lolloj - Fotolia
4 mobile app security threats all developers must face
Mobile apps carry their own set of code-based vulnerabilities and entry points, meaning developers need to step up their secure development, coding and deployment practices.
Mobile application development requires software teams to configure multitudes of communication and component layers in order to function properly. Unfortunately, each layer a developer adds to a mobile app increases the attack surface and opens new intrusion points. As such, development teams that do not properly secure each layer of their mobile apps and services risk compromising business-critical data, user safety and device control.
The important thing to remember is how many of these vulnerabilities reside in the application code itself. Whether an organization has a dedicated security team or not, developers play a crucial role when it comes to protecting these mobile applications -- not just in terms of patching them, but implementing strategies that actually monitor and proactively address potential threats.
This article will help developers understand more about their role in mobile security efforts by examining four of the most common -- but extremely dangerous -- mobile app security threats. We also examine the particular tooling, practices and coding standards that act as the remedies for each one of these threats.
Code injection
Code injection occurs when an attacker adds malicious code through a GUI, data connection point or other vector that provides access to application code. For example, consider if a login form field does not have any proper input validation, such as value restrictions. This presents an opportunity for a hacker to easily enter any character or even a JavaScript code snippet to compromise user data.
To prevent this, it's important to stick to the following guidelines:
- Adhere to strict coding guidelines that help eliminate potential mobile app security threats, such as proper separation between business and technical exceptions.
- Carefully identify input sources and apply proper input validation techniques, such as specified variable types, standard encoding schemes and targeted penetration testing.
- Ensure that it is difficult to reverse engineer code by using source code analysis tools like Quick Android Review Kit (QARK).
Client-side storage and data leakage
Mobile apps typically need to access -- or transfer -- data from outside sources, such as another application, which exposes user data. Developers often want to store data on the client side so an application can work even if it is offline. However, attackers can easily access, modify and manipulate the sensitive data that makes up the back end of an application. Additionally, if the device is stolen, hackers can retrieve sensitive data from the device's internal storage.
To mitigate these risks, adopt these data management tools and habits:
- Use automation and third-party static analysis tools such as OWASP Zed Attack Proxy (ZAP) to detect memory leaks.
- Identify particularly vulnerable mobile data sources, such as messaging logs, contact lists, browsing histories and hotspot connections.
- Keep mobile device operating systems updated, and enforce user policies around device use and secure app installation.
Poor identity management and cryptography
Inadequate authentication enables anonymous users to operate mobile apps and compromise the client, or even gain access to the underlying application systems through improperly secured admin accounts. Even if an attack manages to breach and decode a single application service that needlessly contains sensitive operational data, it easily opens a door to your entire app ecosystem. Improper or weak cryptography algorithms also allow attackers plenty of wiggle room to decrypt data.
Make sure your team follows strict coding practices such as the following:
- Keep up to date with modern cryptography algorithms and proper key management, such as RSA algorithm and Advanced Encryption Standard.
- Install safeguards such as token-based security, multifactor authentication, firewalls and session timeouts.
- Use the principle of least privilege, which states that particular application services should only have access to the data they need to operate.
Inadequate transport layer protection
The route used to transfer data between a server and the client is a critical area of concern, since data flows over both carrier networks and the internet. Attackers can use this juncture as an easy intrusion point to the data pipeline. Also, if that data is not properly protected by secure protocols, this data becomes ammunition for a direct attack on your system.
Here are some ways you can better secure these crossroads of application data:
- Become familiar with and carefully implement verified network traffic security protocols such as Secure Sockets Layer and Transport Layer Security.
- Consider if you need to implement a virtual private network mechanism that adds an extra layer of protection for mobile access.
- Perform regular threat modeling that identifies specific vulnerabilities associated with certain operating systems, mobile frameworks, device platforms and external APIs.
- Employ tools that detect vulnerabilities and also integrate application security testing with the development process, such as those provided by Veracode.