A Guide to Mobile App Security
Mobile apps are where the action is nowadays, given that most traffic now originates from personal devices.
However, mobile apps do not always seem trustworthy to customers. Not even the most amazing features and the crispest graphics will keep users from deleting an app they believe has been compromised in terms of security.
Check out these tips and you may be able to rest easy, knowing your customers are protected from attackers.
One attack is all it takes to ruin your reputation and, in some cases, to create liabilities that shut you down!
Let us take a walk through mobile app security; here are a few suggestions:
Coding is one of the most vulnerable aspects. Miss one security aspect and your app is left waiting for cybercriminals to have a field day. They will reverse engineer your code at the drop of a hat if you do not follow secure coding practices.
Here is the thing to do: follow Android and iOS hardened-code best practices, and do not make shortcuts part of your coding routine; be a software engineer, not just a programmer. Look into things like code signing and secure programming.
How do you save your data? How do you talk to your server?
How do you keep your customers' and your app's information secure? Do you have the mechanisms in place to enforce protection? You owe it to your users to keep them protected: never store or transmit cleartext. Man-in-the-middle (MITM) attacks and data loss need defences in place for when your systems get compromised. Think SSL (Secure Sockets Layer) when transmitting and public/private key encryption when storing.
There are multiple types of SSL certificate, and a website owner can choose whichever one fits the site's requirements; for example, a SAN SSL certificate protects multiple domains or subdomains.
Never use libraries that are not trustworthy. Yes, they make your development easy, but that is not worth it if security gets compromised.
And stay in touch with updates. Most good libraries keep being upgraded throughout their lifetime; you need to ensure you work with the ones whose maintainers stay aware of the latest security threats and keep shipping updates. Never use libraries you cannot trust.
As mobile app developers, we have to use service APIs: some from Google and well-known partners, and sometimes proprietary ones. The key is to ensure authorization that can be tracked and trusted. Avoid open APIs; they may seem easy to consume, but you have no guarantee of security or performance.
It is sometimes tempting to ask for far more app privileges than needed, and most users are more than happy to say "Yes" when prompted for access to things like contacts, messages, etc. Do not use more privileges than needed; after all, you are responsible for keeping your customers safe.
Asking for more than what is needed is asking for trouble. Stay away from requesting more privileges than required for the app to function smoothly.
Have a clear line on when you open and close a session; do not have extended sessions that may expose your users to unneeded security risks. Imagine a lost or stolen device and someone else getting hold of the session. Try using two-factor authentication to validate lost sessions.
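An added example (not from the article) of the session rules above, on the server side: every session has an idle timeout and an absolute lifetime, a token presented from a different device is held until a second factor is verified, and a user who reports a lost device can close all of their sessions at once. The timeout values and the per-installation device identifier are assumptions for this example.

```python
import secrets
from dataclasses import dataclass, field

# Policy values below are assumptions for this example, not from the article.
IDLE_TIMEOUT_S = 15 * 60        # close a session after 15 minutes of inactivity
ABSOLUTE_LIFETIME_S = 8 * 3600  # force a fresh login after 8 hours regardless of activity


@dataclass
class Session:
    user_id: str
    device_id: str      # identifier the app installation presents with each request
    created_at: float
    last_seen: float
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    revoked: bool = False


class SessionStore:
    """Server-side session table with explicit rules for opening and closing sessions."""

    def __init__(self) -> None:
        self._sessions = {}

    def open(self, user_id: str, device_id: str, now: float) -> Session:
        s = Session(user_id, device_id, created_at=now, last_seen=now)
        self._sessions[s.token] = s
        return s

    def close_all_for_user(self, user_id: str) -> int:
        """Revoke every live session, e.g. when a user reports a lost or stolen device."""
        live = [s for s in self._sessions.values() if s.user_id == user_id and not s.revoked]
        for s in live:
            s.revoked = True
        return len(live)

    def check(self, token: str, device_id: str, now: float) -> str:
        """Validate a presented token: 'ok', 'unknown', 'revoked', 'expired' or 'second_factor'."""
        s = self._sessions.get(token)
        if s is None:
            return "unknown"
        if s.revoked:
            return "revoked"
        if now - s.created_at > ABSOLUTE_LIFETIME_S or now - s.last_seen > IDLE_TIMEOUT_S:
            s.revoked = True            # expired sessions are closed, never silently extended
            return "expired"
        if device_id != s.device_id:
            return "second_factor"      # same token from another device: demand a second factor
        s.last_seen = now
        return "ok"
```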
This goes along with the encryption/decryption we discussed with SSL above. The point here is not to store local keys that can be exposed. You have to manage the key store very carefully; never let your private keys out, some of which may be used by the app for SSH transfers or API connections.
Use the highest level of protection possible for data interchange, based on the security protocols negotiated with the servers you connect to.
Make use of the best password policy possible. Enforce strict, strong passphrases, such as a "non-dictionary" combination of upper case, lower case, numbers, and special characters.
Do not allow the use of personally identifiable user ID and password combinations; also, see if you can send users a token to validate once in a while, to ensure they still own the device. Sometimes lost devices are the most significant security threat, and saved passwords defeat the protection goal once the device changes hands.
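An added example, not from the article, of a password-policy check implementing the two rules above: the character-class and "non-dictionary" requirements, plus rejection of passwords that contain the user ID or other known personal data. The minimum length and the word list are constructed assumptions standing in for a real dictionary or breached-password list.

```python
import re

MIN_LENGTH = 12  # assumption for this example
# Constructed stand-in for a real dictionary / breached-password list (tuple keeps order stable).
COMMON_WORDS = ("password", "welcome", "qwerty", "letmein", "summer", "admin")


def password_problems(password: str, user_id: str, pii: tuple = ()) -> list:
    """Return the policy rules a candidate password violates; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    # "Non-dictionary": reject passwords built around a common word even when the
    # usual digit/symbol suffix makes them pass the character-class checks.
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    # Reject the user ID and any other known personal data embedded in the password.
    for item in (user_id, *pii):
        if item and len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal data '{item}'")
    return problems
```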
Never send sensitive information over SMS. Most phones are set up to show messages as a preview even when the device is locked; hide personal data from the prying eyes of the public.
It is tempting to make use of free and open tools. Never use any mobile development tool that does not have a reputation for security, not only to begin with but also across its continuous releases, to ensure continued app security.
Make sure it is easy to incorporate these tools and their enhancements into your patches; there is no point being a slave to frameworks you cannot make part of your continuous secure mobile app development process.
Code reviews catch what nothing else can. No matter what tools you use or what practices you stick to, code reviews (both automated and done by senior programmers) will help you improve, not only in secure coding but also in efficiency.
Irrespective of how careful you are, there are traps no human can explore. Use automated tools to analyze your mobile app for known vulnerabilities.
Most such tools are updated regularly to catch known malware and security holes; stay updated.
In summary, code carefully and watch out for security holes. Make use of secure coding practices (not to mention the everyday things such as SQL injection, which we assume you have covered) to prevent client-side scripting hacks.
As ever, stay in touch with the latest trends in security, and never forget your tools. Humans need to be consulted, and you can never be too careful; use automation to your best possible advantage. Do your best, and put out the most secure app possible.