
The Top 5 Mobile Application Security Issues You Need to Know When Developing Mobile Apps

The article is written by Prateek Panda and first published on Appknox, an online security testing platform for mobile applications.

Recently, a number of established companies such as Snapchat, Starbucks, Target and Home Depot have each been through a PR disaster. Why? Because attackers found flaws in their mobile apps and were able to exploit them.

The fact is that nobody really thinks about mobile security or data privacy when buying a coffee at Starbucks or while playing Angry Birds. In the rare case that someone does think about security, consumers assume that the developers have taken care of it.

They reason that the app comes from a reputable company, so what could go wrong?

This is why it is important for companies and developers to be more proactive rather than reactive when it comes to mobile application security. It is important to retain consumer trust if you want to stay in this game for long.

While there are numerous aspects of security to consider, we've put together five areas that you should address when building mobile apps.

1. Insecure Data Storage

In the US, the Starbucks mobile app is one of the most widely used apps for mobile payment. Consumers simply enter their passwords once when activating the payment portion of the app and use it again and again to make unlimited purchases without having to re-input their password or username.

This is great for convenience. The sad truth is that on 16 January 2014, the Starbucks app, the most used application in the US, with 10 million customers, was found to be storing user credentials in plain text. When CNBC reported that user data had been compromised, 3 million people deleted the app from their mobile devices. In 24 hours, the app fell from 4th highest grossing app to number 26. Starbucks scrambled to release an update later that week, too late.

The plain-text data also included users' geo-location tracking points. With this information in hand, unauthorized individuals would have had the credentials to log into the Starbucks website as well. People often reuse the same username and password across accounts, so there was potential to compromise additional user accounts.

As a developer, you should design apps so that critical information such as passwords and credit card numbers does not reside directly on the device. If it must, it has to be stored securely: data should always be stored in an encrypted data section, and the app should be marked to disallow backup.
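As an added example (not from the original article or from Appknox), here is how an Android app can follow that advice: it keeps only a server-issued session token, never the password, and stores it through the androidx `EncryptedSharedPreferences` API so the key material lives in the Android Keystore. The file and key names are constructed for the example, and the `androidx.security:security-crypto` dependency is assumed.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

// The manifest must also opt out of device backups so the file never leaves
// the device inside a backup:
//   <application android:allowBackup="false" ...>
//
// The pattern behind the Starbucks story is the opposite of this class:
//   context.getSharedPreferences("prefs", Context.MODE_PRIVATE)
//          .edit().putString("password", password).apply();   // plain text on disk
public final class SessionStore {
    private static final String PREFS_FILE = "session_store"; // constructed name
    private static final String KEY_TOKEN = "session_token";  // constructed name

    private final SharedPreferences prefs;

    public SessionStore(Context context) throws GeneralSecurityException, IOException {
        // Key material is generated in and never exported from the Android Keystore.
        MasterKey masterKey = new MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build();
        // Both preference keys and values are encrypted before they reach disk.
        prefs = EncryptedSharedPreferences.create(
            context, PREFS_FILE, masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    // Store a short-lived, server-issued token, never the user's password:
    // a leaked token can be revoked server-side, a leaked password cannot.
    public void saveToken(String token) {
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    public String loadToken() {
        return prefs.getString(KEY_TOKEN, null);
    }

    // Call on logout so nothing usable is left on the device.
    public void clear() {
        prefs.edit().remove(KEY_TOKEN).apply();
    }
}
```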

2. SSL Issues

One of the most common issues we've seen in mobile apps is SSL. Most of the time, developers do not dive deep into how SSL is applied, and the implementation is often faulty. Frequently, the server's SSL certificate is not verified at all because the TrustManager implementation is broken. Lack of proper transport layer protection is an invitation to attackers to exploit your app. Read how the SeaCat solution protects mobile apps, data, and backends from SSL as well as other typical issues.
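The following is an added illustration (not code from the article or from TeskaLabs) of what a "broken TrustManager" looks like in Android code, placed beside a hardened setup. The hardened version keeps the platform's default chain validation and hostname verification and adds public-key pinning with the third-party OkHttp library (assumed as a dependency); the hostname and pin values are placeholders.

```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class TlsSetup {

    // ANTI-PATTERN: this is the "broken TrustManager" the article refers to.
    // Empty check methods accept any certificate, and the HostnameVerifier
    // accepts any host, so anyone on the network path who presents their own
    // certificate is trusted. Usually added to "make a dev server work" and
    // then shipped by mistake; a code review should flag every occurrence.
    static void insecureGlobalDefaults() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // HARDENED: do not install a custom TrustManager at all, so the platform's
    // default chain validation and hostname verification stay in force, and
    // additionally pin the backend's public key so that a mis-issued
    // certificate from any trusted CA is rejected as well.
    static OkHttpClient secureClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            // Placeholders: use the base64 SHA-256 of your backend's
            // SubjectPublicKeyInfo, plus a backup pin for key rotation.
            .add("api.example.com", "sha256/PLACEHOLDER_PRIMARY_PIN_BASE64=")
            .add("api.example.com", "sha256/PLACEHOLDER_BACKUP_PIN_BASE64=")
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            .build();
    }
}
```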

3. Data Leakages

Brands are on a roll to grab personal data. Why shouldn't they? After all, being able to personalize marketing offers to consumers is a key digital business goal. But it's essential that this desire to gather personal data doesn't compromise a consumer's privacy.

For instance, media reports recently contended that the NSA had tapped popular smartphone apps like Angry Birds to gather an enormous amount of personal data -- including age, location, gender, and more.

Now you know what a "leaky" app means.

It's not just consumer apps that are at risk. Consider a healthcare app that is used to track how often a patient experiences a particular symptom of a disease. If the app also contains analytics that report how often that same section of the application is viewed, it is possible for someone with analytics access to determine the medical condition of a particular user -- and place the provider in violation of HIPAA.

We've scanned many apps that use low-grade analytics providers and advertising APIs. It is important to keep an eye on what data moves, and how, when and where it moves. Hackers actively scout for this gold mine of information: your DATA.

4. Untrusted Inputs

Mobile apps accept data from various sources and the absence of sufficient encryption gives attackers easy access to cookies and environment variables. When security decisions on authentication and authorization are made based on the values of these inputs, attackers can bypass your security.

For example, in 2012 a flaw in Skype security allowed hackers to open the Skype app and dial arbitrary phone numbers using a simple link in the content of an email. Similarly, a bug in the iPhone 1 OS enabled hackers to listen in on phone conversations when those phones were connected to insecure wireless networks. Any app that accepts data from external sources must validate every such input before acting on it.

All this is complex, but it is not uncommon. Remember, an easy-to-use app won't win you any points if you put customer or enterprise data at risk.
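As an added example for this section (not code from the article), here is an Android activity that handles a deep link of the kind described in the Skype case. It treats the link as untrusted: it checks the scheme and host it expects, accepts only a digit-only number, and uses `ACTION_DIAL` (which only pre-fills the dialer) rather than `ACTION_CALL`, so a link can never place a call without the user pressing the button. The `exampleapp://dial?number=...` scheme and the activity name are placeholders.

```java
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import java.util.regex.Pattern;

// Assumes the activity is registered in the manifest with an intent filter
// for the placeholder scheme "exampleapp" and host "dial". Links arrive from
// outside the app (email, web page, another app), so nothing in them is
// trusted until it has been checked.
public class DialLinkActivity extends AppCompatActivity {
    // Optional '+' followed by 3 to 15 digits. Rejects letters, separators
    // and the '*' / '#' characters that the dialer treats specially.
    static final Pattern SAFE_NUMBER = Pattern.compile("^\\+?[0-9]{3,15}$");
    static final String EXPECTED_SCHEME = "exampleapp"; // placeholder
    static final String EXPECTED_HOST = "dial";         // placeholder

    // Returns the validated number, or null if the link must be ignored.
    static String extractNumber(Uri link) {
        if (link == null) return null;
        if (!EXPECTED_SCHEME.equals(link.getScheme())) return null;
        if (!EXPECTED_HOST.equals(link.getHost())) return null;
        String number = link.getQueryParameter("number");
        if (number == null || !SAFE_NUMBER.matcher(number).matches()) return null;
        return number;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String number = extractNumber(getIntent().getData());
        if (number == null) {
            finish(); // malformed or unexpected link: do nothing at all
            return;
        }
        // ACTION_DIAL only opens the dialer with the number filled in; the
        // user still has to press call. ACTION_CALL would place the call with
        // no confirmation, which is what a link should never be able to do.
        Intent dial = new Intent(Intent.ACTION_DIAL, Uri.parse("tel:" + number));
        startActivity(dial);
    }
}
```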

5. Weak Server-Side Controls

It is not uncommon for businesses to expose internal systems for the first time while creating their first mobile applications. Often, these formerly sheltered systems have not been fully vetted against security flaws. Mobile app developers often mistakenly assume that the security of their mobile apps and back-ends is “as secure as the infrastructure at our customers.”

Here's where the issue arises - most back-end APIs assume that the app will be the only thing accessing the servers. However, the servers an app talks to must have security measures in place that prevent unauthorized users from accessing data, whatever client they use. It's critical that back-end services be hardened against malicious attackers. Read on to understand the importance and value of backend security. This means every API call should be authenticated and authorized on the server, and proper access controls employed so that only authorized personnel have access.

About Appknox: Appknox offers peace of mind to brand owners and the developers who create and maintain apps by doing regular security audits of their work, and alerting them to new vulnerabilities as they arise. [Website]

For more on how TeskaLabs’ solution offers active protection to secure your mobile app and its backend, get in touch with our team to get a FREE demo. Alternatively, follow us on Twitter @TeskaLabs.


About the Author

Guest Author

A guest author is an SME of his/her topics or a friend of TeskaLabs.
