COMMON MOBILE APP SECURITY THREATS AND HOW TO MITIGATE THEM
Can you definitely say, is your app secure? Will all the built-up infrastructure provide safety for all the confidential data your app stores? Your developers implemented all the standard security measures. Great! What kind of threats those standard measures should protect your app from? And what additional protection do you need to consider implementing? Let’s take a look at this tricky question.
Classification of security threats
Cyber threats could originate from various sources. You’ll never know who, when, and why will decide to attack your app. Maybe some bored hacker in search of easy money, or maybe some ruthless Russian hacker gang in search of personal data of your users. But most of the time some particular parts of your infrastructure are being attacked. So, we can divide the common cyber threats by the target they use to break in. There are two main big groups — technological and sociological threats.
The sociological type of threat is a huge field for research. Scams, phishing, social engineering, various types of deceit, and ways to get personal data or other valuables through the flaws of human nature. Your system could have the most proficient security measures, but your employees still are only humans. Without proper training and corporate confidentiality procedures, instructions, and NDAs, your system could be vulnerable, just because one of your workers used an unsecured public WI-FI with his/her laptop.
Human is a weak part of any system. Like in cars — you could have the most tuned car, but if the driver seriously fails, the car will be smashed. That’s why cheating employees of the target company to get access to databases, backend, servers with phishing emails, fake websites, and some in-live deceptions is one of the most common types of cyber crimes. As it was said — this is a huge topic, and we won’t concentrate on it right now. Instead, let’s consider technical threats in detail.
Technological threats
Insecure Connection
It’s often easier to rob a money collector, than a bank. Same with the information — obvious vulnerability is the connection and transition stage. Usually, in mobile apps, data is transferred in a client-server fashion through the internet. And if this connection happens through an unprotected network, intruders might use that breach to intercept information or user data. It could be done with some malware, pre-uploaded on a mobile device (through a jailbroken app for example) or on a network device; or through a compromised local network.
How to prevent intrusions through insecure connection?
Standard security measures won’t make your app entirely secure. If someone wants to steal your data, it can be done. The main thing is that if the data is encrypted, then it would be useless to intruders. Avoid using any unencrypted connection in your system. Use industry-standard cipher suites with appropriate key lengths, and certificates signed by a trusted provider. TLS/SSL should be implemented not only for authentication but also on the transport channels that the app uses to transmit sensitive data. Apply an additional layer of encryption to all confidential data for transportation through the SSL channel, so even if it’s compromised, the additional protection will be a secondary defense.
Bad input validation
Input validation is the procedure of checking everything the user enters into the application to ensure data is formatted properly and prevent harmful code from getting in and triggering malfunction in the app. Without proper validation, attackers could add some malicious code and gain access to databases of your app, and all the confidential data. The validation isn’t a primary measure of defense against intruders, but it will filter the malicious data if set properly.
How do avoid weak input validation?
Use a number of programming techniques that can enforce data correctness. Set a strict value range check for dates and numbers, with a check of strings length. Set up input validation against XML Schema and JSON Scheme.
Also, except for setting up validation on the frontend with JS, apply the proper validation on the backend. Because the intruders could outflank the frontend restrictions and try to input data directly to the server. The main strategy of good input validation should be not constant filtering definitely bad data, but strictly defining and allowing only the range of definitely good data. Set up the correct patterns for all types of input data (like credit card numbers, emails, phone numbers, etc.).
Insecure Data Storage
This is one of the most significant app vulnerabilities, that can occur. Speaking of apps, your data is your main property. If the intruders could get access to the data storage of your app, they could modify your app to extract any of your data. Such a breach could lead to severe financial losses due to personal data theft, theft of intellectual property, etc. But there is a difference between breaking into the local storage of your app on the device or your main data storage on the server. It is necessary to take into account that attackers have multiple options for which way to break into your data storage.
How to prevent data storage insecurities?
First and foremost, corporate security policies. Your company should have a strictly verified data storage security policy for each level and demand the rigorous execution of procedures.
Introduce strict accounting of your data. You should know what data you have (not literally by each file, of course, but by the type and amounts of data). Then, you should introduce a proper classification of your data. Thus, you will know exactly where and what type of data is stored, which sections of your storage you have to defend with more effort, and which could be protected with basic encryption. For example, personal data of your users, financial information, and messaging (if present) must be attributed to the most sensitive type of data. Engage proper encryption and permission policies for the local data of your app, to keep the important data, located on the user’s device, secure.
Enforce additional security mechanisms for access to your management interfaces. Multifactor authentication for all administrators of your app, an isolated network for those, who work with management interfaces
Data Loss Prevention (DLP) — one of the strongest data security solutions. DLP software monitors and identifies all the actions with your data and can prevent unauthorized transit. Basically, DLP is data police.
Code security
Vulnerabilities of your app’s code are a part of the human factor in your app security regulations. Every programmer could make a mistake, more significant is to identify that mistake and fix it before code will be added to the product. But manual code reviewing is a huge time-consumer.
How to keep bad code off your app?
It’s best, when all programmers, involved in the development of your app, follow the same secure coding practices. This involves strict corporate regulations and management of your IT department. But, it doesn’t threaten you, if you are dealing with a third-party agency for developing and maintaining your app. It’s their job — to provide flawless code, use external platforms for testing software before deploying it in the final product, set up the additional software for code reviews, etc. If you need professional code security, let it be written by professionals. If the app is only a part of your business, an additional feature for your clients’ convenience, it’s cheaper to delegate the development of an app to the specialists’ team.
By the way, if you want to learn how much does it cost to develop an app from the scratch — this article will help
Insufficient Authentication
Poor authentication and authorization controls are like old rusty barn locks. It will secure your belongings only from intruders with bare hands. If they have at least a hammer, they could open such a lock with not much effort. Login and password were not enough a long time ago. Such a flaw allows intruders to easily steal the account of your user, using social engineering or phishing emails. What is worse, if those who have admin-level of permissions in your app will be attacked, then the intruders will gain access to the backend of your app and could do anything.
How to prevent authentication vulnerabilities?
- The minimum safety measure is Two-Factor Authentication (with email or phone number).
- Set up a strictly limited list of permissions for admins and managers.
- Use one-time passwords and time-limited sections.
Poor Encryption
Imagine you encrypted a message and then forgot a decryption key. Eventually, data is lost. You can try to pick the right key, spending hours. In the computer’s encryption algorithm everything is thousands of times more complicated, but software can break the code thousands of times faster than humans can. As a result, weakly encrypted data could be decrypted in hours. Intruders can get access to your seems protected data, including confidential information. And even if you use the most advanced encryption, you have to store the decryption keys somewhere. This storage could be compromised, damaged, stolen, or accidentally erased. And the attackers won’t go for encrypted data, they will spend too much time and resources breaking it. They will go for the keys to get everything at once if succeeded.
How to avoid the negative consequences of poor encryption?
- Use only modern encryption algorithms and encrypted APIs for mobile platforms.
- Implement encryption in layers, and create multi-level protection, so if one layer will be broken or decrypted, there will be more to break.
- Engage strict permissions and rules of access to decryption keys.
Reverse Engineering
If the potential intruder can see your code, he/she can analyze how your app functions on the backend and figure out how to attack it in the best way. Most software products are made by the template, hence the structure of a substantial part of code could be predicted, altered, and used against the app itself.
How to prevent reverse engineering?
Limit the possibility of observing the source code from the client-side and all the unnecessary functionality. Users should be allowed to interact only with functions, created for them, not more. And any code, that could be observed by the user, should be obfuscated — altered to be harder to read and understand without changing the functionality.
Low update frequency
Each update of the operating system of devices your app work on could change the result of your code’s work and open some new vulnerabilities and breaches in the protection system due to incompatibility. Your app should be constantly adjusted to the current version of the device’s software. The obvious solution is to keep updating and maintaining your app if you want to keep secure and profitable.
Read our previous article to know how much does it cost to maintain and tech support your app
Most common modern security measures and techniques
Above, we listed a number of solutions that should be implemented from the start of the development process to provide a sufficient level of security for your app. Along with them, there are several common methods of regular security checking of the mobile apps, software infrastructure, and the company cybersecurity in general.
We will review these methods in detail in our next article, but now we will describe them briefly. Notionally, there are 3 concepts of challenging the security infrastructure: security test, security assessment, and security audit.
A test, (penetration test, for example) is checking the specific system’s performance and looking for open breaches. Or a pen test, when “white hats” try to break into the system intentionally, to simulate the attack and to see, what is accessible to the intruder.
A security assessment is a comparison of the ideal state of the system (how it’s planned to work) and the current operational state. Comparison of system’s reactions and responses in presence of vulnerability and without.
A security audit is a separate concept and differs from tests and assessments. It’s more global and includes checking the whole organization’s security system, policies, and rules implementation. Companies can conduct audits themselves or hire a separate company. Now, we are talking about security audits of IT companies, but it’s available for any kind of company of any industry because in the modern digitalized world cybersecurity rules are acceptable for almost every business.
Conclusion
The mobile app, like any other software, is a complex system, which requires constant attention to security processes. If you are doing business and your app earns money, there always will be a reason to attack you. Maybe for money, for extortion, to steal the personal data of your users. Perhaps, dishonest competitors want to bring you down. And as you see above, there are plenty of ways to do that. If to look from this point of view, your app is never secure. But, you can make your app disadvantageous to break in. Because your protection will take too much time and resources to hack in. The solution is simple:
- set up all the business and development processes according to the security rules from the start;
- meet all the current security standards for 100% and a bit more;
- do not neglect security checking — inscribe it into your budget as a mandatory expense;
- monitor the system status and keep an eye on any suspicious activity.
Code Harbor could help you not only to conduct a skilled security check on your existing app but also arrange the whole process of development, maintenance, and security of your project. If you have any ideas or issues on your mind — visit our website, set up a call for a free consultation, and let’s discuss!
