Smartphones and tablets not only penetrate into people’s everyday life but also change the way businesses organize their workflow. Enterprises streamline their business processes and enhance communication with their customers and collaboration of the employees by means of a wide range of mobile apps. This communication often implies exchange of sensitive financial or personal information. Therefore, mobile app security issues are of great importance for both developers and customers.
Security breaches introduced into the application during the development process can present ways for attackers to get access to your credentials including bank accounts and card numbers, e-mails, your personal data such as location, address book, social insurance number, social security number, etc.. Inadequate app security may also lead to major corporate data leakage and allow attackers to reach serverside file systems, user databases, key stores, etc. Rarely a week goes by without another enterprise falling prey to attackers and exposing personal information of its entire userbase to the Internet, and mobile apps and devices start to play more and more significant part in the attacks.
In this article we’ll try to bring light to some major types of security mistakes frequently made by developers.
Main types of mobile security mistakes
1. Underestimation of mobile security needs
Software developers often try to create an application with a set of advanced features and rich user interface, meanwhile forgetting about security requirements. Various functionalities, like near field communication (NFC) and QR code readers, demand a better security level than a mobile app normally provides. In most cases, developers are not security experts, so it’s important for a developer to think about security beginning with the very early stages of the app development. It’s also useful to hire a penetration-testing company that can test the app’s resistance against varied types of attacks.
2. Storing crucial data in the device memory
One of the most wide-spread mistakes developers make while creating mobile applications is allowing the app to store confidential data on a device (customer data, encryption keys and authentication information, PINs, details of the account), often unencrypted. When the smartphone or tablet is lost, stolen or compromised, sensitive information may be misused, which potentially leads to significant financial losses.
The best thing a developer can do about storing the sensitive data is to properly encrypt it or avoid storing crucial data in the device memory at all. If the same location is shared with other apps, it makes the device even more vulnerable to hacker attacks. The much more secure practice is to obtain the data from the server each time the user logs into the app and to erase it after the log-out.
3. No encryption or poor encryption
Obviously, mobile devices do not simply store the data — they send it back and forth all the time. Mobile applications allowing transmission of unencrypted or weakly encrypted data are especially vulnerable to attacks. It is vital to use appropriate encryption methods to protect sensitive data during its transfer from the app to the server and back. The attackers can break weak encryption logic to intercept the data or extract crucial information from the application.
To avoid putting user’s information under the threat of eavesdropping it’s necessary to ensure that the mobile app utilizes properly implemented encryption, such as an SSL (Secure Sockets Layer) protocal, when passing the data between a mobile device and the server. The app should stop operating and warn the user in the case of an unauthorized third-party trying to intercept the information.
4. Vulnerability to unauthorized access
Unauthorized access possibility means that the mobile application allows users to see the accounts of other users or even access deeper components of the system including administrative controls. Unauthorized access vulnerability in enterprise and personal apps is usually the result of severe mistakes and oversights in a system design and is rarely isolated to the mobile application alone. Yet,mobile app developers can avoid their portion of mistakes by adopting a focused approach towards mobile app security which implies deep understanding of the type of data sent out by the app and profound knowledge of the OS the app is developed for.
Unauthorized requests should be verified by the server and the internal alert should be triggered if there are a lot of such requests. Software developers have to understand the specific device’s features from the data security point of view to be able to decide what components should or should not be included into the application, especially when these components are of third party origin.
5. Vulnerability to hacker attacks
Thus, the code is run automatically inside the browser every time the victim visits the compromised web page, giving the hackers some control over the user’s browser and accomplishing various attacks — stealing victim’s cookies, injecting content, propagating malware, etc. SQL injection can expose the database and modify or delete the data in it using the interfaces that fail to validate or sanitize user input — most usually they are just improperly programmed input fields in the web forms. To avoid these two types of attacks it’s necessary to test the application against both of them, which is usually done by using automated tools and services designed for this purpose.
6. Poor server protection and misconfiguration
To work properly, mobile applications need to reliably and efficiently communicate with the server that hosts the backend. The wide spread developers’ mistake is allowing such server to unnecessarily share a lot of data and processes with the World Wide Web — you just have to be a little curious as to what the server has to tell you. As a result of such relaxed approach to server security, major data leakages happen all the time. If the web server is inappropriately configured, third party users may obtain unauthorized access to sensitive resources.
It is important for the mobile apps developers to clearly understand what kind of data can be exposed by the server, and reliably secure all the necessary issues, not only those that are utilized by the mobile app. Don’t hesitate to consult an experienced system administrator when you are not sure about the security of the app server.
The majority of modern enterprises and retail companies develop mobile applications to keep pace with rapidly changing technology, market demands and user tastes. People become more dependent on their smartphones, using them for performing bank transactions, paying their bills and purchasing goods online. Unfortunately, many security reports show that a lot of applications have at least some security drawbacks that jeopardize end-users and may cause financial and sensitive data loss. To reduce the number of potential vulnerabilities, app security outlook should be included into the development process from the very beginning.
Developers frequently put design and advanced features first and try to add the security layer when the app’s almost ready. Keeping app security in mind on every stage of the development process, such as app conceptualizing, defining system architecture, design, and writing the code, helps to avoid dealing with major security flaws in the future.