Mobile App Security: Threats and Solutions
Smart phones have replaced our memo pads, checkbooks, accounts, id proofs, cameras, mini storage devices, and almost anything else holding our critical data. Critical data needs stringent security, and we must ask ourselves: How safe are these mobile apps and how safeguarded is the data stored in them?
Why should you be worried about Mobile App Security?
Have you ever used utility apps like phone barcode scanners? Are you a business owner running a process on an enterprise app? Whether you are an individual or a firm, your trade secrets, quotations, employee data, and other sensitive information are out there. You could be a start-up or an SMB with a retail app that stores users’ credit card and bank account details. You could be a “freemium model” app owner, trading money for features. Or you could be an individual giving access to your media files and portfolio in order to use the dog face filter in Snapchat. Whenever you trade your data for an app service, or vice versa, do you know whether and how your data is safeguarded?
Mobile app security is an essential but highly underrated aspect of a mobile application. Too often neither app owners nor app users consider the threats that arise from leaving loopholes in app security.
How and Why Do Mobile Apps Access Your Data?
When you download an app on your device, a box appears warning you that the app will access data such as media files and your registered e-mail id, as well as any native device features relevant to the app. As users we tap ‘allow’ and accept a free installation. In return we let the multiple third parties integrated into the application access our data and device functions.
All is well, but you need to know who is working to secure the critical data to which you gave access while installing your last app. Hint: it’s the mobile app development firms like us.
These Statistics Will Appall You!
53 percent of mobile commerce frauds are monetary frauds, carried out using stored credit card details. The remaining 47% are identity theft, banking fraud and data phishing.
Mobile store/app merchants lost 70% more revenue to fraud in 2014 than in 2013, which means that attacks are getting more sophisticated and more rampant.
Identity theft, hacked Facebook accounts, doctored photographs, financial losses: these are the costs of lost data that you pay on top of the cost of a lost device. What are the mistakes certain app development firms and app owners make, and how can they be fixed? We’ll tell you, because we work relentlessly towards securing all the mobile apps that we build.
Mobile App Security Breach #1: High-Risk Interactions and Transactions Left Unsecured.
Mobile apps are built to interact with back-end services. In enterprise apps such as CRM apps for specific companies, the back-end data is stored using third party integrations. Similarly, third party integrations are involved whenever an app pulls data from the cloud.
Integrations are like the joints in a chain, and the chain is only as strong as its weakest link. Every integration with the back end requires security: data in transit should be encrypted using a transport protocol such as SSL (Secure Sockets Layer), currently the most widely used protocol for online encryption, or its successor TLS (Transport Layer Security), which should be employed for added security.
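The following is an added example, not code from the original post: the weak client configuration that is often left in place “to make it work” beside a hardened one that enforces TLS 1.2+, certificate verification and hostname checking, plus a certificate-fingerprint pin check an app can run after the handshake. It uses only Python’s standard library; the pin value is a constructed placeholder, not a real certificate hash.

```python
import hashlib
import ssl
from typing import Optional, Set

# Constructed placeholder: SHA-256 fingerprint(s) of the back-end leaf
# certificate the app is willing to trust. A real app computes these from
# the real certificate at build time and rotates them with the certificate.
PINNED_CERT_SHA256: Set[str] = {"00" * 32}


def weak_context() -> ssl.SSLContext:
    """The insecure pattern: verification switched off. Any certificate an
    interposed party presents is accepted, so the channel is not private."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Require TLS 1.2 or newer, verify the server certificate against the
    system trust store (or a CA bundle shipped with the app) and check that
    the certificate matches the hostname being connected to."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Check a context has all three properties; useful as a startup self-test
    so a debug build cannot ship with verification disabled."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, i.e. the bytes returned by
    SSLSocket.getpeercert(binary_form=True)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Set[str] = PINNED_CERT_SHA256) -> bool:
    """Second check after the TLS handshake: the presented leaf certificate
    must be one the app expects. Close the connection if this returns False."""
    return cert_fingerprint(der_cert) in pins
```

In the app, wrap the socket with `hardened_context().wrap_socket(sock, server_hostname=host)` and then call `pin_matches(ssock.getpeercert(binary_form=True))` before sending any data.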
Another critical integration is the integration of payment gateways into your applications.
For such gateways and express checkouts that store your debit/credit cards to allow one-click payments, there are security standards that must be followed: the PCI DSS (Payment Card Industry Data Security Standard) guidelines should be adhered to.
| Control objectives | PCI DSS requirements |
|---|---|
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security |
Table source: Wikipedia
Mobile App Security Breach #2: Critical Data Management After an Attack.
In CRM applications, social media APIs and geolocation apps, the stored data is personal and meant to be kept private. Data leaks can ruin people, so applications storing personal data need defined protocols and strict adherence to them.
When can this data be compromised?
There are two situations in which this data can be compromised.
1. Device Theft
2. Hacker attack.
What are the solutions?
The solutions to this problem can either be device specific or app specific.
In the former situation, where you lose your device, most devices offer a remote selective wipe, which means you can erase sensitive data from the device remotely. Most phones also ship with security logins that let users do the same.
If your device is stolen or misplaced you can even use selective wipe per app. Apps like Google+, Gmail (basically all Google applications connected to a Google account) on an Android/iOS device allow users to delete sensitive information, block a specific device’s access, or simply wipe the application and user account from the stolen device. The same applies to all popular social media apps like Facebook, LinkedIn, Google+, etc.
Similarly, enterprise apps like CRM applications or internal employee management systems should have a self-destruct routine that eliminates critical data when someone loses their phone or is under attack. To ensure that employees who leave the firm can no longer access the information, selective or partial wipe options should be added to these applications as well.
Mobile App Security Breach #3: Fake App Versions That Misguide Users.
The better mobile app security becomes, the worse the threats become. Faking an app is another malicious practice amongst hackers and cyber criminals. The modus operandi is to obtain a public copy of the application code, replicate the app, have unsuspecting users download the fake version, and then extract confidential data for nefarious activities.
Is there a method to secure apps against fake versions? Yes.
In their own interest, users should always download apps from the App Store or Play Store.
Any other source should be avoided. Devices generally notify users when they are about to install apps from untrusted sources.
The rest depends on using safe development standards, which include secure code and encrypted data, especially when using third party or cross-app integrations. The third party applications should be verified as well. Bugs and malfunctioning code should be fixed and high quality standards maintained. Reusable code should be safeguarded.
All integrations should exchange encrypted data. Regression tests should be run on integration code well before system testing is performed. Each integration can be treated as a code unit for unit testing.
Security in mobile application development should be uncompromised; the solutions we have suggested above are solutions we have implemented in building our own applications.
Our strict adherence to OWASP standards is a key factor in the development of absolutely secure apps. We also implement binary security in native applications for iOS.
Follow the blog to learn more about our security practices for native apps catering to specific operating systems. Leave your suggestions and concerns regarding your app’s security, and our in-house experts will get back to you with answers.