Mobile App Security for Developers
In 2016, 69% of business departments reportedly used two to five mobile applications, and their employee use increased by 66% over the previous year.
Indeed, mobile platforms are increasingly becoming ubiquitous for businesses. They reflect their constant need to improve productivity and connectivity while saving costs. And like many budding platforms, it’s bound to create tremendous opportunities, especially for enterprise-focused developers.
But how does this affect how data is handled in the digital pipeline?
In June 2017 alone, over 1,000 Android and iOS enterprise apps were reported to have unsecure communication between the apps and their backend systems. Around 43 terabytes of data were exposed, with at least 39 affected apps leaking 280 million records of personally identifiable information (PII). A study in 2016 found that 90% of scanned healthcare and finance-related mobile apps had major security flaws.
These echo the Open Web Application Security Project’s (OWASP) latest list of the most prevalent mobile risks. These comprise superfluous functionalities as well as unsecure data storage and networks. There were also little to no authentication and cryptographic mechanisms in place to deter hackers from reverse engineering and repackaging/spoofing or modifying them.
These apps, for instance, secretly allowed access to device features like the camera or voice recorder, as well as PII like photos, contacts, messages, calendar, location, and browsing history. Obviously, there are significant repercussions when they fall into cybercriminal hands.
Privacy is also at the forefront of mobile app use regardless if it’s a business protecting its corporate data or an end user safeguarding their personal information. These highlight the need for thorough scrutiny into their security to mitigate the misuse of data or prevent malware infection. Recent incidents in Uber, Brightest Flashlight, Path, and Kim Kardashian: Hollywood mobile apps, as well as Xiaomi’s smartphone, are a case in point.
[READ: Secure serverless applications]
The mobile ecosystem is indeed increasingly blurring the line between personal and professional use, what with the adoption of Bring Your Own Device (BYOD) where apps use the same network and access the same data. Despite all these challenges, there are a few things mobile app developers can do to provide corporate resources without compromising the business’s security and privacy.
So what can mobile app developers do?
Enforce the principle of least privilege
Limit the permissions requested to only the necessary information or device components required for your app to function. Exploits and malware leverage the user’s elevated privileges. Mobile devices are no different. Understanding the data you collect gives you the context to define your app’s trust boundary. Ensure that your application programming interface (API) implements this principle in its workflow.
[Trend Micro White Paper: Fake Apps: Feigning Legitimacy]
Implement robust authorization and multi-factor authentication
Flaws in an app's authentication and authorization are common vectors for mobile threats. These enable hackers to impersonate other users via man-in-the-middle attacks, or access the device or the app's functionalities (bypassing PIN codes, injecting malicious code in the app, etc.). These are the bane of online banking apps, for instance, given the profit that can be made from gaining access to an end user’s bank account and stealing financial records. Developers should secure functions like verifying an employee’s user identity or determining what resources a consumer can access or execute within the app.
Implement strong authentication patterns. If you’re already using authentication protocols like OAuth, migrate to the latest standards. OAuth 2.0, for instance, provides single sign-on and third-party authorization without sharing sensitive credentials. Facebook, Microsoft, and Google use OAuth 2.0 for their APIs. For developers whose consumer apps offer in-app purchases, follow Android or Apple’s guidelines. iOS has one for validating receipts with the App Store, for instance.
Ensure that your apps enforce multi-factor authentication. Consider implementing Fast Identity Online (FIDO), an industry specification that securely stores PII in the local device—from biometric data (e.g., fingerprint) and passwords to tokens. FIDO also helps reduce the work developers have to allocate for creating multiple secure login interfaces, which can be challenging if clients run different operating systems (OSes).
Also: build a secure API. It's the lifeblood that underpins the core functions of your app and how data is stored. APIs are also the framework used for accessing backend services and various other applications for users, all of which entail authentication and authorization.
[READ: Using and Securing BYOD Devices]
Impose access policies
Many businesses already have policies for platforms such as those that manage remote access like virtual private network (VPN), firewalls, network, databases, and servers. These reduce the machine’s attack surface. Mobile app developers should also take this into account, especially those involved in homegrown enterprise apps.
Ensure that the libraries and frameworks accessed by the app are secure. Contextual data, e.g., location, time of day, histories or previous transactions, etc., can be used to create authorization/access policies. Ultimately, the app you create should align with corporate policies applied by the organization’s IT/system administrators, or Google Play and Apple’s App Store.
Strengthen your encryption
Adopt best practices and follow industry standards when encrypting your apps (or strengthen the API’s encryption if they already have one). Weakly protected apps are easily spoofed, and attackers can use these repackaged apps to infect devices with malware. There are many code obfuscation and minification tools available to Android app developers, while multi-pass checks and malformed Mach-O binaries are just some that iOS developers can employ. Developers should also implement validation of client code signatures, which prevents sensitive information from leaking.
Developers can also integrate a VPN to further secure the app’s network connections. Consider stacking your application layer protocols with Secure Sockets Layer (SSL) and Transport Layer Security (TLS). There’s also Hyper Text Transfer Protocol Secure (HTTPS) that runs on top of SSL and wraps data into SSL packets.
Apps developed for accessing corporate network and databases (especially via BYOD devices) can also benefit from application containerization, where apps are deployed in a contained environment, like in virtual machines. It prevents the app from interacting with the device’s other (and personal) data and apps.
Conduct regular security testing and vetting
Security flaws are the bread and butter for many mobile threats, which is why regularly testing your app’s source code against vulnerabilities, like input validation issues, is critical. The app should accordingly be agile—easy to patch and update.
There are many tools at the developer’s disposal, such as Trend Micro’s Mobile App Reputation Service, which scans the app for security and resource consumption. OWASP’s list of top mobile risks is a good starting point to check for issues within your app.
Identify the nuances of the platforms you’re creating the app for and take their respective attack surfaces into account. Mapping the components and their interdependence with each other, for instance, can provide developers an overview of data that may be potentially exposed (or stolen). The app’s runtime, binary, and file system should also be further analyzed to check for possible network and client-side attack vectors.
Vetting mobile apps also helps businesses by assessing the apps before they are released to marketplaces like Google Play and Apple’s App Store, and in turn downloaded and installed.
[Trend Micro CTO Insights: Mobile app developers should compete on privacy and security, too]
Security by design
Developers who want to capitalize on the thriving mobile app development industry must go beyond an application’s functionality and ease of use. Privacy and security must also be its selling points—from app specification, coding, testing, and implementation to deployment.
After all, developers are ultimately responsible for maintaining the integrity of their apps throughout their lifecycle. Beyond regular compliance, developers also need to consider the potential risks involved with using their applications, such as the nature of data stored and the users who can access them. Apps that use and share information across the businesses, as well as integrate them to other platforms like social media, should be vetted to ensure they conform to the latest security standards.
Trend Micro™ Mobile Security for Enterprise provide device, compliance and application management, data protection, and configuration provisioning, as well as protect devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent website.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale