“Gartner Listed - mobile application security guide”

March 1, 2017

Common security mistakes in mobile app development

For a company that does not yet have a mobile app, building one offers new ways to engage with and understand users. Before you build it, however, you need to consider the risks it introduces and the importance of mobile app security testing.

Accounting for those risks matters because more and more mobile apps are being found vulnerable and used as the starting point for a wider compromise. Part of the problem is the design of the apps themselves, and part is the difficulty of writing secure code. We take a look at how to develop a secure mobile app and address common security mistakes.

What risks does the mobile app pose to your company and your users

The first step is to understand the risks that your company and your users face because of the app. This is threat modelling: enumerate the potential threats and attacks against the app and the backend it talks to, and weigh them against the mitigations and contingency measures you have in place.

For most companies the risks will centre on theft of personally identifiable information, financial theft, and credential theft. Your company's wider infrastructure is also at risk if the app exposes the backend services it uses, since an attacker can find those endpoints by unpacking the app or watching its traffic.

Bringing security into the development process

Security is often the lowest priority in terms of time and budget when developing a mobile app; the focus is on giving users a good experience and getting the app released on time.

Testing and remediation left until the end of development cost more time and money than addressing security from the start. To counter this, use the OWASP Mobile Top 10 as a checklist for writing mobile code that follows best practice, and bring mobile app security into each stage of the development lifecycle.

Do regular mobile app security testing

A lot of companies release new mobile apps without doing any security testing at all, neither engaging a penetration tester nor using a tool to aid testing during the development cycle.

Even if the first release of the app is tested and judged secure, you need to keep testing each release to catch regressions and the problems that new features introduce.

Are you using strong encryption?

Estimates put the share of unencrypted mobile device communications as high as 35%, which shows that developers often get this wrong. Unencrypted traffic exposes your users to theft of personal and financial data, account hijacking, and a range of other problems.

As well as testing the app's use of encryption, make sure every connection between the device and the backend is encrypted end to end: in practice, TLS for all traffic, with certificate validation that the app does not weaken or switch off. Any data stored on the device itself also needs to be encrypted, preferably using the platform's own mechanisms (the iOS Keychain and Data Protection, or the Android Keystore) rather than a home-grown scheme.
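On Android, whether the app is allowed to send cleartext and which certificate authorities it trusts is decided in its network security configuration (res/xml/network_security_config.xml, referenced from the manifest's application element via android:networkSecurityConfig), so that file is one of the first things to read during a test. The following added example is not from the original post: it is a Python checker that parses two constructed configs, a weak one and a hardened one, and flags cleartext being permitted, user-installed CAs trusted in release builds, and the absence of pinning. The host name and the pin value are placeholders. The iOS counterpart is App Transport Security in Info.plist, where NSAllowsArbitraryLoads set to true is the equivalent mistake to look for.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a weak network_security_config.xml that a tester would
# flag. It allows cleartext HTTP to every host and trusts user-installed CAs
# in release builds, which lets an interception proxy read the traffic.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample: the hardened form. Cleartext is off, only the system
# trust store is used in release builds, user CAs are allowed only under
# debug-overrides, and the API host is pinned. The pin value is a placeholder,
# not a real certificate hash.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-03-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit_network_security_config(xml_text):
    """Return a list of findings (strings) for an Android network security
    config. An empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        value = cfg.get("cleartextTrafficPermitted")
        if value is not None and value.lower() == "true":
            domains = [d.text for d in cfg.findall("domain")] or ["(all hosts)"]
            findings.append("cleartext traffic permitted for %s" % ", ".join(domains))
        elif value is None and cfg.tag == "base-config":
            # Absent means the platform default applies, which allowed
            # cleartext on Android versions before 9.
            findings.append("base-config does not disable cleartext explicitly")

    # Trust anchors under <debug-overrides> only apply to debuggable builds,
    # so only user-trusted CAs in base-config or domain-config matter here.
    for cfg in list(root.findall("base-config")) + list(root.findall("domain-config")):
        for cert in cfg.iter("certificates"):
            if cert.get("src") == "user":
                findings.append("user-installed CAs trusted in <%s>" % cfg.tag)

    if root.find(".//domain-config/pin-set") is None:
        findings.append("no certificate pinning configured")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_network_security_config(cfg))
```

Run against a real APK by unzipping it and decoding the binary XML first (apktool does this); the checker itself only needs the plain XML text. Pinning is reported as a finding rather than an error because it is a trade-off: a pin set with a short expiry and no backup pin can lock users out when the certificate rotates.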

Mobile app security testing for secrets

It’s important to test your mobile app for secrets and to check how it manages them, looking for exposed credentials, API keys, and the private keys behind certificates. Attackers look for these because they make compromising the user or the app much easier.

When testing for secrets, check for plaintext storage of logins and passwords, check what data is being logged, and check whether credentials are embedded in the app's code. Anything shipped inside the app can be recovered by unpacking it, so avoid storing secrets, keys, passwords, and certificates in source code or config files.
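A quick way to do the "are credentials in the code" check on an unpacked app (an APK unzipped, or strings pulled from the binary) is a pattern scan over the text. The following is an added example, not from the original post: a Python scanner with a few deliberately narrow rules, run over a constructed sample whose values are all invented (the AWS key is the placeholder AWS uses in its own documentation). Hits are candidates for manual review, not confirmed secrets.

```python
import re

# Constructed sample: text a tester might pull out of an unpacked app with
# `strings` on the binary plus a bundled config file. Every value is made up.
SAMPLE_STRINGS = """\
com.example.app.MainActivity
https://api.example.com/v1/login
api_key = "sk_live_51Hx0000000000000000000000"
AKIAIOSFODNN7EXAMPLE
password=Summer2017!
https://deploy:hunter2@repo.example.com/app.git
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
debug_log_level=verbose
"""

# Each rule: (name, compiled regex). Patterns are kept narrow so the list
# of hits stays short enough to review by hand.
SECRET_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # scheme://user:password@host
    ("credentials_in_url",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
    # key = "value", password=value, token: value (value at least 8 chars)
    ("hardcoded_assignment", re.compile(
        r"(?i)\b(api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*[\"']?([^\s\"']{8,})")),
]


def scan_for_secrets(text):
    """Return [(line_number, rule_name, line)] for every suspicious line.

    A line can trigger more than one rule; each hit is reported separately
    so the reviewer sees why the line was flagged.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_RULES:
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, name, line in scan_for_secrets(SAMPLE_STRINGS):
        print("%3d  %-22s %s" % (lineno, name, line))
```

In practice run this over everything in the unpacked package (decompiled classes, assets, res/raw, and any .plist or .json files), then trace each hit back to where the value is used: a key that is only ever sent to your own backend still needs rotating once it has shipped in a public binary.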

Limit your risk

A lot of mobile apps request permissions for hardware and data that the app has no need to use.

Question whether your company really needs access to a device's GPS data, or needs to render web content inside the app using UIWebView.

These kinds of features widen the attack surface and weaken overall security, and more stored data means more potential exposure and damage when something goes wrong.
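On Android both the permissions an app asks for and the components it exposes to other apps are declared in AndroidManifest.xml, so comparing what is requested against what the product actually needs is a natural check to automate. The following added example is not from the original post: a Python audit over a constructed manifest, with a hypothetical allow-list NEEDED_PERMISSIONS standing in for the outcome of threat modelling. It flags permissions outside that list, a debuggable build, and components exported without a protecting permission; the launcher activity is exempt because it has to be exported. On iOS the equivalent review is of the usage-description keys in Info.plist, such as NSLocationWhenInUseUsageDescription.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest. It asks for location and contacts although
# the (hypothetical) app only needs the network, ships debuggable, and
# exports an activity and a content provider with no permission guarding them.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Example" android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity" android:exported="true" />
        <service android:name=".SyncService" android:exported="false" />
        <provider android:name=".UserProvider"
                  android:authorities="com.example.app.users"
                  android:exported="true" />
        <receiver android:name=".AdminReceiver"
                  android:exported="true"
                  android:permission="android.permission.BIND_DEVICE_ADMIN" />
    </application>
</manifest>
"""

# Hypothetical allow-list: the permissions the product was agreed to need.
# Anything requested beyond this is a question for the team, not a bug yet.
NEEDED_PERMISSIONS = {"android.permission.INTERNET"}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(activity):
    """True if the activity has a MAIN action, i.e. it must be exported."""
    return any(_attr(a, "name") == "android.intent.action.MAIN"
               for a in activity.iter("action"))


def audit_manifest(xml_text, needed_permissions):
    """Return a list of findings (strings) for an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    requested = {_attr(p, "name") for p in root.findall("uses-permission")}
    for perm in sorted(requested - needed_permissions):
        findings.append("unneeded permission requested: %s" % perm)

    app = root.find("application")
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append("application is debuggable")

    # Only explicit android:exported="true" is checked here. On older Android
    # a component with an intent-filter and no exported attribute was also
    # exported by default; a fuller audit would cover that case too.
    for comp in app.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if comp.tag == "activity" and _is_launcher(comp):
            continue
        if _attr(comp, "exported") == "true" and _attr(comp, "permission") is None:
            findings.append("exported %s without permission: %s"
                            % (comp.tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, NEEDED_PERMISSIONS):
        print(finding)
```

The exported provider is the finding to chase first: a content provider reachable by any other app on the device is a direct path to whatever data it serves, which is exactly the "more stored data, more exposure" problem above.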

Responding to mobile app security incidents

There’s no way to guarantee that your code is 100 percent secure. Vulnerabilities will emerge in spite of best practices, mobile app security testing, and baking security into development.

All companies need well thought out contingency plans that focus on: i. incident monitoring tools (IDS/IPS, SIEM, exfiltration monitoring) to detect suspicious activity on the backend; ii. internal and external incident response teams that react to any threats; iii. procedures and policies that limit how far-reaching and damaging an attack may be, including the ability to turn off parts of the network or the service.

Companies need mobile apps to engage with their customers, but there is a clear need to prioritise security and mobile app security testing. Developing the app on the assumption that a breach is likely helps to price in the risk and its consequences. By baking in security, testing frequently, and asking ‘what’s the worst that could happen’, companies can be confident in their mobile apps.

Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, and to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.