APP SECURITY: TOP 10 RISKS AND HOW TO DEAL WITH THEM
According to the 2016 State of Application Security report, 90% of the 126 tested apps had at least two critical security vulnerabilities. So if you thought mobile security wasn’t a particularly pressing concern these days, now you can see why that would be a huge mistake. Read on to learn why app security is such an important issue, which dangers developers should take into account while creating a mobile app, and how to prevent these crises.
WHY SHOULD YOU CARE ABOUT APP SECURITY?
App security is a top concern in mobile today, and with good reason – a recent study from the Ponemon Institute on the cost of data breaches found that the average organizational cost of a data breach incident in 2015 was a staggering $3.8 million.
What’s more, money is not the only price you pay for security issues in your mobile product. You’ll also lose the trust users placed in your app, compromising the strength and credibility of your brand.
So what can you do to prevent such situations? Here are the 10 top app security risks, together with practical tips to help you mitigate them and develop a reliable mobile product that offers a great user experience and keeps user data safe.
1. DATA STORAGE VULNERABILITIES
Mobile devices keep short-term information around for as long as possible. Caching this data is how they stay fast, and since users hate lagging apps, caching is inevitable.
However, this type of storage makes mobile devices more susceptible to security breaches, because cached information is relatively easy to access.
What type of data are we talking about? Here are some of the most common pieces of data stored on mobile devices:
- Authentication tokens
- Location data
- Personal data (address, credit card data)
- Application data (application logs, cached app messages, transaction histories)
One way to improve the security of data stored by your app is to require a password. However, bear in mind that users don’t like passwords, so think twice about whether this solution will actually benefit your enterprise or simply discourage users.
Another strategy for mitigating data caching risks is to program the cache to be wiped automatically every time the mobile device reboots.
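The reboot-wipe strategy described above, as an added example that is not code from the original article: cache entries are tagged with the boot session in which they were written, so everything cached before a reboot is discarded the next time the app loads its cache, and entries also expire after a short TTL. The `/proc` boot-id path is Linux-specific and the `RebootBoundCache` name, TTL and sample values are assumptions for illustration.

```python
"""Added example (not from the original article): a short-lived cache that
never survives a device reboot."""
import json
import time
from typing import Callable, Dict, Optional


def current_boot_id() -> str:
    """Linux exposes a fresh random id per boot; other platforms need their
    own equivalent (assumption: some per-boot identifier is available)."""
    try:
        with open("/proc/sys/kernel/random/boot_id") as fh:
            return fh.read().strip()
    except OSError:
        return "unknown-boot"


class RebootBoundCache:
    """Entries expire after ttl_seconds and are dropped when the boot id changes."""

    def __init__(self, boot_id: str, ttl_seconds: int = 300,
                 now: Callable[[], float] = time.time) -> None:
        self.boot_id = boot_id
        self.ttl = ttl_seconds
        self._now = now
        self._entries: Dict[str, dict] = {}

    def put(self, key: str, value: str) -> None:
        self._entries[key] = {"boot": self.boot_id, "ts": self._now(), "value": value}

    def get(self, key: str) -> Optional[str]:
        entry = self._entries.get(key)
        if entry is None or entry["boot"] != self.boot_id:
            return None
        if self._now() - entry["ts"] > self.ttl:   # stale: drop it on read
            del self._entries[key]
            return None
        return entry["value"]

    def dump(self) -> str:
        """Serialise for on-disk persistence between app launches."""
        return json.dumps(self._entries)

    @classmethod
    def load(cls, serialised: str, boot_id: str, **kwargs) -> "RebootBoundCache":
        """Reload a dump; every entry written under a different boot id is wiped."""
        cache = cls(boot_id, **kwargs)
        for key, entry in json.loads(serialised).items():
            if entry.get("boot") == boot_id:
                cache._entries[key] = entry
        return cache

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    cache = RebootBoundCache(current_boot_id(), ttl_seconds=60)
    cache.put("auth_token", "constructed-sample-token")
    print("entries after load under the same boot:",
          len(RebootBoundCache.load(cache.dump(), current_boot_id())))
    print("entries after load under a new boot:",
          len(RebootBoundCache.load(cache.dump(), "different-boot-id")))
```

On a real device the dump would live in the app's private storage and `load` would run at start-up with the platform's current boot identifier; the same check can be applied to any other persisted short-term data.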
2. LACK OF SUFFICIENT TRANSPORT LAYER PROTECTION
Mobile apps usually exchange data in a client-server fashion. With an insecure app, third parties can see that data as it travels across the carrier network and the Internet.
These malevolent third parties are commonly called threat agents. They can be users local to your network, thanks to a compromised or monitored WiFi. A threat agent can also be the carrier or a network device – anything from proxies to cell towers and routers. Yet another type of threat agent is malware installed on the user’s phone before the app in question.
The best way to protect your app’s users against this threat is to take extra care with code quality. Remember to add transport layer protection (TLS) so that the data is encrypted for the whole journey.
3. NO SECURITY TESTING
When you’re rushing to release your app, security might not be your top concern. But it’s not smart to release a product without first testing it properly for data breach threats.
When testing your app, make sure to check every input path for security. This includes sensors, the camera, GPS, and the platform itself. Your app can’t be completely safe from malware or viruses, but testing lets you spot its potential weak points.
A word of warning – never let your users see your crash and debug logs. They’re full of information that helps hackers pinpoint potential vulnerabilities in your app.
Remember that the Android debug log is cleared when the device is rebooted, but your app is exposed until that moment.
If you’re developing an app for iOS, make sure your developers disable NSLog statements in release builds – this step will boost the speed of your app as well.
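The logging advice above, as an added example that is not code from the original article: a logger that drops debug output entirely in release builds and redacts secrets from whatever is still logged, so a leaked log carries less for an attacker to work with. It is written in platform-neutral Python rather than Android or iOS code; the `RELEASE` flag, the regex patterns and the sample log lines are constructed assumptions.

```python
"""Added example (not from the original article): release-safe logging with
secret redaction."""
import logging
import re

RELEASE = True  # assumption: set from the build configuration

# Constructed patterns for the kinds of data the article lists (tokens, card
# numbers, session identifiers); extend them for your own data formats.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(bearer\s+)[a-z0-9._-]+"), r"\1[REDACTED]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[CARD]"),
    (re.compile(r"(?i)(session(?:id)?=)[^&\s]+"), r"\1[REDACTED]"),
]


def redact(message: str) -> str:
    """Replace anything matching a secret pattern before it reaches a log sink."""
    for pattern, replacement in SECRET_PATTERNS:
        message = pattern.sub(replacement, message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrites each record's message in place before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()          # message is already fully formatted
        return True


def build_logger(name: str = "app", release: bool = RELEASE) -> logging.Logger:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.addFilter(RedactingFilter())
    # Release builds keep only warnings and errors; DEBUG/INFO never reach output.
    logger.setLevel(logging.WARNING if release else logging.DEBUG)
    logger.addHandler(logging.StreamHandler())
    return logger


def debug_enabled(logger: logging.Logger) -> bool:
    """True only for debug builds; lets a test confirm release silences DEBUG."""
    return logger.isEnabledFor(logging.DEBUG)


if __name__ == "__main__":
    log = build_logger(release=False)
    # Constructed sample lines; the secrets are placeholders, not real values.
    log.warning("Authorization: Bearer eyJabc.def-ghi")
    log.warning("paid with 4111 1111 1111 1111 ok")
    log.warning("GET /api?sessionid=abc123&x=1")
```

Redaction is a safety net, not a substitute for not logging secrets in the first place; the filter is applied to the logger so every handler (console, file, crash reporter) receives the scrubbed text.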
4. WEAK ENCRYPTION
If you think any encryption algorithm is bulletproof, you’re making a huge mistake. Technology is constantly evolving, and older encryption algorithms become easy to crack.
By not paying enough attention to the encryption technologies used in your app or deciding not to use them at all, you’re asking for trouble.
If your app requires users to input sensitive data such as personal identification or credit card information, you simply need excellent encryption.
5. INSECURE COMMUNICATION WITH SERVERS
If your app handles sensitive information, it will be accessing particular servers. You need to ensure that these have strong security measures in place to prevent unauthorized users from accessing the data stored on them.
Whether you’re storing app data on your own servers, or servers of a third-party system, you need to make them secure with SSL certificates and encryption.
6. POOR AUTHENTICATION/AUTHORISATION MEASURES
Both the app and the systems to which it connects should be protected with proper authorization and authentication measures.
That’s how you make sure that only authorized users, devices and systems transmit data to the app, while unauthorized users, devices, and scripts are identified and blocked.
7. HANDLING OF UNTRUSTED INPUTS
If you believe that inputs such as environment variables, cookies, or hidden form fields can’t be modified, you’re putting your app at risk. An attacker can change any of these with a customized client.
If you make any authentication or authorization decisions on the basis of such input, the app’s security will be compromised.
You can deal with this risk using good encryption, integrity checking, and other mechanisms that identify which inputs come from outside your trust boundary, so they are never trusted blindly.
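The integrity checking recommended above for sections 6 and 7, as an added example that is not code from the original article: an authorisation token whose claims are bound to an HMAC, so a field the client controls (here a `role` claim) cannot be changed without the server noticing, with an expiry so a captured token has a limited life. The key, claim names and helper names are constructed assumptions; a real deployment generates a random secret and keeps it server-side.

```python
"""Added example (not from the original article): HMAC-protected claims so
that authorisation decisions never rest on unverified client input."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed demo key; never hard-code a real one.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(user: str, role: str, ttl_seconds: int = 3600,
                key: bytes = SERVER_KEY, now: Callable[[], float] = time.time) -> str:
    """Server side: bind the claims to an HMAC so any change to them is detectable."""
    claims = {"user": user, "role": role, "exp": int(now()) + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Callable[[], float] = time.time) -> Optional[dict]:
    """Return the claims only if the tag matches and the token is unexpired; else None."""
    try:
        body, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
        given = base64.urlsafe_b64decode(tag)
    except ValueError:                       # missing separator or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):   # check integrity before parsing
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now():
        return None
    return claims


def is_admin(token: str, now: Callable[[], float] = time.time) -> bool:
    """An authorisation decision that depends on a client-supplied field, made safely."""
    claims = verify_token(token, now=now)
    return bool(claims) and claims.get("role") == "admin"


def edit_claim_without_resigning(token: str, field: str, value) -> str:
    """Models a modified client altering a field it does not control; the test
    input that verify_token must reject."""
    body, tag = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims[field] = value
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag


if __name__ == "__main__":
    token = issue_token("alice", "user")
    print("genuine token admin?", is_admin(token))
    print("edited token admin?", is_admin(edit_claim_without_resigning(token, "role", "admin")))
```

The same pattern applies to cookies and hidden form fields: anything that leaves the server and comes back is signed on the way out and verified on the way in, and the decision is made on the verified copy only.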
8. SIDE CHANNEL DATA LEAKS
You also need to prepare your app for side channel attacks. A side channel attack uses information leaked by the physical implementation of a cryptosystem, such as timing or power consumption; it targets weaknesses in how your encryption is implemented rather than in the algorithm’s mathematics.
That’s why you should make it hard to observe the movement of data in your app. Attackers watching how your data moves, or when and where it’s transmitted, can use those patterns to find and exploit holes in your encryption.
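A concrete instance of the implementation leak described above, as an added example that is not code from the original article: a comparison of secrets that returns at the first differing byte leaks, through its running time, how much of the secret a caller has already matched, while a constant-time comparison does not. The helper names and the measurement harness are assumptions; Python timing is noisy, so the harness is for illustration and production code should call `hmac.compare_digest`.

```python
"""Added example (not from the original article): timing-leaky versus
constant-time secret comparison."""
import hmac
import secrets
import statistics
import time
from typing import Callable


def naive_equal(a: bytes, b: bytes) -> bool:
    """Stops at the first mismatch, so run time reveals the length of the matching prefix."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Touches every byte whatever the input; the idea hmac.compare_digest implements in C."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_mac(expected: bytes, candidate: bytes) -> bool:
    """What production code should call: the standard library's constant-time comparison."""
    return hmac.compare_digest(expected, candidate)


def median_ns(compare: Callable[[bytes, bytes], bool], secret: bytes,
              guess: bytes, rounds: int = 2000) -> float:
    """Median wall-clock nanoseconds for one comparison of secret against guess."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        compare(secret, guess)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)                       # constructed sample secret
    wrong_first = bytes([secret[0] ^ 1]) + secret[1:]      # mismatch at byte 0
    wrong_last = secret[:-1] + bytes([secret[-1] ^ 1])     # mismatch at byte 31
    for name, fn in (("naive", naive_equal), ("constant", constant_time_equal)):
        print(f"{name:8s} first-byte mismatch: {median_ns(fn, secret, wrong_first):.0f} ns"
              f"  last-byte mismatch: {median_ns(fn, secret, wrong_last):.0f} ns")
```

Running the script shows the naive comparison taking visibly longer when only the last byte differs; the constant-time version shows no such dependence. The same care applies to any branch or memory access that depends on secret data, which is why apps should rely on the platform's vetted crypto libraries rather than hand-written routines.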
9. RISK OF CLIENT SIDE INJECTION
If you’re developing an Android app, remember that your app is downloaded and run client side, which means that its code and local data reside on the user’s device.
And since any source of data can be an injection point, you risk an attacker performing SQL injection against the app’s local database on the client device. Ensure that developers follow platform-specific practices, such as parameterized queries, to mitigate this risk.
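The client-side injection risk above, as an added example that is not code from the original article: a query built by string concatenation against a local SQLite database beside the parameterized form, with an in-memory table of constructed sample rows so the difference can be observed offline. Python's `sqlite3` stands in for the platform database API; the table, rows and function names are assumptions.

```python
"""Added example (not from the original article): string-built versus
parameterized queries against a local SQLite store."""
import sqlite3
from typing import List


def open_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows belonging to two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes(owner, body) VALUES (?, ?)",
                     [("alice", "alice note"), ("bob", "bob note")])
    return conn


def notes_for_vulnerable(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Vulnerable: the caller-supplied value becomes part of the SQL text."""
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_safe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


if __name__ == "__main__":
    db = open_demo_db()
    crafted = "alice' OR '1'='1"   # a value that closes the quote in the string-built query
    print("vulnerable:", notes_for_vulnerable(db, crafted))
    print("safe      :", notes_for_safe(db, crafted))
```

On Android the equivalent is to pass values through `selectionArgs` in `SQLiteDatabase.query` or `rawQuery` rather than building the SQL string, and the same rule holds for any other local query language the app uses.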
10. BAD MANAGEMENT OF SENSITIVE INFORMATION
If your app gets hacked, your own data might be at risk as well. Attackers can use it to mine other systems for account access, credit card data, usernames, passwords, and more.
Regularly scan your data for exposure resulting from breaches, and keep a close eye on this risk.
EXTRA TIP: HOW TO PROTECT YOUR APP AGAINST PHYSICAL SECURITY BREACHES?
You can’t prevent a mobile device from being stolen or lost.
What you can do is implement a local session timeout which requires users to periodically re-enter a password to access the app. It doesn’t have to be daily – it can be weekly, or every five times they use your app.
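The local session timeout described above, as an added example that is not code from the original article: a policy object that demands the password again after a maximum age (weekly by default) or after a maximum number of uses (five), whichever comes first, and an `open_app` flow that applies it. The class and function names, the persistence format and the injected clock are assumptions for illustration.

```python
"""Added example (not from the original article): re-authentication policy
for a lost or stolen device."""
import json
import time
from typing import Callable, Optional


class ReauthPolicy:
    """Ask for the password again after max_age_seconds since the last successful
    entry, or after max_uses launches, whichever comes first."""

    def __init__(self, max_age_seconds: int = 7 * 24 * 3600, max_uses: int = 5,
                 now: Callable[[], float] = time.time) -> None:
        self.max_age = max_age_seconds
        self.max_uses = max_uses
        self._now = now
        self.last_auth: Optional[float] = None
        self.uses_since_auth = 0

    def record_successful_auth(self) -> None:
        self.last_auth = self._now()
        self.uses_since_auth = 0

    def record_app_use(self) -> None:
        self.uses_since_auth += 1

    def needs_reauth(self) -> bool:
        if self.last_auth is None:                         # never authenticated
            return True
        if self._now() - self.last_auth > self.max_age:    # too old
            return True
        return self.uses_since_auth >= self.max_uses        # used too many times

    def to_json(self) -> str:
        """State to keep in the app's private storage between launches."""
        return json.dumps({"last_auth": self.last_auth, "uses": self.uses_since_auth})

    def restore(self, serialised: str) -> None:
        state = json.loads(serialised)
        self.last_auth = state.get("last_auth")
        self.uses_since_auth = int(state.get("uses", 0))


def open_app(policy: ReauthPolicy, prompt_password: Callable[[], bool]) -> bool:
    """Run at launch: prompt when the policy says so, refuse entry if that fails."""
    if policy.needs_reauth():
        if not prompt_password():
            return False
        policy.record_successful_auth()
    policy.record_app_use()
    return True


if __name__ == "__main__":
    policy = ReauthPolicy()
    for launch in range(1, 8):
        opened = open_app(policy, lambda: True)   # stand-in for the real password dialog
        print(f"launch {launch}: opened={opened}, uses since auth={policy.uses_since_auth}")
```

The check runs before each launch's use is counted, so with `max_uses=5` the sixth launch prompts; the policy state should be stored alongside the app's other protected data so a reinstall or a cleared cache does not silently extend the window.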
The above list of top app security risks should be enough to convince you that app security is a serious issue. And the more popular your app gets, the more susceptible it will become to hackers.
To prevent those risks, make sure to cover all of these vulnerability points when developing your app, and build a product that keeps user data highly secure.
Following these tips, you’ll be on your way to delivering an app which offers a fantastic and secure experience.