Wednesday, February 8, 2023

12 mobile application security best practices for iOS & Android developers

Your users' mobile devices store a lot of personal and very sensitive information that your users would never want compromised, and this is why it is important on so many levels that your app doesn't provide a pathway for hackers to compromise your users' device.

The common misconception is that mobile app security is a only a concern for B2C companies. While B2C companies also have to be mindful of their mobile app security issues, B2B SaaS companies have the most to lose by having vulnerable or non-existent mobile security measures.

Why? Well, none of your customers want the headache of having to compensate their users because your mobile app security was less than perfect. Right?

Thankfully, by following global mobile app security best practices your development team can find and fix security flaws before they become a massive headache.

Table Of Contents

    Why is mobile app security important?

    On a personal, human-to-human level ensuring the security of mobile apps helps to protect users' privacy and security, and maintain the integrity of the information processed on mobile devices.

    Want my team to show you how to put a scaleable mobile app security structure in place?

    But as a mobile app developer you have to focus on mobile application security for several reasons:

    1. Legal obligations: App developers may have legal obligations to protect the personal data they collect and process through their app, failure to do so can result in penalties and lawsuits.

    2. Reputation damage: Insecure apps can suffer from data breaches and security incidents that damage the reputation of the developer and their brand.

    3. User trust: A secure app enhances user trust and increases the likelihood of users using and recommending the app.

    4. Financial losses: Security incidents can result in financial losses for both the developer and the app users.

    5. App store policies: Many app stores have security requirements for apps and may remove apps that are not secure or that pose a threat to users.

    By prioritizing mobile app security and following "secure by design" principles, your development can build a secure, trustworthy app that instils confidence in your users and helps them to trust you faster.


    By focusing on mobile application security, B2B companies like yours can increase their competitiveness, meet regulatory requirements, and build trust with customers, all of which have been proven to help increase sales and revenue.

    What are common mobile app vulnerabilities?

    By being aware of these common mobile app vulnerabilities and implementing appropriate security measures, your developers can help ensure the security of your mobile apps to protect the privacy and information of your users.

    This is not an exhaustive list of mobile app vulnerabilities but these are the vulnerabilities that we see most commonly in our mobile application security testing services:

    1. Insecure data storage: storing sensitive data, such as passwords, in plaintext or in easily accessible locations on the device can make it vulnerable to theft or misuse.

    2. Insufficient authentication and authorization: these issues can result in unauthorized access to sensitive data and functionality.

    3. Injection attacks: allowing untrusted data to be used in dynamic database or network queries can result in injection attacks, such as SQL injection.

    4. Unvalidated input: these can result in security vulnerabilities, such as buffer overflows, remote code execution or even complete access to your entire backend.

    5. Broken cryptography: using weak encryption algorithms or implementing encryption improperly can result in the exposure of sensitive information.

    6. Side-channel attacks: these can include timing attacks or power analysis, can result in the exposure of encryption keys or other sensitive information.

    Want my team to show you how to put a strong mobile app security structure in place?

    How to secure mobile apps

    Security is a key issue in business and this concern exists for mobile applications, particularly when they are part of a B2B SaaS solution.

    It's imperative that you, as a mobile app development leader, don't implement security measures, there could be a major problem for your brand and reputation if your mobile app, backend web app or APIs suffer a data breach.

    Of course, there are a number of different security-related activities you can undertake to enhance your mobile app security. But I think it's just as important to know what you shouldn't do:

    1. Do not rely on one-off, annual mobile app penetration testing services with no other activities along the way to ensure security.

    2. Don't rely on security testing best practices designed for web apps and assume your mobile apps will also be secured.

    3. Don't fall for "foolproof security" solutions, because they don't exist. Remember, mobile application security, like application security in general, is a matter of minimising the damage when you're breached, rather than necessarily aiming for zero breaches.

    4. Don't assume that your users are well educated and conscious of mobile application security issues when using your solution.

    5. Don't solely rely on external pen testing as a service partners to secure applications - take responsibility and shift left with mobile application security. Align it to your continuous improvement efforts across your software development processes.

    Now that we've got the "don'ts" out of the way, let's focus on what you actually can do to protect your mobile users.

    Want my team to review your current mobile app security controls?

    What are the security best practices to protect mobile applications?

    Remember, these security measures are just a minimum guide. Depending on your industry or the nature of data security standards imposed on you by legislation or your customer base, you may need to go over and above these security measures.

    Optimise Data Caching

    Here are some tips for optimizing data caching in mobile app development to protect data and prevent data leaks:

    1. Choose the right caching strategy: this should be decided based on the data being cached and the requirements of the app. For example, if the data is frequently changing, a cache-aside strategy may be appropriate, whereas if the data is static and rarely changing, a write-through strategy may be more suitable.

    2. Use appropriate cache storage: based on the amount and type of data being cached. Your options can include in-memory caches, file-based caches, and database-based caches.

    3. Store data in the cache wisely: Store only the most frequently accessed data in the cache and remove any data that is no longer needed. This can help ensure that the cache is always up-to-date and that the app uses limited device storage.

    4. Use cache eviction policies: to manage the size of the cache and determine what data to remove when space is limited. This can help ensure that the cache remains efficient and effective.

    5. Use appropriate cache expiration times: to ensure that stale data is not served to the user. A well-tuned expiration time can improve the user experience and reduce the amount of network traffic.

    6. Monitor and analyze cache performance: do this regularly to identify areas for improvement and optimize the cache over time. This can help ensure that the cache remains efficient and effective in meeting the needs of the application and its users.

    Implement end-to-end data encryption

    This is a no-brainer and one of the first items to be listed in any mobile app security checklist, yet also one of the most under-utilized security measures that we see in our mobile application penetration testing services.

    Mobile application security best practices

    There are plenty of open source frameworks for both Android and iOS that will allow your developers to build end-to-end encryption:

    1. Choose a suitable encryption algorithm: choose a suitable encryption algorithm, such as AES, that is widely used, secure, and supported on iOS.

    2. Generate encryption keys, such as symmetric keys, for encrypting and decrypting data. Store the keys securely on the device, for example, using the Keychain.

    3. Encrypt data before sending it over the network or storing it on the device. This can be done using the encryption keys generated in step 2.

    4. Decrypt data on the receiving end: on the receiving end, decrypt the data using the same encryption keys. This can be done before processing or storing the data.

    5. Protect encryption keys: this can be done by using secure storage mechanisms, such as the Keychain on iOS, and by implementing access controls, such as password protection at the very least, or more appropriately, biometric authentication.

    Apple makes it super simple for iOS app developers to implement end-to-end encryption using CloudKit. Android has many mechanisms to help you encrypt everything, the best place to start is this site.

    Would it help you to see why leading SaaS teams trust our mobile app pentesting services?

    Use strong authentication mechanisms

    Gone are the days that you can rely on a simple form-based username and password authentication mechanism and expect to keep your mobile users secure.

    Think about implementing some or all of these app security best practices in your authentication system:

    1. Choose an authentication method that fits the needs of your app, such as password-based authentication, biometric authentication, or two-factor authentication.

    2. Implement secure password management, such as hashing and salting passwords before storing them, and using a slow hashing algorithm, such as bcrypt.

    3. Use secure communication channels, such as SSL or TLS 1.2 and above, to transmit authentication data and protect it from interception or tampering.

    4. Implement robust session management, such as using secure session tokens and invalidating sessions after a set time period or upon logout.

    5. Implement multi-factor authentication to provide an extra layer of security. This can include a combination of passwords, biometric authentication, and one-time passwords or security tokens.

    6. Keep authentication information secure: store authentication information securely, such as using secure storage mechanisms, such as the Keychain on iOS, or encrypted databases.

    Manage user sessions conservatively

    The extent of your conservatism will differ based on the industry or types of users your app serves. For example, internet banking apps or similar apps that deal with confidential data should have short timeout periods - usually in minutes.

    Other apps that do not deal with sensitive data can have session legths of several hours.

    Needless to say, new session identifiers should be generated each time a user is logged out and reauthenticates to access the app's confidential data again.

    Be careful about storing data on the device

    Why? Because, you have to assume that your app's users are rather careless about the security controls they actually use on their mobile devices:

    Mobile app security for iOS & Android

    This not only protects your SaaS company, but also, your users during instances of device theft or compromise. Remember, "sensitive data" is a very subjective topic, so it pays to treat any data that you ask from your users as sensitive in nature.

    Many data storage security controls for mobile applications were covered in the caching section above, but here are some clarifications:

    1. Encrypt all data; including data in transit and data at rest. Make few, if any, exceptions to this rule.

    2. Eliminate data retrieval backdoors that your teams may "need" to help them test or debug your mobile applications.

    3. Use secure storage mechanisms, such as the iOS Keychain or Android KeyStore, to store sensitive data. These mechanisms provide additional security features, such as encryption and secure key generation.

    4. Minimize data storage: Minimize the amount of data stored on the device and remove data that is no longer needed.

    Want to see how you can scan your APIs for vulnerabilities with 0 clicks?

    Securely utilise in-built platform functions

    Both Android and iOS give you cutting edge and freely available security functionality. Before you build your own workaround or use an open source framework, it will pay dividends to conduct research into whether there is a platform function that will already enable what you need to achieve.

    Sanitise and escape all user inputs

    Sanitizing and escaping user inputs into your app is important because it helps to prevent critical vulnerabilities such as:

    1. Cross-site scripting (XSS).

    2. SQL injection.

    3. Buffer overflow.

    To securely escape user inputs into your app you can do these things:

    • Use built-in functions, such as this for Swift:

      addingPercentEncoding(withAllowedCharacters:) 
    • Android has two native functions for escaping inputs coming from a user's device:

      Html.escapeHtml()

      and

      TextUtils.htmlEncode 

      Which one you use will depend on your specific use case.

    • Use a third-party library: such as OWASP ESAPI for Swift, to help with input validation and sanitization. This library provides a comprehensive set of security controls, including input validation and escaping functions.

    • Manually escape inputs: this can be done by replacing special characters, such as "<" and ">" with their corresponding HTML escape sequences.

    Perform static application security testing to find & fix vulnerable code

    Static scanning is the process of using a code scanning tool to read your codebase line-by-line to find known vulnerable source code or frameworks.

    Just be aware that static vulnerability scanning alone will not be enough to help your developers find and fix vulnerabilities in your mobile apps. You will also need a DAST scanner.

    Execute dynamic analysis or API vulnerability scanning

    Whether you have an internal security team or not, you can run your internal vulnerability assessments. In fact, if you're not doing so already, your organisation in is in the minority:

    Mobile application security vulnerability assessment

    DAST or dynamic vulnerability scanning tools won't be useful for scanning your mobile apps. However, it will be very useful in scanning your web backend and your APIs.

    Ideally, you want a vulnerability scanning tool that allows your developers to find and fix their own security issues, even before you conduct a round of mobile application security testing.

    This combined structure of dynamic and static vulnerability scanning will maximise the probability of hidden and difficult-to-find high risk vulnerabilities being discovered during manual mobile application security testing services.

    Want to see how a developer-friendly vulnerability scanner can help your devs find & fix vulnerabilities fast?

    Lock down backend servers

    This is often misunderstood by developers of mobile apps. Just because your backend IPs or URLs are not shared doesn't mean they can't be very quickly discovered.

    Conducting dynamic vulnerability scanning in particular will help you achieve this security recommendation.

    Lock down your cloud platform infrastructure

    This is another app security recommendation that makes CTOs sit and go, "sorry, come again?!"

    Leaving even a single security flaw in your cloud platform account will help hackers use it to attack you and your customers.

    Whether you use terraform to manage your infrastructure or you manage it all manually, you ideally need to perform CIS benchmarking to lock down your cloud platform.

    This can be done via an automated tool like Cyber Chief's Raider cloud platform infrastructure scanning tool. Or it can also be done via cloud platform penetration testing services.

    At the very least you should start with these free AWS security best practices.

    Perform regular, manual mobile application security testing

    I've touched on this a number of times in these recommendations. But essentially, the best mobile application security testing services are performed on Android and iOS mobile devices that are particularly designed to test for critical vulnerabilities like:

    • Local file system vulnerabilities.

    • Compromised third party libraries.

    • Poor coding practices that allow attackers to inject malicious code.

    • Operating system-related vulnerabilities.

    • Code signing issues.

    • Remote wiping issues.

    • Reverse engineering issues.

    Depending on how often your mobile app is updated with new code, you might need to conduct external mobile app pen testing 2 to 4 times per year.

    What are your logical next steps to secure your mobile apps?

    Start with this mobile app security checklist to give your development team concrete steps they can take to level up your app's security.

    If you're stuck about which next steps might be relevant to you book a mobile app security discovery call to learn how your team can implement secure mobile apps development processes from our security experts.


     
    SaaS Brief