Assessing Security Risks for Devices and Data during Mobile Solution Development
Mobile solutions have found their way into almost every area of human activity including business, education, communication, payments, financial transactions, and entertainment. Mobile devices and data stored on them require additional protection as they are more exposed to different threats – both physical and digital – in comparison with desktops and laptops.
It’s important to think of different threat models while developing and deploying solutions for handled devices. Such models could include evaluation of the major known vulnerabilities and possible attacks vectors and their impact. In this article, we discuss some security risks which come up during mobile apps development and solutions that could help in mitigating those risks.
Sensitive data leakage through malicious 3rd party apps
Handheld devices contain different types of confidential information including user location, contact lists, e-mails and documents, personal photos, IM chatting histories, etc. To protect sensitive data from potentially malicious software apps created by untrustworthy 3rd parties it’s important to limit access to crucial data and functionality.
Mobile application platforms, as a rule, establish rather strong limits for apps’ access to sensitive information or device capabilities (such as camera or microphone), but users can still allow this access, often because of indiscretion or complicated app UI, and thus open private data up to access by malicious software.
Software developers should try to save users from such troubles and limit potential damage by forcing their apps to ask only for permissions necessary for accomplishing the app’s specific goals. Storing sensitive data in encrypted form is also one of the solutions to the problem of leakage if it doesn’t lock user data within one specific app forever.
The device with confidential information is lost
Despite the rise of cloud services, mobile devices still rely primarily on their local storage capabilities, meaning that information is stored locally in databases, files, etc. Smartphones and tablets are lost quite often, so it’s preferable for developers to minimize crucial data storage on the device. Encryption can be used here, too, if it’s necessary to store sensitive data on the mobile device and there’s no way to use some kind of cloud storage.
Keep in mind that even encrypted information can often be compromised by reasonably skilled attackers, especially if some poorly tested proprietary encryption algorithm has been chosen as a solution.
Unencrypted data leakage via network communications
Of course, mobile apps require access to network infrastructures like Wi-Fi hotspots, home ISPs, corporate networks, etc. It’s important for software developers to take this fact into account and avoid sending confidential data via unencrypted connections and/or protocols to preserve it from being easily intercepted and interpreted by attackers.
Proper identification and verification of both connected parties (i.e., the server and the client app/device) and choosing the appropriate encryption or protocol is vital for providing a necessary level of security when transferring sensitive data (or, perhaps, any data at all).
Vulnerabilities connected with native code execution
Execution of the native code may pave the way for a set of specific, low-level, and platform-dependent threats like format string attacks and buffer overflows. Software developers may take measures to avoid these problems, for instance, using managed code to ensure automatic memory management. Another way of preventing such attacks is to use non-executable stacks and address space layout randomization (ASLR) techniques supported by separate mobile platforms.
Threats connected with mobile browsers
Many successful attacks on mobile platforms are accomplished via mobile browsers, so developers should understand how mobile platform uses and interacts with the browser. To provide a better user experience app developers often register their applications for processing requests/content which is initially processed by the browsers.
This allows attackers to seed malicious websites with links that change the application’s behavior by supplying it with specifically forged parameters. To prevent this kind of exploit it is necessary to study the capabilities of the application to properly validate the incoming data and request confirmation from users before performing certain actions.
Conclusions
Mobile devices need to support multiple security measures that combine built-in security features and additional security controls of the OS level. Mobile applications are exposed to both low- and high-level threats and vulnerabilities.
Therefore, software developers need to clearly understand the capabilities of the selected development platform. It’s important to securely design, build, and thoroughly test mobile applications while keeping in mind potential ways of sensitive data leakages. Threat modeling helps to identify major security concerns and design mobile solutions appropriately. Software developers should realize threats the system is exposed to and visualize the created app as a part of this specific system.
The vital rule for app developers is to be careful with types of data stored in mobile device’s memory and ways of storing this data, to thoroughly follow access permissions guidelines for mobile platform in question, and design secure application architecture from the system level and up to ensuring usage of secure communication protocols at all times.
