Common Mobile App Security Threats and Making Your Mobile App More Secure
In a recent survey, Arxan found that despite the ever-increasing threat to app data and mobile app security, only 32% of respondents said that their organization feels an urgency to secure mobile app data, and only 42% of respondents said that their organization felt securing IoT app data was an urgent matter. For many companies, the lack of budget for proper security measures means that corners are often cut in security, risking both sensitive company data and private user information.
Additionally, over 429 million identities were reported compromised, and a Symantec report claims that at least 113 million compromised identities were not reported by the company at fault. Including the estimated amount of unreported breaches, it’s estimated that more than 500 million sets of personal information were exposed in 2015.
Common App Security Threats
What are some of the most common security threats in mobile apps, and how can you secure your app’s data and user information?
Single Device Usage
Many mobile apps, especially enterprise-level applications, contain sensitive corporate information that must be secured in every way possible, right down to securing the device itself. This is a challenge, however, as most people, even many C-level executives, only regularly use one mobile device. This means that sensitive company information is mixed with less-secure personal information, risking security breaches.
App Store Security Threats
The same Arxan report also found that while device type does impact security, most apps contain significant vulnerabilities, and nearly 90% of all apps have vulnerabilities with two or more of the Open Web Application Security Project (OWASP) Top 10 Mobile Risks.
Apple requires you to undergo a strict audit of security checks to ensure all apps in the Apple App Store have at least basic levels of security. Apple takes its apps’ security very seriously and allows its individual users to determine the level of access each app has for themselves. For example, Apple’s HealthKit allows the individual user to determine which apps have access to their personal health information, usually by prompting the user with a popup to confirm access for each app.
Android apps tend to have higher security risks than Apple apps due to Android’s wider range of device type/operating system combinations and Android’s more lax app store requirements. Additionally, Android users can choose to download apps from “Unknown Sources”, which allows just about anyone to make apps, including ones that could cause security breaches, available for download.
Jailbroken devices obviously cause even more of a security risk, but neither Android nor iOS devices need to be jailbroken to be vulnerable. All operating systems have faced security breaches, with both paid apps and free apps causing safety issues for users. 56% of Apple’s top 100 paid apps and 53% of its most popular free apps have seen security breaches. Comparatively, a full 100% of the top 100 paid apps and 73% of the most popular free apps in the Google Play store have been hacked in the past.
Cross-Device Security Threats
Mobile devices aren’t the only place secure information can be compromised. Many app stores allow mobile users to download apps from their desktop devices and add to their mobile devices, posing what is referred to as a “Cross-Over Threat.” For example, Windows devices have been vulnerable to a type of malware that exploits a user’s browser cookies, usually containing login credentials and personal information, and uses them to impersonate the user and install apps onto a device without the user’s knowledge. This is just one example of how cross-device functionality can present opportunities to hackers and security breaches.
It’s no surprise that with every new advancement in technology, improvements in malware and hacking methods are just around the corner. The “Internet of Things” (IoT), or “smart” devices, continue to pop up in our homes, vehicles and jobs, just about anywhere information can be collected to automate tasks. The purpose of IoT devices is always to collect user data and use that information to make “smart” automation decisions. Similarly to Android’s security disadvantage of having a vast number of operating system and device combinations, many, if not most, IoT devices allow connections from many other operating systems, making the actual security of these devices extremely difficult to control.
Many IoT devices don’t require any secure ‘login’ point, providing little to no protection from unauthorized access to the data being collected. Some IoT devices don’t even have a screen, much less authorization security (smart coffee makers, smart mattresses, smart home lighting systems, etc.). Additionally, many IoT devices are still relatively new to the market, meaning security measures tend to be reactive to data breaches and hacking rather than preventative. These factors pose difficult challenges in keeping stored user information secure.
To learn more about IoT device vulnerabilities, read the 2017 Study on Mobile and IoT Application Security, which was independently conducted by Ponemon Institute LLC.
With so many variations and security challenges, what is the best way to secure mobile apps?
Areas to Ensure Your App’s Code is Secure
Your app’s authentication is the method with which users ‘authenticate’ themselves, or log into your app. While it’s obvious that all applications should have at least some level of user authentication, 2-step authentication is recommended for optimal security. 2-step authentication requires exactly what you might expect: an initial password/passcode and a second form of authentication, usually confirmed through the device itself via pop-ups or SMS-delivered passcodes.
“Data at rest” is user information that your app collects and then stores on the device when not in use. Any and all sensitive data on the device should be encrypted, with the encryption key also secured. Your mobile app should not store any user information that it doesn’t need, and temporary data should be deleted as soon as it is not in use. Whenever possible, you should design your apps in a way that does not require user information to be stored on the device.
“Data in transfer” is user information that is received by and transmitted from the user’s device. You should use an SSL certificate (an https URL) when sending information to and from your servers, so that data is encrypted in transit and is exchanged only with a trusted source.
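The "data in transfer" advice above in code, as an added example that is not part of the original article: the weak TLS client setting (no certificate or hostname verification, which accepts any server that answers) beside the corrected one, plus two checks a reviewer can run over an app's configuration. It uses only Python's standard `ssl` and `urllib.parse` modules; `is_context_hardened` and `is_safe_api_url` are hypothetical helper names.

```python
import socket
import ssl
from urllib.parse import urlsplit


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting. This is what "just make the certificate error go away"
    looks like: the chain is not validated and the hostname is not checked, so an
    impersonating server with any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """The corrected setting. The default context validates the chain against the
    platform trust store and checks the certificate matches the hostname; we also
    refuse to negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx


def is_context_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context actually verify the peer?"""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def is_safe_api_url(url: str) -> bool:
    """Audit check for endpoint strings: https only, a real host, and no embedded
    credentials (user:password@host), which would end up in logs and history."""
    parts = urlsplit(url.strip())
    return parts.scheme == "https" and bool(parts.hostname) and parts.username is None


def open_verified_connection(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the hardened context. Raises ssl.SSLCertVerificationError (a
    subclass of ssl.SSLError) instead of silently talking to an untrusted peer."""
    ctx = secure_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

Treat `CERT_NONE` or `check_hostname = False` in shipped client code as a finding, not a configuration choice: on a mobile device, the attacker on the same coffee-shop network is exactly the peer this verification exists to reject.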
Debugging and Updates
Since both helpful and malicious technologies are always advancing, new security breach methods are continuously being invented. Subjecting your app to regular, ongoing debugging and maintenance will not only allow you to protect your current app and users, but it will also ensure that your app stays secure for the foreseeable future.
You should look for weaknesses and vulnerabilities at every stage of development, and include a debugging phase for each stage. Hackers tend to work very quickly and target mobile apps that are not subjected to regular updates and maintenance. On a regular basis, you should walk through each stage of your app, screen each stage for weaknesses, harden them, then send out patches and updates.
Additionally, your app should require regular version checks to ensure that your app is up to date on the user’s device. This will help to ensure that out-of-date patches and versions are not a risk to current versions and user data.
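The version check described above on the server side, as an added example that is not part of the original article: the API reads the version the client reports and refuses service below a minimum supported release. It also handles the classic failure mode of comparing version strings lexically, where `"1.10.0" < "1.9.0"` is true and a newer client gets locked out (or an older one let in). The `X-App-Version` header, the version format and the function names are assumptions for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Assumed: clients send "major.minor.patch" in this header on every request.
VERSION_HEADER = "X-App-Version"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse "major.minor.patch" into integers so comparison is numeric, not lexical."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def update_required(client_version: str, minimum_supported: str) -> bool:
    """True when the client must update before it may use the API.
    An unparseable version string fails closed: treat it as too old."""
    client = parse_version(client_version)
    floor = parse_version(minimum_supported)
    if client is None or floor is None:
        return True
    return client < floor


def check_version_header(headers: Dict[str, str], minimum_supported: str) -> Tuple[int, str]:
    """Request-handler shape: returns (HTTP status, message). 426 Upgrade Required
    is the status a client can recognise and turn into an 'update the app' prompt."""
    reported = headers.get(VERSION_HEADER)
    if reported is None or update_required(reported, minimum_supported):
        return 426, "Update required"
    return 200, "OK"
```

Raise the minimum only after the fixed build has been in the store long enough for users to have received it, and bump it promptly once a release is known to have a patched data-handling flaw, since clients on that release are the ones the advice above is about.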
There are many tools available to help you scan your mobile apps, depending on the device(s) for which you are developing. Check out the full list of OWASP.org Vulnerability Scanning Tools here.
Securing the Device
As a developer, you are not able to fully control the security of a user’s device itself, especially if the device has been jail-broken or otherwise compromised. Using the most common jailbreak detection methods in the hardening phases of development can help you prevent breaches of sensitive information. Jailbreak detection methods include file-based detection, API-based detection, OpenSSH service detection, and Cydia scheme detection, and can alert you when a user’s device may have been compromised.
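The file-based and API-based checks named above, as an added example that is not part of the original article. In a shipping iOS app this logic lives in native code; it is written in Python here, with the filesystem probes injectable, so it can run on any machine against constructed results and the decision logic can be tested. The artifact paths are a commonly cited set associated with jailbreak tooling (Cydia, apt, MobileSubstrate, sshd) and are an assumption to be tuned per platform; all function names are hypothetical.

```python
import os
from typing import Callable, Iterable, List

# Assumed list of filesystem artifacts typically present only on jailbroken iOS devices.
# Order matters only for reproducible reports.
JAILBREAK_PATHS = [
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
]


def find_jailbreak_artifacts(path_exists: Callable[[str], bool] = os.path.exists,
                             candidates: Iterable[str] = JAILBREAK_PATHS) -> List[str]:
    """File-based detection: which known artifacts are present on this device."""
    return [p for p in candidates if path_exists(p)]


def try_write_file(path: str) -> bool:
    """Real probe for the API-based check: attempt a write outside the app sandbox.
    On an intact device the sandbox denies it (OSError); success means escaped."""
    try:
        with open(path, "w") as fh:
            fh.write("probe")
        os.remove(path)
        return True
    except OSError:
        return False


def sandbox_escaped(try_write: Callable[[str], bool] = try_write_file,
                    probe_path: str = "/private/jailbreak_probe.txt") -> bool:
    """API-based detection: a sandboxed app must not be able to write here."""
    return try_write(probe_path)


def assess_device(artifacts: List[str], escaped: bool) -> str:
    """Decision: any single indicator marks the device as compromised. What the
    app does next (refuse to cache data at rest, require re-authentication,
    report to the backend) is a product policy decision, kept outside this function."""
    return "compromised" if artifacts or escaped else "clean"


def device_report(path_exists: Callable[[str], bool] = os.path.exists,
                  try_write: Callable[[str], bool] = try_write_file) -> dict:
    found = find_jailbreak_artifacts(path_exists)
    escaped = sandbox_escaped(try_write)
    return {"artifacts": found, "sandbox_escaped": escaped,
            "status": assess_device(found, escaped)}
```

None of these checks is conclusive on its own, since tooling exists that hides each indicator; treat a positive result as a signal that sensitive data should not be persisted on this device, not as proof, and keep the server-side controls from the earlier sections in place regardless.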
By securing the code and application environment within which an app is used, you can create a safe and secure mobile app for your users. What other security methods have you implemented in your app development? Share your thoughts on our social media channels!