Four rules to guarantee the security of your mobile app

As mobile services and applications gain importance, the vulnerabilities of mobile apps come to light. In this article, we take a closer look at the Open Web Application Security Project (OWASP) Mobile Top 10 vulnerabilities and classify them into four simple rules in order to gain insight and learn how to apply them. You will never forget even one of the Top 10 after reading this!

In this era of digital business transformation, mobile services and applications are gaining special importance. It is no secret that the growth of mobile internet is exponential and accelerates the demand for mobile app development: everyone prefers to have your service on their mobile.

On the other hand, with the rapid growth of mobile use, the vulnerabilities of mobile apps come to light. Mobile applications bring fast revenues and developers rush to build apps rapidly, often ignoring security requirements. Mobile apps constitute the biggest attack vector in modern IT today.

Smartphones 

With 60 percent of devices containing or accessing enterprise data being mobile, hardening the defense on a smartphone becomes crucial. The device itself is the weak point: it can be breached in numerous ways and used to leak sensitive data. There is no other solution than implementing native in-app security controls, which do not depend on a platform or a smartphone user.

Luckily, both Android and Apple platform developers understand the problem and regularly update their guides for secure coding. The Open Web Application Security Project (OWASP), with its focus on practical application security, maintains a well-known list of Mobile Top 10 vulnerabilities, the Mobile Application Security Verification Standard (MASVS) and the MASVS testing guide. With so many tools and guides, it is not easy to find the right orientation and strategy. In a nutshell, what are the crucial aspects mobile app developers should keep an eye on?

In our opinion, the best way to be aware is to simplify. In practice, Top 10 lists are often overlooked because they are hard to interpret. Let's try to understand OWASP's Top 10 mobile risks from the most pragmatic perspective. We propose a short list of four easy-to-understand recommendations, free of ambiguous formulations, that will keep you aware of security in your app.

Here is a simple mind-map:

Rule 1. Use your platform and API calls correctly: M1 and M10

Very often, default Android/Apple platform functionality or API calls are used insecurely. OS functions such as TouchID, Keychain and Android intents can be bypassed for malicious actions. Example: the FitnessBalance app and the Heart Rate Monitor app used the TouchID function to steal money by accessing your Apple store account.

Rule 2. Protect your data: M2, M3, M5

Because mobile devices are an important attack vector, the security and privacy of data at rest and in transit are at risk. Developers should apply good practices for secure data storage and communications (e.g. the latest version of TLS with obligatory mutual authentication, encrypted storage and resilient key management, monitoring tools to check memory access and violations).
Example: Dating apps such as Tinder or Bumble have been criticized for insecure storage, leaking private data of users.

Rule 3. Have your access controls in place: M4, M5, M6

Very often access control functions such as authentication, authorization and encryption are badly coded, use insecure API calls or do not take all possible attack scenarios into consideration. Of course, developers are not security specialists and they need help from a security expert to understand how to implement critical security procedures such as authentication.
Example: Android Health app used insufficient cryptography for storing patients' data and put patients at risk.

Rule 4. Take care of your code: M7, M8, M9

Building apps in a short time results in poorly written or unprotected code. A common attack scenario is reverse engineering in order to access sensitive information and code. Anti-tampering methods such as obfuscation should be used in all mobile apps.
Example: the British Airways app leaked thousands of card numbers of its clients because of poorly written code that was reverse engineered.

Following these four rules (or putting defense controls on these attack surfaces) will guarantee protection from the majority of attacks.

Want to know more? Attend our workshop!

Sirris is looking for software companies in order to share insights on mobile security. In the context of the ESF project, we propose a comprehensive workshop on trusted mobile apps, designed as a pragmatic guide to critical security tools and practices for start-ups and scale-ups.

What to expect? Minimum theory (though the security experts will be available after the session to answer your questions) and maximum practice/hands-on/tools and training.

Topics covered:

  • Top 10 vulnerabilities and attacks - understand from the core
  • Golden rules for the secure mobile app start-up - do your own check-up!
  • Secure coding: obfuscation, anti-tampering tools and best practices
  • Securing your data: data privacy how-to, secure mobile storage and communication, step-by-step
  • Security testing automation: How to manage and use the security scanners to facilitate and assure your code quality?
  • Authentication and key management: how-to and common errors
  • Best tools for security requirements generation
  • Platform-specific tools and vulnerabilities

Questions? Contact us! 
