The Top 5 Mobile Application Security Issues You Need to Know When Developing Mobile Apps
The article is written by Prateek Panda and first published on Appknox, an online security testing platform for mobile applications.
Recently, a number of established companies such as Snapchat, Starbucks, Target and Home Depot have been through a PR disaster. Do you know why? Simply because attackers found flaws in their mobile apps and were able to exploit them.
The fact is that nobody really thinks about mobile security or data privacy when buying a coffee at Starbucks or while playing Angry Birds. In the rare case that someone does think about security, consumers assume that the developers have taken care of it.
They think that the app is from a reputable company, so what could possibly go wrong?
This is why it is important for companies and developers to be more proactive rather than reactive when it comes to mobile application security. It is important to retain consumer trust if you want to stay in this game for long.
While there are numerous things to look at under the heading of security, we've put together five areas that you can address when building mobile apps.
1. Insecure Data Storage
In the US, the Starbucks mobile app is one of the most widely used apps for mobile payment. Consumers simply enter their passwords once when activating the payment portion of the app and use it again and again to make unlimited purchases without having to re-input their password or username.
This might seem great when you talk about convenience. The sad truth is that on 16 January 2014, the Starbucks app, the most used application in the US, with 10 million customers, was found to be storing user credentials in plain text. When CNBC reported that user data had been compromised, 3 million people deleted the app from their mobile devices. Within 24 hours, the app fell from the 4th highest grossing app to number 26. Starbucks scrambled to release an update later that week, but it was too late.
The plain-text data also included users' geolocation tracking points. With this information in hand, unauthorized individuals would have had the credentials to log into the Starbucks website as well. People often reuse the same username and password across accounts, so there was a potential to compromise additional user accounts.
As a developer, you should design apps in such a way that critical information such as passwords and credit card numbers does not reside directly on the device. If it must, it has to be stored securely: data should always be kept in an encrypted data section, and the app should be marked to disallow backup.
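As an added example (not code from the article or from Appknox), here is what the storage advice above looks like on Android using the Jetpack Security library (androidx.security:security-crypto). The anti-pattern behind the Starbucks incident would be writing the password itself into an ordinary SharedPreferences XML file; this version stores only a server-issued session token and encrypts it with a key kept in the Android Keystore. The class, file and key names are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

/** Added example: encrypted at-rest storage for a session token (names are assumptions). */
public final class CredentialStore {
    private static final String PREFS_FILE = "secure_session_prefs"; // assumed file name
    private static final String KEY_SESSION_TOKEN = "session_token";  // assumed key name

    private final SharedPreferences prefs;

    public CredentialStore(Context context) throws GeneralSecurityException, IOException {
        // The master key is generated in, and never leaves, the Android Keystore.
        MasterKey masterKey = new MasterKey.Builder(context)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();

        // Both keys and values are encrypted before they reach the XML file on disk,
        // so a copy of the file (backup, rooted device, forensic image) yields no plain text.
        prefs = EncryptedSharedPreferences.create(
                context,
                PREFS_FILE,
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    /** Store a short-lived token issued by the server after login, never the password itself. */
    public void saveSessionToken(String token) {
        prefs.edit().putString(KEY_SESSION_TOKEN, token).apply();
    }

    /** Returns the stored token, or null when the user has not logged in on this device. */
    public String loadSessionToken() {
        return prefs.getString(KEY_SESSION_TOKEN, null);
    }

    /** Called on logout so nothing usable remains on the device. */
    public void clear() {
        prefs.edit().clear().apply();
    }
}
```

The "disallow backup" half of the advice is a manifest setting rather than code: set `android:allowBackup="false"` on the `<application>` element of AndroidManifest.xml so the preferences file is not copied into device or cloud backups.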
2. SSL Issues
One of the most common issues we've seen in mobile apps concerns SSL. Most of the time, developers do not dive deep into how SSL is used, and the implementation is often faulty: SSL certificates are not verified and the TrustManager is broken. The lack of proper transport-layer protection is an invitation for attackers to exploit your app. Click to read how the SeaCat solution protects mobile apps, data, and backends from SSL and other typical issues.
3. Data Leakages
Brands are on a roll to grab personal data. Why shouldn't they? After all, being able to personalize marketing offers to consumers is a key digital business goal. But it's essential that this desire to gather personal data doesn't compromise a consumer's privacy.
For instance, media reports recently contended that the NSA had tapped popular smartphone apps like Angry Birds to gather an enormous amount of personal data -- including age, location, gender, and more.
Now you know what a "leaky" app means.
It's not just consumer apps that are at risk. Consider a healthcare app that is used to track how often a patient experiences a particular symptom of a disease. If the app also contains analytics that report how often that same section of the application is viewed, it is possible for someone with analytics access to determine the medical condition of a particular user -- and place the provider in violation of HIPAA.
We've scanned many apps that use low-grade analytics providers and advertising APIs. It is important to keep an eye on what data moves, and how, when and where it moves. Hackers actively scout for this gold mine of information: your DATA.
4. Untrusted Inputs
Mobile apps accept data from various sources, and the absence of sufficient encryption gives attackers easy access to cookies and environment variables. When security decisions about authentication and authorization are based on the values of these inputs, attackers can bypass your security.
For example, in 2012 a flaw in Skype's security allowed hackers to open the Skype app and dial arbitrary phone numbers using a simple link in the body of an email. Similarly, a bug in the iPhone 1 OS enabled hackers to listen in on phone conversations when those phones were connected to insecure wireless networks. Any app that accepts data from external sources must validate every such input before it is used.
All this is complex, but it is not something that happens rarely. Remember, an easy-to-use app won't win you any points if it puts customer or enterprise data at risk.
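The Skype link case above is an app acting on external input without checking it first. As an added example (not from the article), the plain-Java validator below shows the shape of such a check for a deep link: an allowlisted scheme, host and path, and a phone number that is only ever validated and displayed, never dialed by the app on its own. The hosts, paths and the Rejected exception type are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example: validating links and numbers that arrive from outside the app (allowlists are constructed). */
public final class UntrustedInput {

    /** Thrown for any input the app refuses to act on (assumed helper type). */
    public static final class Rejected extends Exception {
        public Rejected(String why) { super(why); }
    }

    // Hosts and paths this app is willing to act on; everything else is dropped.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");
    private static final Set<String> ALLOWED_PATHS = Set.of("/order", "/profile");
    // Digits only, optional leading '+': no letters, separators or dial-control characters.
    private static final Pattern PHONE = Pattern.compile("^\\+?[0-9]{3,15}$");

    /** Validate a link received from an email, web page or other app before routing on it. */
    public static String validateDeepLink(String raw) throws Rejected {
        URI uri;
        try {
            uri = new URI(raw).normalize(); // collapse "/../" segments before the path check
        } catch (URISyntaxException | NullPointerException e) {
            throw new Rejected("malformed URI");
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new Rejected("scheme must be https");
        }
        if (uri.getRawUserInfo() != null) {
            // "https://app.example.com@other.example/" parses with other.example as the host.
            throw new Rejected("user-info component not allowed");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new Rejected("host not allowed");
        }
        String path = uri.getPath();
        if (path == null || !ALLOWED_PATHS.contains(path)) {
            throw new Rejected("path not allowed");
        }
        return path; // the caller routes on this value only, never on the raw string
    }

    /** A number from a link is checked and returned for display; the decision to call stays with the user. */
    public static String validatePhoneNumber(String raw) throws Rejected {
        if (raw == null) throw new Rejected("no number");
        String number = raw.trim();
        if (!PHONE.matcher(number).matches()) throw new Rejected("not a plain phone number");
        return number;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate link and two that must be refused.
        String[] links = {
            "https://app.example.com/order",
            "https://app.example.com@other.example/order",
            "http://app.example.com/order/../admin"
        };
        for (String link : links) {
            try {
                System.out.println("accepted " + link + " -> " + validateDeepLink(link));
            } catch (Rejected r) {
                System.out.println("rejected " + link + " (" + r.getMessage() + ")");
            }
        }
    }
}
```

On Android, a number that passes validatePhoneNumber should be handed to an Intent.ACTION_DIAL intent, which opens the dialer with the number filled in and waits for the user to press call, rather than Intent.ACTION_CALL, which places the call immediately; that single choice is what separates "show the user a number" from the behaviour described for Skype.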
5. Weak Server-Side Controls
It is not uncommon for businesses to expose internal systems while creating their first mobile applications. Often, these formerly sheltered systems have not been fully vetted for security flaws. Mobile app developers are somehow under the impression that the security of their mobile apps and back-ends is "as secure as the infrastructure at our customers."
Here's where the issue arises: most back-end APIs assume that the app will be the only thing accessing the servers. However, the servers an app accesses should have security measures in place to prevent unauthorized users from reaching the data. It's critical that back-end services be hardened against malicious attackers. Read on to understand the importance and value of backend security. This means every API call should be verified, and proper security methods should be employed to ensure only authorized personnel have access.
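As an added example (not code from the article or from Appknox), the plain-Java sketch of an order-lookup API below shows the difference between trusting the app and verifying each call on the server: the weak form accepts a user id the client sends along, while the hardened form resolves the caller from a server-issued session token and checks on every call that the caller owns the record. The in-memory maps, record types and token scheme are assumptions standing in for a real session store and database.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: weak vs hardened server-side access control (stores are constructed stand-ins). */
public final class OrderApi {

    public record Session(String userId, long expiresAtEpochSec) { }
    public record Order(String orderId, String ownerUserId, String summary) { }

    private final Map<String, Session> sessionsByToken = new ConcurrentHashMap<>();
    private final Map<String, Order> ordersById = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Weak server-side control: the server believes whatever user id the app puts in the request. */
    public Optional<Order> getOrderWeak(String userIdFromClient, String orderId) {
        Order o = ordersById.get(orderId);
        if (o == null) return Optional.empty();
        // Anyone who can send an HTTP request can send someone else's user id here.
        return o.ownerUserId().equals(userIdFromClient) ? Optional.of(o) : Optional.empty();
    }

    /** Hardened form: identity comes from a token the server issued, ownership is checked per call. */
    public Optional<Order> getOrder(String bearerToken, String orderId, long nowEpochSec) {
        Session s = bearerToken == null ? null : sessionsByToken.get(bearerToken);
        if (s == null || s.expiresAtEpochSec() <= nowEpochSec) {
            return Optional.empty(); // unauthenticated or expired: the HTTP layer answers 401
        }
        Order o = ordersById.get(orderId);
        if (o == null || !o.ownerUserId().equals(s.userId())) {
            return Optional.empty(); // missing or not owned: answer 404 without saying which
        }
        return Optional.of(o);
    }

    /** Issued after the user has authenticated (login flow not shown): 32 random bytes, short-lived. */
    public String issueSession(String userId, long nowEpochSec, long ttlSec) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessionsByToken.put(token, new Session(userId, nowEpochSec + ttlSec));
        return token;
    }

    public void addOrder(Order o) {
        ordersById.put(o.orderId(), o);
    }

    public static void main(String[] args) {
        OrderApi api = new OrderApi();
        api.addOrder(new Order("o-1", "alice", "two lattes")); // constructed sample data
        long now = 1_000_000L;
        String bobToken = api.issueSession("bob", now, 900);

        // Weak form: bob simply claims to be alice and gets her order.
        System.out.println("weak:     " + api.getOrderWeak("alice", "o-1").isPresent());
        // Hardened form: bob's own session cannot reach alice's order, and a stale token gets nothing.
        System.out.println("hardened: " + api.getOrder(bobToken, "o-1", now).isPresent());
        System.out.println("expired:  " + api.getOrder(bobToken, "o-1", now + 901).isPresent());
    }
}
```

The same two checks, a server-verified identity and a per-record ownership test, belong on every endpoint the app calls, not only the ones that look sensitive; the back-end has no way to tell whether a request came from the real app or from a script replaying its traffic.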
About Appknox: Appknox offers peace of mind to brand owners and the developers who create and maintain apps by doing regular security audits of their work, and alerting them to new vulnerabilities as they arise. [Website]
Photo credits: Depositphotos