The mobile app market has grown tremendously as enterprises bring innovative products and services to users. At the same time, malicious hackers are targeting applications with sophisticated attacks, so the security of mobile apps has become a top-level concern for all stakeholders.
The app market is huge: in the coming years there are expected to be almost 2 million smartphone users worldwide, and by 2017 the app market will be worth $77 billion.
In research conducted by HPE, almost 2000 mobile applications from more than 600 companies were tested. The results show that:
• Around 97% of tested apps accessed at least one source of private information on the device.
• 18% of applications sent user names and passwords over HTTP; 18% implemented SSL/HTTPS incorrectly.
• 75% of applications did not encrypt data stored on the mobile device correctly.
• 71% of applications failed to use binary hardening protections against cyber-attacks.
Recently, app security has started to receive much more attention. It is a big area, so it is important to know the current trends and how well you can align them with the needs of your organization.
Common App Security Threats
The most common security threats in mobile applications are:
1) Threats in App Store Security: The platform chosen for mobile application development affects security. Most apps contain significant vulnerabilities; nearly 90% have at least one.
On iOS devices, Apple takes app security seriously and gives users visibility into the access level of the apps they use. Android devices, however, tend to have more app security issues than iOS because of Android's wider range of device types, operating system versions and app store requirements.
2) Cross-Device Threats: Mobile devices are not the only place where information must be secured. Many stores let users download apps on a desktop computer and add them to a mobile device later, and cross-device threats arise through this path.
3) IoT Devices: IoT devices collect user data and use it to make 'smart' automation decisions. On Android in particular, IoT devices accept connections from many other operating systems, which puts the devices at risk and makes their security difficult to control.
4) Usage of Single Devices: Enterprise applications contain sensitive corporate information that has to be kept secure in every possible way. Because most employees use a single device for all purposes, sensitive corporate data can get mixed with personal data, putting security at risk.
5) Mobile Malware: Mobile phones are susceptible to Trojans, spyware and viruses. These can steal confidential data.
6) Unauthorized Access: Unauthorized users can access email accounts, applications, social media networks and many more details.
Best Practices to Protect Your Application
Let’s look at a few steps for mobile app security:
1) Secure App Code
Encryption is the best method to protect app code. Stick to modern, well-supported algorithms combined with API encryption.
• Test the source code for vulnerabilities.
• App code should be portable between operating systems and devices.
• Note the impact on runtime memory, file size, performance, data usage and so on while adding security.
2) Include Authorisation, Identification and Authentication
APIs, authorization and authentication add security to an app's login. Make sure the app's APIs give access only to the parts of the app that are necessary; this minimises exposure to vulnerabilities.
• The standard OAuth2 protocol is used to secure connections. It collects credentials and then grants permissions between the end user and the client.
• OpenID Connect allows the same credentials to be reused across multiple domains.
3) Apps should be Secured from the Back End
Servers should have security measures in place to prevent unauthorized access and protect confidential data. APIs that access the servers should be verified before data passes from the client to the app's server and database.
• Containerization is a method for securely storing documents and data.
• Penetration testing (testing a network or web application to find vulnerabilities) should be done in consultation with a network security specialist to ensure data is protected.
• Encryption using SSL (Secure Sockets Layer), a VPN (Virtual Private Network) and TLS (Transport Layer Security) adds to app security.
4) Implement Mobile Encryption Policy
Some apps release user data without permission. Under such a policy, data is protected on a file-by-file basis.
• Key Management should be a priority.
5) Repeated Testing of App Software
This is the most crucial step in the mobile app development process. While testing your app, make sure that security is tested along with usability and functionality. Emulators for operating systems, devices and browsers let you test how an app performs.
6) Solid API Security Strategy
APIs are the main channel for functionality, content and data, so securing them properly is important. The main security methods in an API security stack are authentication, authorization and identification.
7) Increasing Code Complexity
Making the app's internals more complex makes it harder for attackers to analyse and attack the app.
8) Protect Internal Resources
Resources that do not require public Internet access should be restricted using network segmentation and firewall rules. A compromise of administrative or other internal resources can lead to extensive damage.
9) Avoid Caching App Data and Crash Logs
Developers can configure Android and iOS apps to prevent HTTP caching. Also avoid caching page data and URL history for any app process. For crash logs, ensure that released apps are built without warnings and are tested so that they do not crash.
10) Implement ATS (App Transport Security)
Ensure secure connections between the back-end server and the app. When ATS is enabled, connections are forced to use HTTPS, and attempts to connect over insecure HTTP will fail.
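ATS is on by default, but a single Info.plist key can switch it off globally or relax it for one domain, so the setting is worth auditing. The block below is an added example, not code from the article: it parses an Info.plist and reports every key that disables or weakens ATS. The two plists are constructed samples; the key names are Apple's real ATS keys.

```python
import plistlib

# Constructed sample: ATS switched off globally and plain HTTP allowed for one domain.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed sample: no NSAppTransportSecurity key at all, so ATS is fully enforced.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>DemoApp</string>
</dict></plist>"""

def ats_findings(plist_bytes: bytes) -> list:
    """Return the ATS weaknesses found in an Info.plist (empty list means ATS is fully enforced)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: ATS disabled for every domain")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia",
                "NSAllowsLocalNetworking"):
        if ats.get(key):
            findings.append(f"{key}: ATS relaxed")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plain HTTP allowed")
        # Apple's defaults for a per-domain exception are TLS 1.2 and forward secrecy required.
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS below 1.2")
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings
```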
Many consumer and enterprise mobile apps run on the same device, yet they appear to act independently with different functions. Without proper security built into mobile applications, hidden integrations and data theft can happen.
Some of us think that cyber-attacks happen only to big corporations; however, the reality is that we are all potentially at risk, even when doing something as simple as downloading a mobile app to a smartphone. Follow best practices and rely on security experts to keep your app safe from threats.