Mobile App Security: It’s Important to Check Your Development
Smartphones and tablets have become increasingly popular in recent years, and, as a result, many individuals and organizations are developing mobile apps to make their products constantly available to users.
The growth in mobile app development and the types of information stored in and accessible to these apps have dramatically increased their profile as a target for hackers.
Any one of many simple errors that a developer can make potentially exposes the sensitive data or proprietary code of their app to attackers. This makes a security review of mobile apps crucial before deployment to ensure that an app is not an attacker’s way in to your network and sensitive data.
Potential Mobile App Vulnerabilities
When developing a mobile application, there are numerous ways to make a mistake. Many of these are benign or only affect functionality and will be discovered in the course of quality assurance testing. However, some flaws are more serious and can affect the security of the sensitive data being stored and processed within the application. This section describes some of the biggest mistakes that a mobile application developer can make with regard to data security.
Improper Data Handling
A common theme in data privacy regulations is that sensitive data should be encrypted. This comes down to two issues: determining what data should be considered sensitive, and then properly storing and transmitting that data.
The first of these questions is typically answered by the data privacy regulations applicable based on industry and jurisdiction. For example, HIPAA specifies what health-related data should be protected within the United States, while the General Data Protection Regulation (GDPR) provides general data privacy guidance for organizations that handle personal data of citizens of the European Union.
Properly protecting sensitive data involves encrypting it both at rest and in transit. Improper storage of data at rest can happen in several different ways. During development, data may be stored unencrypted in order to facilitate debugging, and one or more storage locations may be overlooked when transitioning to encrypted storage. If data is stored encrypted, it may be encrypted improperly. The use of a weak encryption algorithm or misuse of a strong one may provide the data with no more protection than storing it unencrypted.
Encryption of data in transit is typically accomplished using the TLS protocol. Using an outdated version of TLS or incorrectly implementing one of the several steps of the TLS handshake or encryption operations may jeopardize the security of the protocol and leave the data essentially unencrypted in transit.
Poor User Identity Management
Another potential security risk in mobile app development is poor management of user identities. If users are required to authenticate with the app to access some or all of its functionality, it is vital that the authentication information be properly stored or handled throughout the entire lifecycle of the application’s usage. Otherwise, the potential exists for a malicious user to modify authentication information and masquerade as another user, granting them access to that user’s account and personal data.
The same principle applies to managing permissions in applications with multiple levels of user access. If an aspect of an app’s functionality requires elevated or specific permissions, the app should verify permissions before executing that functionality rather than relying on the assumption that access to that functionality could only be achieved if the user had the required permissions. Cracked applications allow users to follow unexpected code paths, which may lead them to privileged functionality from untrusted space.
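The two checks described in this section, as an added example that is not part of the original article: identity claims carried in a token the user cannot alter without detection, and a permission check enforced at the privileged function itself. The key, token layout, role names and function names are assumptions for illustration, and the code is assumed to run on a backend the user does not control.

```python
import base64, hashlib, hmac, json

# Assumption: this key lives only on the backend, never inside the app package.
SERVER_KEY = b"constructed-demo-key-not-for-production"

ROLE_PERMISSIONS = {"member": {"read_own_profile"},
                    "admin": {"read_own_profile", "export_all_users"}}

class AccessDenied(Exception):
    pass

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(user: str, role: str) -> str:
    """Serialize the identity claims and append an HMAC-SHA256 tag."""
    body = json.dumps({"user": user, "role": role}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_token(token: str) -> dict:
    """Return the claims only if the tag matches; reject anything malformed."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        raise AccessDenied("malformed token")
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise AccessDenied("token was modified")
    return json.loads(body)

def requires(permission):
    """Check the permission at the function, whatever code path led here."""
    def wrap(func):
        def guarded(token, *args, **kwargs):
            claims = verify_token(token)
            if permission not in ROLE_PERMISSIONS.get(claims["role"], set()):
                raise AccessDenied(f"{claims['user']} lacks {permission}")
            return func(claims, *args, **kwargs)
        return guarded
    return wrap

@requires("export_all_users")
def export_all_users(claims):
    return f"export started by {claims['user']}"
```

A token whose role field is edited on the device fails the tag comparison, and a valid low-privilege token still fails the permission check even if the app's interface has been bypassed.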
Code quality, or lack thereof, is a major concern in mobile app development. Full access to applications allows users to reverse engineer or stress test apps to reveal flaws in the code. A thorough code review is essential for apps with access to sensitive data to ensure that the application cannot be cracked and modified in a way that reveals sensitive data or proprietary code.
One common shortcoming in app code quality is the failure to make proper use of built-in functionality and components of the host device. Both Android and Apple devices have built-in security controls and secure storage that are available to applications. Failure to properly use this functionality can decrease the security of a mobile application.
Another potential failure in code quality is the failure to check for code modifications both at the beginning of runtime and before executing sensitive code. Applications can be modified and recompiled before execution or run in a debugger, allowing real-time modifications. To protect sensitive data and proprietary code, checks should be performed before unpacking or executing sensitive code.
Unintended Data or Functionality
During development, it is often convenient to add comments or test code that aids in the debugging process. These are intended to be removed before release; however, this does not always occur. The existence of comments or dead code may be considered a low priority and ignored due to rapid development processes.
As a result, mobile applications may have unintended embedded data including login credentials, IP addresses and domain names, and other sensitive information. Using reverse engineering tools, a malicious user could take advantage of this embedded information.
The existence of dead code included for debugging purposes can be of use to a malicious user attempting to figure out the details of how an app functions. By modifying the code before execution or using a debugger, a user can achieve the same level of debugging output as a developer, increasing understanding and the probability that a vulnerability or sensitive data will be located. Removing extraneous information and functionality from code is vital to mobile app security.
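A pre-release check for the leftovers described in this section, as an added example that is not part of the original article: it scans source files or extracted strings for embedded credentials, IP addresses, internal host names and debug calls, and blocks the release on embedded data. The patterns, category names and sample files are assumptions constructed for illustration.

```python
import ipaddress
import re

# Patterns are illustrative assumptions; tune them to your own code base.
RULES = {
    "hardcoded-credential": re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["'][^"']{4,}["']"""),
    "internal-hostname": re.compile(
        r"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|corp)\b"),
    "debug-call": re.compile(r"\b(?:Log\.[dv]|NSLog|println|print)\s*\("),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BLOCKING = {"hardcoded-credential", "embedded-ip", "internal-hostname"}

def has_real_ip(line):
    """True if the line holds a syntactically valid, non-loopback IPv4 address."""
    for candidate in IPV4.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            return True
    return False

def scan(files):
    """Return (file, line number, category) tuples; matched values are never echoed."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if has_real_ip(line):
                findings.append((name, lineno, "embedded-ip"))
            for category, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((name, lineno, category))
    return findings

def release_allowed(findings):
    """Debug calls are reported, but only embedded data blocks the release."""
    return not any(category in BLOCKING for _, _, category in findings)

# Constructed sample input standing in for source files or extracted strings.
SAMPLE = {
    "ApiClient.java": 'String BASE = "https://10.20.30.40:8443/api";\n'
                      'String apiKey = "demo-0000-constructed";\n'
                      'Log.d("auth", "token refreshed");\n',
    "strings.xml": '<string name="host">build01.corp</string>\n',
}
```

Running `scan(SAMPLE)` reports one finding per offending line; findings carry only the file, line and category so that the report itself does not leak the secret it found.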
Ensuring Mobile Application Security
Several standards and regulations dictate how user personal data must be stored and protected, making the potential cost of a data breach extremely high. A single oversight in the design or development of a mobile application could result in a violation with a high cost to your organization.
A fresh (expert) set of eyes is often essential to identifying erroneous assumptions or oversights in software development. Before releasing a mobile application with access to sensitive user data, take advantage of the expertise of a team with a background both in mobile application security and the requirements of important data privacy regulations and standards.
Sword & Shield offers expert third-party mobile app security assessment services. Following the OWASP Application Security Verification Standard, our certified GIAC Mobile Device Security Analysts apply their depth and breadth of information security and compliance knowledge to provide a detailed security analysis of your Android, iOS, or Windows phone- or tablet-based app.