The Top 5 Mobile Application Security Issues You Need to Know When Developing Mobile Apps
The article is written by Prateek Panda and first published on Appknox, an online security testing platform for mobile applications.
Recently, a number of established companies, among them Snapchat, Starbucks, Target and Home Depot, have been through a PR disaster. Do you know why? Simply because attackers found flaws in their mobile apps and were able to exploit them.
The fact is that nobody really thinks about mobile security or data privacy when buying a coffee at Starbucks or while playing Angry Birds. In the rare case that someone even thinks about security, consumers always believe that developers would have taken care of it.
They assume that because the app comes from a reputable company, nothing could go wrong.
This is why it is important for companies and developers to be more proactive rather than reactive when it comes to mobile application security. It is important to retain consumer trust if you want to stay in this game for long.
While there are numerous things to look for under security, we've put together a bunch of areas that you can address when building mobile apps.
1. Insecure Data Storage
In the US, the Starbucks mobile app is one of the most widely used apps for mobile payment. Consumers simply enter their passwords once when activating the payment portion of the app and use it again and again to make unlimited purchases without having to re-input their password or username.
This might seem great when you talk about convenience. The sad truth is that on 16 January 2014, the Starbucks app, the most used application in the US, with 10 million customers, was found to be storing user credentials in plain text format. When CNBC reported that user data had been compromised, 3 million people deleted the app from their mobile devices. In 24 hours, the app fell from 4th highest grossing app to number 26. Starbucks scrambled to release an update later that week, too late.
The same clear-text data also exposed users' geolocation tracking points. With this information in hand, unauthorized individuals would also have had the credentials to log into the Starbucks website. People often reuse the same username and password across accounts, so there is potential to compromise additional user accounts as well.
As a developer, you should focus on designing apps in such a way that critical information such as passwords and credit card numbers do not reside directly on a device. If they do, they must be stored securely. Data should always be stored within an encrypted data section, and the app should be marked to disallow backup.
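To make the "do not store it, and if you must, store it encrypted" advice concrete, here is an added Android example (not code from the article, Appknox or Starbucks). It shows the plain-text SharedPreferences pattern behind the finding above next to a hardened alternative that keeps only a server-issued session token, encrypted with a Keystore-backed key via the AndroidX security-crypto library. The file names, key names and the assumption that the back end issues a revocable session token are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;

import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.security.GeneralSecurityException;

/**
 * Credential storage on Android, added example.
 *
 * Pair this with android:allowBackup="false" on the <application> element
 * of AndroidManifest.xml so the preference files are never copied into
 * device or cloud backups.
 */
public final class CredentialStore {

    private static final String INSECURE_FILE = "auth";           // hypothetical
    private static final String SECURE_FILE = "secure_session";   // hypothetical
    private static final String KEY_TOKEN = "session_token";

    private CredentialStore() {}

    /**
     * INSECURE: writes the password into an XML file under
     * /data/data/<package>/shared_prefs/. MODE_PRIVATE only keeps other apps
     * on an unrooted device out; backups, rooted phones and forensic
     * extraction all read it in the clear.
     */
    public static void saveCredentialsInsecurely(Context ctx, String user, String password) {
        SharedPreferences prefs = ctx.getSharedPreferences(INSECURE_FILE, Context.MODE_PRIVATE);
        prefs.edit()
             .putString("username", user)
             .putString("password", password)   // plain text on disk
             .apply();
    }

    /**
     * Hardened: never persist the password at all. Exchange it once for a
     * server-issued, revocable session token and keep only that token,
     * encrypted with a key held in the Android Keystore.
     */
    public static void saveSessionToken(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        encryptedPrefs(ctx).edit().putString(KEY_TOKEN, token).apply();
    }

    public static String loadSessionToken(Context ctx)
            throws GeneralSecurityException, IOException {
        return encryptedPrefs(ctx).getString(KEY_TOKEN, null);
    }

    /** Drop the token on logout so nothing sensitive outlives the session. */
    public static void clearSession(Context ctx)
            throws GeneralSecurityException, IOException {
        encryptedPrefs(ctx).edit().remove(KEY_TOKEN).apply();
    }

    private static SharedPreferences encryptedPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        // The master key lives in the (hardware-backed where available)
        // Android Keystore; only ciphertext ever reaches the file system.
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                SECURE_FILE,
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

The important design choice is the first one, not the encryption: a session token the server can revoke limits the damage of any device compromise, whereas a stored password, encrypted or not, is reusable on the website and on every other account where it was recycled.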
2. SSL Issues
One of the most common issues we've seen in mobile apps is with SSL. Most of the time, developers do not look closely at how SSL is used, and the implementation is often faulty: the server certificate is not verified and the TrustManager is overridden so that it accepts anything. Lack of proper transport layer protection is an invitation for attackers to exploit your app. Click to read how the SeaCat solution protects the mobile app, its data and the backend from SSL as well as other typical issues.
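The "broken TrustManager" mentioned above usually looks like the first method in this added example (not code from the article or from SeaCat): an X509TrustManager with empty check methods plus a hostname verifier that returns true, which together disable every certificate check. The second method shows the hardened form with OkHttp: keep the platform's default chain validation and hostname verification, and pin the server's public-key hash on top. The host name and the pin values are placeholders, not real pins.

```java
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** TLS client configuration on Android, added example. */
public final class TlsClients {

    private TlsClients() {}

    /**
     * BROKEN: every certificate is accepted and no hostname is checked, so
     * anyone in a network position (public Wi-Fi, a rogue access point) can
     * present their own certificate and read or alter the traffic. This code
     * is usually copied from a forum answer to silence a self-signed
     * certificate error during development and then ships to production.
     */
    public static OkHttpClient trustEverythingClient() throws Exception {
        X509TrustManager acceptAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { acceptAll }, null);
        HostnameVerifier anyHost = (hostname, session) -> true;   // second hole: no hostname check
        return new OkHttpClient.Builder()
                .sslSocketFactory(sslContext.getSocketFactory(), acceptAll)
                .hostnameVerifier(anyHost)
                .build();
    }

    /**
     * Hardened: default validation stays in place (no custom TrustManager,
     * no custom HostnameVerifier), and the server's SPKI hash is pinned so a
     * mis-issued or user-installed CA certificate is not sufficient either.
     */
    public static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Hypothetical host and placeholder pins. Pin the leaf or the
                // intermediate's SPKI hash and always ship a backup pin, or a
                // key rotation will lock out every installed copy of the app.
                .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
                .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

A quick way to catch the broken variant during a review is to grep the code base for `checkServerTrusted` and `HostnameVerifier` implementations; in a correctly configured app there is normally no reason for either to exist.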
3. Data Leakages
Brands are on a roll to grab personal data. Why shouldn't they? After all, being able to personalize marketing offers to consumers is a key digital business goal. But it's essential that this desire to gather personal data doesn't compromise a consumer's privacy.
For instance, media reports recently contended that the NSA had tapped popular smartphone apps like Angry Birds to gather an enormous amount of personal data -- including age, location, gender, and more.
Now you know what a "leaky" app means.
It's not just consumer apps that are at risk. Consider a healthcare app that is used to track how often a patient experiences a particular symptom of a disease. If the app also contains analytics that report how often that same section of the application is viewed, someone with analytics access can infer the medical condition of a particular user -- and place the provider in violation of HIPAA.
We've scanned many apps that use low-grade analytics providers and advertising APIs. It is important to keep an eye on what data moves, and how, when and where it moves. Hackers actively scout for this gold mine of information: your DATA.
4. Untrusted Inputs
Mobile apps accept data from various sources, and the absence of sufficient encryption gives attackers easy access to cookies and environment variables. When security decisions on authentication and authorization are made based on the values of these inputs, attackers can bypass your security.
For example, in 2012 a flaw in Skype security allowed hackers to open the Skype app and dial arbitrary phone numbers using a simple link in the content of an email. Similarly, a bug in the iPhone 1 OS enabled hackers to listen in on phone conversations when those phones were connected to insecure wireless networks. Any app that accepts data from external sources must validate every input it uses.
All this is complex, but it is not rare. Remember, an easy-to-use app won't win you any points if you put customer or enterprise data at risk.
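The Skype case above is the textbook example of an app acting on a link it did not originate. This added example (not code from the article or from Skype) shows the defensive shape of a deep-link handler on Android: the scheme and host are checked against an allowlist, each parameter is validated against a strict pattern, unknown paths are dropped, and a sensitive action such as placing a call never takes its target from the link at all. The host, paths and support number are hypothetical.

```java
import android.net.Uri;

import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Validation of externally supplied deep links, added example. */
public final class DeepLinkValidator {

    /** What the app may do next; the UI still confirms anything sensitive with the user. */
    public static final class Action {
        public final String type;    // "SHOW_ORDER" or "CONFIRM_CALL"
        public final String value;   // validated order id, or the app's own support number
        Action(String type, String value) { this.type = type; this.value = value; }
    }

    // Hypothetical values for the example.
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("app.example.com");
    private static final Pattern ORDER_ID = Pattern.compile("^[A-Za-z0-9-]{8,32}$");
    private static final String SUPPORT_NUMBER = "+15550100000";   // owned by the app, never by the link

    private DeepLinkValidator() {}

    /**
     * Returns the action encoded in the link, or null if anything about the
     * link is unexpected. Everything in the Uri is attacker-controlled: it
     * arrived from an e-mail, a web page or another app.
     */
    public static Action parse(Uri uri) {
        if (uri == null) return null;
        // Only HTTPS links to our own host; tel:, file:, custom and
        // javascript-style schemes are all rejected up front.
        if (!"https".equals(uri.getScheme())) return null;
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;

        String path = uri.getPath() == null ? "" : uri.getPath();
        switch (path) {
            case "/order": {
                // Allowlist the value's shape; do not try to "clean" a bad one.
                String id = uri.getQueryParameter("id");
                if (id == null || !ORDER_ID.matcher(id).matches()) return null;
                return new Action("SHOW_ORDER", id);
            }
            case "/call-support":
                // The link may ask for a call, but the number comes from the
                // app's own configuration, so no link can dial an arbitrary
                // number. The UI shows a confirmation before using ACTION_CALL.
                return new Action("CONFIRM_CALL", SUPPORT_NUMBER);
            default:
                return null;   // unknown paths are dropped, not handled "as best we can"
        }
    }
}
```

Two habits carry most of the value here: validate by allowlist (what is expected) rather than by blocklist (what looks dangerous), and keep the decision about what the app does separate from the data the link carries, so that a link can at most choose between actions the app already intended to offer.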
5. Weak Server-Side Controls
It is not uncommon for businesses to expose internal systems for the first time when creating their first mobile applications. Often, these formerly sheltered systems have never been fully vetted for security flaws. Mobile app developers mistakenly assume that the security of their mobile apps and back ends is "as secure as the infrastructure at our customers."
Here's where the issue arises - most back-end APIs assume that the app will be the only thing that ever accesses the servers. However, the servers that an app accesses should have security measures in place to prevent unauthorized users from accessing data. It's critical that back-end services be hardened against malicious attackers. Read on to understand the importance and value of backend security. This means every API call should be authenticated, and proper authorization checks employed so that only authorized users have access to each piece of data.
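The "only our app will call this API" assumption usually shows up as a back end that trusts a user id supplied in the request. This added server-side example (not code from the article or Appknox) contrasts that with a handler that derives identity only from the server's own session lookup of the bearer token and applies an object-level ownership check to every read. The in-memory session and order tables are constructed sample data; a real service would use its session store and database.

```java
import java.util.HashMap;
import java.util.Map;

/** Server-side authentication and authorization for a mobile back end, added example. */
public final class OrderApi {

    /** Raised for any request that must be refused; the HTTP layer maps it to 401/403. */
    public static final class Forbidden extends RuntimeException {
        Forbidden(String msg) { super(msg); }
    }

    public static final class Order {
        public final String id;
        public final String ownerUserId;
        public final String contents;
        Order(String id, String ownerUserId, String contents) {
            this.id = id; this.ownerUserId = ownerUserId; this.contents = contents;
        }
    }

    private final Map<String, String> sessions = new HashMap<>();   // bearer token -> user id
    private final Map<String, Order> orders = new HashMap<>();      // order id -> order

    /** Constructed sample data so the class can be exercised stand-alone. */
    public OrderApi() {
        sessions.put("tok-alice-1", "alice");
        sessions.put("tok-bob-1", "bob");
        orders.put("o-100", new Order("o-100", "alice", "latte, no sugar"));
        orders.put("o-200", new Order("o-200", "bob", "espresso"));
    }

    /**
     * INSECURE: identity is whatever the client put in the request body.
     * Anyone who can alter the request (a proxy, a modified copy of the app,
     * a script that never saw the app) reads any user's order just by
     * changing userId. "Only our app calls this" is not a security control.
     */
    public Order getOrderInsecure(String clientSuppliedUserId, String orderId) {
        Order o = orders.get(orderId);
        if (o == null) throw new Forbidden("not found");
        if (!o.ownerUserId.equals(clientSuppliedUserId)) throw new Forbidden("not yours");
        return o;
    }

    /**
     * Hardened: identity comes only from the server-side session associated
     * with the bearer token; the client cannot name a user. The ownership
     * check uses that identity, and missing and foreign orders get the same
     * response so that order ids cannot be probed.
     */
    public Order getOrder(String bearerToken, String orderId) {
        String userId = bearerToken == null ? null : sessions.get(bearerToken);
        if (userId == null) throw new Forbidden("unauthenticated");
        Order o = orders.get(orderId);
        if (o == null || !o.ownerUserId.equals(userId)) throw new Forbidden("forbidden");
        return o;
    }

    /** Minimal demonstration of the two paths. */
    public static void main(String[] args) {
        OrderApi api = new OrderApi();
        // Insecure path: a request that claims to be alice reads alice's order without any token.
        System.out.println("insecure: " + api.getOrderInsecure("alice", "o-100").contents);
        // Hardened path: bob's token cannot read alice's order.
        System.out.println("hardened: " + api.getOrder("tok-alice-1", "o-100").contents);
        try {
            api.getOrder("tok-bob-1", "o-100");
        } catch (Forbidden f) {
            System.out.println("hardened: bob denied (" + f.getMessage() + ")");
        }
    }
}
```

The same rule applies to every other parameter that encodes a privilege (account numbers, tenant ids, role flags): the server resolves them from the authenticated identity, and treats any copy sent by the client as untrusted input to be checked, not as a statement of fact.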
About Appknox: Appknox offers peace of mind to brand owners and the developers who create and maintain apps by doing regular security audits of their work, and alerting them to new vulnerabilities as they arise. [Website]