain algorithm, but the algorithm, its mechanism or its implementation may be flawed, resulting in poor resistance to attack. Implementing cryptography with strong algorithms is one way of ensuring data security for device-resident data, for data in transit during device-to-server and server-to-device communication, and for the backend data stores alike. Use strong encryption algorithms such as AES/Rijndael, Twofish, Serpent and RC6 for encrypting the content. Get your security implementation thoroughly tested by professional security engineers.
Poor Code Review / Release
When we discuss securing applications, data and networks we miss the fact that developers themselves introduce security flaws into code by hard-coding credentials, IP addresses, URLs and backdoor access into mobile applications. Commenting out passwords or other text in HTML code (hybrid or mobile web applications) does not remove them. Attackers can read such information and use it to break into backend systems. A thorough code review must be conducted to see whether any critical information is hard-coded in the code or backdoor access has been enabled for developers' or testers' convenience; if found, these must be fixed before releasing the final product. The Apple App Store and Google Play have their own review processes, but these are not a thorough code review, so ensure you do a thorough static code analysis and review yourself, and rewrite the code if needed.
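Added example, not from the original article: a small Go review scanner that flags the patterns the paragraph names (hard-coded credentials, IP addresses and URLs, credentials left in comments, and backdoor switches). The regex rules and the `sample` source are constructed for the demonstration; treat its output as review leads, not a verdict.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one line flagged by the review scan.
type Finding struct {
	Line int
	Rule string
	Text string
}

// rules encode the review points from the text: credentials, IP addresses and URLs
// baked into source, credentials left in comments, and developer backdoor switches.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"hardcoded credential", regexp.MustCompile(`(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']+["']`)},
	{"hardcoded IP address", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)},
	{"hardcoded URL", regexp.MustCompile(`https?://[^\s"']+`)},
	{"commented-out credential", regexp.MustCompile(`(?i)^\s*(//|#|<!--|/\*|\*).*(password|passwd|secret)`)},
	{"debug/backdoor switch", regexp.MustCompile(`(?i)(backdoor|bypass[_-]?auth|debug[_-]?login|skip[_-]?auth)\s*[:=]\s*true`)},
}

// scanSource runs every rule over every line and reports all matches, so the reviewer
// can decide what must move to server-side configuration or be removed before release.
func scanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if r.Re.MatchString(line) {
				out = append(out, Finding{i + 1, r.Name, strings.TrimSpace(line)})
			}
		}
	}
	return out
}

// sample is a constructed snippet (not from any real app) showing the patterns above.
const sample = `package api

const baseURL = "https://api.example.test/v1"
var adminPassword = "Sup3rS3cret!" // TODO remove before release
// old password = "hunter2"
var backdoor = true
func connect() { dial("10.0.0.12:8443") }`
```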
Binary Tampering & Reverse Engineering
Smartphone applications are nothing but a number of binary files archived together into a single file. Once the application code is finalized, reviewed and released for distribution, developers usually consider it secure. This is not true, though. The binaries can be reverse-engineered by programmers to recover source code, images, libraries and other important content. Attackers can access the binaries, the underlying code and the third-party libraries used inside them. They can modify the application's data, resources, libraries, APIs, etc., which may give them insight into your application, servers, data stores and other critical information, as well as the architecture of the implementation. Hackers will be able to duplicate the UI of the app with approximately 10% of the original effort or less. Load critical resources at runtime (from the server) and remove them when not in use. Signing your binaries does not solve the issue entirely, but it helps verify the identity of the publisher and the integrity of the code itself. Ensure poor code review/release is addressed as well.
Server Session Management
Usually, enterprise mobile applications operate with the help of middleware or MBaaS (Mobile Backend as a Service) servers. These servers take care of many aspects, one of which is session management. Once a user session is established with the server, an attacker who hijacks it can perform operations on the server as that user. These servers usually enforce a session timeout as a security measure, but the user must also be re-validated from time to time to confirm the session's authenticity. OAuth, SAML (Security Assertion Markup Language) or JWT (JSON Web Token) can be used for session management. Identity and access management is a separate concern from this.
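Added example serving both the Identity and Access Management section and this one (not code from the original article): a minimal HS256 JWT session token in Go with server-enforced expiry and a step-up check that requires a fresh login for critical operations. The server secret and claim values used with it are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type Claims struct {
	Sub      string `json:"sub"`       // authenticated user
	Exp      int64  `json:"exp"`       // session timeout (unix seconds)
	AuthTime int64  `json:"auth_time"` // when the user last proved identity; drives step-up
}

// hs256 returns base64url(HMAC-SHA256(key, input)). The server, not the token header,
// chooses the algorithm, so "alg":"none" or key-confusion tokens can never verify.
func hs256(key []byte, input string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// issueToken mints header.payload.signature after a successful login.
func issueToken(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + hs256(key, input)
}

// verifyToken checks the MAC in constant time, then expiry against the server clock and,
// for critical operations, that the login is no older than maxAuthAge (0 = not required).
func verifyToken(key []byte, tok string, now time.Time, maxAuthAge time.Duration) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(hs256(key, p[0]+"."+p[1])), []byte(p[2])) {
		return nil, errors.New("malformed token or bad signature")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	tooOld := maxAuthAge > 0 && now.Sub(time.Unix(c.AuthTime, 0)) > maxAuthAge
	if !now.Before(time.Unix(c.Exp, 0)) || tooOld {
		return nil, errors.New("re-authentication required: session expired or login too old for this operation")
	}
	return &c, nil
}
```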
When developing an application, not all platform-level permissions are necessary for the app. Developers must enable only those permissions the app needs to operate, and auditors must review this. Similarly, users must be educated enough to recognize the situation where an app asks for access to information it is not intended to operate on. As a second level of security, devices must be protected with passwords in order to protect sensitive information and prevent unauthorized user operations. Avoid unnecessary use of security features such as Touch ID / fingerprint scanners.
Malware and Virus
Like standard computers, mobile devices run operating systems and hence are prone to malware, worms and viruses. These harmful programs are distributed via emails, infected applications, web pages, etc. Protecting your device from these programs is as important as protecting your critical data. Use a good antivirus program and refrain from rooting the device (Android) or jailbreaking it (iOS), from opening malicious emails, web pages and attachments, and from side-loading applications. Alternatively, implement a rooting/jailbreaking check in the mobile application during installation and abort if the device is rooted/jailbroken.
While developers take care to prevent unintended data leakage, many overlook the point where they send unwanted data to external resources. Integrating analytics into your application is a good way to capture statistical information, but at the same time pay attention to what information you are sending to the external system(s). Avoid integrating such tools where they are external to your application's backend and the data you are communicating to them is not monitored. Auditors must verify whether there is any data leakage while reviewing code.
Additional Application / Device Security
When one loses a mobile device and the device is not protected with a passcode, data and apps can easily be accessed. Passwords can be cracked with some effort by expert programmers. It is advised to use basic security policies such as passwords, drawing patterns and biometric fingerprints to protect your applications and data. Leading mobile manufacturers have started supplying biometric security in their devices, which should be used where available. While using Bluetooth, WiFi, GPS (Global Positioning System), NFC (Near Field Communication) or infrared sensors, applications are vulnerable to data leakage; careful use of these features should minimize the risks. When loss or theft of a particular device is suspected, the corporate IT team should be notified of the incident, and in turn they must initiate a data wipe on the device via the corporate MAM/MDM (Mobile Application / Device Management) system, minimizing the risk of misuse of the device and data. Exceeding the maximum number of login attempts must trigger a defensive action such as escalation or locking out the user.