Mobile App Security: Common Issues and Solutions
According to the Check Point 2021 Cyber Security Report, 46% of companies have had at least one employee download a mobile application with severe security issues.
With that in mind, we’ve decided to look at some of the most common mobile app security threats, and secure best practices to follow when developing your own mobile application.
1. Improper Use of Development Platform
iOS and Android platforms each come with developer features and tools that provide standard security controls. One of the biggest vulnerabilities and threats in mobile applications comes from these tools being either misused, or ignored altogether.
If a developer creates an app without fully understanding the platform, their app is likely to have a number of security flaws. By knowing the tools and their security controls, developers will be well set up to follow mobile app security best practices.
Three examples of improper platform use include:
For both Android and iOS
Both platforms offer ways for developers to implement permission checks properly. Not doing so can leave an app especially vulnerable to being hacked.
iOS devices use keychain to store sensitive information, which can be exploited if not implemented properly.
Likewise, Android developers should use the Compatibility Test Suite to ensure compatibility among all the components of the application. Such incompatibilities often lead to security issues.
It’s also worth mentioning that whichever platform a developer is working on, knowing the common risks and solutions for mobile app security also involves threat modelling. Doing this lets the team map out the security issues for their application so that they know the weak points in the technical design. They can then take some time to learn the controls in the platform and figure out how to implement them.
2. Data Storage in Offline Apps
There are four main types of applications to develop: native apps; web applications; hybrids, which are a bit of both; and newer ones which are called progressive web applications (PWA).
Most mobile apps can work offline – especially progressive ones and native apps. There are plenty of use cases for mobile apps that allow this as it lets people work offline then reconnect at a later time to save or upload data.
The problem for a developer is they need to provide everything for the app to work, without a persistent online connection. Generally, on a client-server architecture, the user makes some requests in the app, and those go back to the server, which processes data and gives the user a result. Apps that work offline need to do all of that within the app, which can be one of the major vulnerabilities and threats in mobile applications. It means an attacker has the full codebase at their disposal, rather than the most security-critical code (covering things like authentication and authorisation) being on the server-side.
The same solutions apply for both online and offline apps, but it’s even more important for offline working. Common issues are to do with data storage on the app. For example, if an app user doesn’t have a password on their phone and they lose their phone, an attacker can then get into the database. There could be some authentication built-in, but if the data is not stored correctly there can be other ways around it. Storing credentials and other sensitive information properly in an encrypted database is essential.
3. Insecure Communication
Typical mobile app security best practices involve encrypting communication between the app and the server. This creates a secure channel that ensures no data is tampered with or intercepted in transit.
One of the typical vulnerabilities and threats in mobile applications comes from a developer overlooking an aspect of this data communication they see as unimportant and failing to encrypt it. Then it turns out in hindsight that it was important after all!
Ideally, all information communicated between app and server would be encrypted using proper algorithms and strong cyphers to ensure that encryption cannot be broken.
The solution is to implement industry-standard controls – often specified by the tools and systems mentioned in point one above. One example is not to rely solely on symmetric cryptography with hardcoded keys as the only method of encryption.
These industry standards are ever-evolving, and staying up to date with them is no small task. This is one big reason to work with a specialised software company such as ourselves.
4. Reverse Engineering
Another important mobile security threat and best practice to cover here is the danger of reverse engineering – and how to protect against it.
With mobile apps, a lot of the codebase is in the hands of the user. Attackers will use specific tools (for instance, IDA Pro) to unpick the code in an effort to learn how it works, and to figure out how to exploit some of these functionalities.
For instance, authentication systems are really a way of an app asking the user “are you are who you say you are?” If the user cannot supply the proper credentials, then they fail the authentication. If, however, an attacker can reverse engineer an app, they can bypass that, allowing them to say “yes I am” and unlock that part of the mobile app. That makes reverse engineering one of the biggest risks to mobile apps security.
There are several ways to address this. One is using obfuscation techniques on publicly available code to make it impossible for attackers to decipher. A lot of others depend on the platform used to create the app, since the tools used to reverse engineer a vulnerable app will be part of that ecosystem.
That, in effect, takes us back to the first point about knowing the platform and its tools. Developers who do will be in the best position to secure their apps against the significant security threat that reverse engineering poses.
5. Poor Quality Code
Quality code is always written with security in mind. Bad-quality code is more likely to create the optimal context for vulnerabilities to be exploited. In other words: the worse the code quality, the more potential vulnerabilities, and the easier for an attacker to access parts of the app they shouldn’t be able to.
Two examples of common risks and solutions for mobile app security regarding code quality include making sure that the app is properly signed with a valid security certificate, and releasing the app in release mode rather than debug mode.
The over-arching solution for code quality however is to implement secure coding practices as defined by OWASP, which was founded to help developers write secure code and is considered a highly-regarded industry standard.
Secure Apps Designed Around Your Needs
At DCSL GuideSmiths, we follow all of the mobile app security best practices mentioned above, including observing industry standard security guidelines for writing secure code.
If you need a secure mobile app designed for your business, visit our mobile app development page. For extra peace of mind and the best in application security, see our application security testing services page.
Not sure where to start with mobile app security best practices? Get in touch to talk through your needs.