Wednesday, January 9, 2019

Best-practice security standards for iOS apps & Android apps

The inconvenient truth about developing a mobile app today is that hackers will find and exploit vulnerabilities in your app to steal data, demand ransoms, ruin your reputation and even destroy your business.

The good news for you is that we know the most common vulnerabilities that hackers will target to compromise your mobile app. Because we know their methods of attack, your developers can code best-practice security mechanisms into your app to reduce the likelihood of a successful breach.

What are the common methods that hackers use to attack mobile apps?

In order of significance and interest to hackers, and therefore your mobile app development team:

  • Insecure user authorisation and authentication 
  • Weak server-side controls 
  • Lack of binary protections 
  • Insecure data storage on the device 
  • Ineffective data transport protection 
  • Unintended data leakage 
  • Execution of malicious code on the mobile device 
  • Exploitation of insecure parameters 
  • Insecure session handling 
The second inconvenient truth about mobile app security is that each of these security vulnerabilities can be reintroduced into the mobile app in any given release, despite not being present in earlier releases.

So you will understand why it is not enough to just trust your app developers to be vigilant every time they type new lines of code. You need to implement proper processes to ensure that the following security mechanisms are validated before new releases of your mobile app go live.

Global software security best-practice also dictates that all major releases of your mobile app that have significant additions to changes should also be penetration tested by a specialist mobile app penetration testing company.

Mobile App Security Tip 1: Use Token-Based Authentication To Access APIs

Many mobile apps use ineffective and insecure authentication methods. This leads to data leaks that allow hackers to discover sensitive user, transaction or app-related data.

Using tokens is the currently accepted global best practice to securely allow your mobile app to access APIs or other external resources. A precise tokenisation system is a critical cog in securing your mobile app.

Token-based authentication makes sure that the entity requesting the API call is authenticated fully and properly before any data is served.

Mobile App Security Tip 2: Use iOS & Android Keychain For Sensitive Data Storage

Both Apple & Google have recognised that insecure storage of sensitive data is a serious issue that keeps persisting. To make it easier for app developers to code secure apps, "Keychains" were created to give app developers a secure location to house sensitive data.

OS-based keychains are recognised as the most secure method currently available for sensitive mobile app data storage. Keychains are far safer than p-list files or NSUserDefaults.

The added benefit to using iOS and Android Keychains is that users can use universal login protocols already saved on their devices. This seamless authentication mechanism promotes a better user experience, which I'm guessing, is a major goal for you and your app development team.

Mobile App Security Tip 3: https Is No Longer A Nice-To-Have

All your apps communications must be over secure, encrypted transport protocols, like HTTPS. Encrypted connections require the use of strong SSL certificates.

Similar to websites and web apps that have SSL encryption, mobile apps and their backends that always use encrypted data transport mechanisms make it extremely difficult for hackers to interfere, compromise or steal any data.

A word of caution: while SSL certificates come in many price ranges, they are not all created equal. Be sure to check the underlying encryption standards to ensure that the SSL certificate you choose will ACTUALLY protect you and your users.

Be sure to check out free SSL certificate options as well - it might just be worth your investment of time!

Mobile App Security Tip 4: Use Fingerprint or FaceID Authentication...

...instead of usernames and passwords. Research shows that biometric authentication mechanisms may be up to 5 times more secure than username and password combinations. It makes sense then, that even banks allow us to use TouchID and Android's fingerprint authentication to login to our netbanking apps, right?

It costs you nothing extra to use this functionality that is already built into iOS and Android, but it will give your users an amazing amount of confidence in your mobile app and a more friction-less UX.

Mobile App Security Tip 5: Make Reverse Engineering Difficult For Hackers

Reverse engineering vulnerabilities are more relevant for Android apps than they are for iOS apps. Using reverse engineering on your mobile app, hackers can disable advertising, can even detach it from various verification services and may be able to reproduce special functionality that your developers could have spent many months building.

There are a few solutions to implement anti-reverse engineering attacks:

  1. Shrink, obfuscate and pre-verify code using a tool like ProGuard. 
  2. Move critical code to the server and serve it using APIs. 
  3. Write critical code in C/C++ instead of Java, because Java is easier to decompile. 
  4. Hide API keys. 
  5. Use SHA-2-compliant hashing algorithm. 
  6. Utilise database encryption. 
  7. Don't store information on external storage.

Mobile App Security Tip 6: Encrypt Data Stored On The Device

You might have picked up a common theme throughout our 6 tips: appropriate encryption can make it completely futile for a hacker to give your mobile app anything more than a passing glance. By encrypting the data stored on users' mobile devices by your mobile app, you will make it very difficult for hackers to access that data with any ease.

This is because the process of decrypting encrypted data is tedious and difficult, if not impossible at times. Successful decryption requires the hacker to find the right password and / or a secret key.

Unfortunately, I find that cybersecurity is an afterthought for most app developers. The real key to building a secure mobile app is to focus on security from the design phase, backed by a proper penetration testing program performed by a specialist penetration testing company, prior to release.

Download our Cheat Sheet For Building Unhackable Software to understand the security controls your apps must have before they're shipped into production. It could just save your product and your company from much embarrassment and even the loss of you and your team's livelihood.
SaaS Brief