Mobile devices allow us to do nearly everything online—from anywhere, at any time. We can do our banking, track our fitness, control Internet of Things devices in our homes, shop, and even work remotely. Driving this mobile productivity are a multitude of mobile apps—software that connect to APIs and servers around the world to deliver data, services, and, ultimately, value and convenience to users.
But this all has to happen under a cloak of well-engineered security or companies risk jeopardizing their apps, their own system, their customers’ information, and their reputations. Because where digital activity thrives, hackers aren’t far behind.
Apps and mobile devices are big targets for malicious activity. Arxan Technology’s 2016 State of App Security reported that 90% of apps surveyed had at least 2/10 of OWASP’s major security risks. Arxan also reported that around 50% of organizations haven’t allocated any spending toward mobile app security—a pretty big discrepancy when you consider the risks of not securing a mobile app.
Hackers with malicious intent can:
Inject malware into apps and onto devices where it can access data, store keystrokes, and steal screen lock passcodes
Tamper with or copy your app’s code and reverse-engineer a spoof app containing malware
Intercept sensitive information traveling over the airwaves
Steal customer data for identity theft or fraud purposes
Get hold of intellectual property and private business assets
Access your IP or compromise your company’s back-end network
Mobile apps and the APIs that power them have the potential to make systems and data vulnerable if they aren’t properly secured. Customers expect apps to be secure, and it can be easy to take that trust for granted. For apps that deal in large amounts of data or have strict compliance requirements, like finance or healthcare, this is especially true.
What can you do to secure your mobile app?
If you’re creating an app or have an app in market, chances are you’ve stopped to consider how to secure your app, your data, and your customer’s data.
A mobile app has a good bit of plumbing to make it work: there’s the software code itself, the business logic on the back end network and the client side, databases, APIs funneling data between the two, the device and its operating system, and the user. Each plays an important role in the fabric of the app’s security. For companies with mobile apps in a crowded, competitive market, having robust security could be a big differentiator. Here’s a look at a few tips for you to consider with mobile app security, and which experts can help you protect your mobile assets from every angle.
1.Secure your app’s code from the ground up.
Similar to any software project, mobile software security needs to be a priority from day one. However, native apps are different from web applications, where data and software exist securely on a server and the client-side (or, browser) is just an interface. With native apps however, that code resides on the device once it’s downloaded, making it more accessible to those with malicious intent.
Many vulnerabilities can exist in an app’s source code, but that’s not where businesses focus their security spending. Network and data security components are important parts of the overall security picture, but security has to start with the app itself. Vulnerabilities can be caused by developer error, failure to test the code, or your app may just be targeted specifically by a hacker.
Protect app code with encryption. You want the code to be secret, and hard to read. Obfuscation and minification are common measures, but they’re not enough. Stick with modern, well-supported algorithms coupled with API encryption.
Test code for vulnerabilities, or run source code scanning.
Hardened, secure app code should be portable between devices and operating systems, and be easy to patch and update. You don’t want users stuck without an update after a breach, so engineer code to be as agile as possible.
Keep in mind things like file size, runtime memory, performance, and data and battery usage when adding security to an app. You want it to be secure, but not at the cost of performance and user experience.
It’s easy to rely on an app store’s approval as proof that your app is secure, but that would be a mistake. Apps have to be tested and approved, but app store approval processes aren’t 100% infallible, and some unsafe native apps have been approved in the past.
2. Secure your network connections on the back end.
Servers and cloud servers that an app’s APIs are accessing (your own, or third-party) should have security measures in place to protect data and prevent unauthorized access. APIs and those accessing them should be verified to prevent eavesdropping on sensitive information passing from the client back to the app’s server and database.
Containerization is a method of creating encrypted containers for securely storing your data and documents.
Consult a network security specialist to conduct penetration testing and vulnerability assessments of your network to ensure the right data is protected in the right ways.
Database encryption and encrypted connections with a VPN (virtual private network), SSL (secure sockets layer), or TLS (transport layer security) add extra security.
Federation is a next-level security measure that spreads resources out across servers so they’re not all in one place, and separates key resources from users, often with encryption measures.
3. Put identification, authentication, and authorization measures in place.
As with APIs, authentication and authorization technology help users prove to an app who they are, adding another layer of security to the login process.
If your app relies on someone else’s API for functionality, use caution. You’re relying on their code to be secure. Make sure the APIs your app uses only provide access to the parts of your app that are absolutely necessary to minimize vulnerability.
OAuth2 has become the gold-standard protocol for managing secure connections via user-specific, one-time tokens. Installing this framework on your authorization server and customizing it to your needs will allow you to grant user permissions between the client and end users by collecting credentials, like 2-factor SMS questions.
JSON web tokens for encrypted data exchange are lightweight and ideal for mobile security.
OpenID Connect is a federation protocol specifically designed for mobile. It allows users to reuse their same credentials across multiple domains with an ID token, so they don’t have to register and sign in at each point.
4. Be mindful of how customer data is secured and implement a good mobile encryption policy.
As mentioned above, more of a mobile app’s code and data has to be stored on a device than with a traditional web app because you’re accounting for the varying performance, bandwidth, and quality of devices. The more data that’s stored locally on a device (whether that’s permanently, or just temporarily), the more vulnerable it is.
“Leaky” apps can release customer data without users knowing it—mobile data points that are entered or collected in the background like age, location, device usage habits.
File-level encryption protects data on a file-by-file basis, and is a way to encrypt at-rest data so it cannot be read if intercepted.
Encrypt mobile databases. For example, the Appcelerator platform offers an encrypted SQLite module so data stored locally is safe.
Design apps so that very sensitive customer data like passwords, credit card information, etc. aren’t stored directly on a device. If they are stored there, make sure it’s secure, encrypted storage. For example, iOS has an encrypted data storage in its keychain. Note what data and analytics are being collected, how, and when, and where that data moves.
Make key management a priority—even a strong algorithm can be negated if keys and certificates are vulnerable to hackers. If a key is shipped within an app’s byte code, for example, that makes any encryption moot.
5. Have a solid API security strategy in place.
Because mobile development hinges so squarely on APIs, a large portion of securing mobile apps is securing their APIs. APIs flow data between applications, the cloud, and a multitude of different users, all of whom need to be verified and authorized to access that data. APIs are the main conduits for content, functionality, and data, so ensuring proper API security is an important part of the chain.
There are three main security measures that comprise a well-built API security stack: identification, authentication, and authorization.
Read more in this article, Tips for Building a Safe and Secure API.
6. Test your app software—then test again.
Testing app code is usually crucial in an app’s development process. Apps are being produced so rapidly, what should be an important step in the process often falls to the wayside to speed up time to market.
When testing for functionality and usability, experts advise to also test for security, whether your app is a native, hybrid, or web app. You’ll be able to detect vulnerabilities in the code so you can correct them before publishing your app out.
Penetration testing entails deliberately probing a network or system for weaknesses.
Test thoroughly for authentication and authorization, data security issues, and session management.
Emulators for devices, operating systems, and browsers let you test how an app will perform in a simulated environment.
7. Users: Protect your devices.
App makers can’t do a lot to ensure users have secure devices when they’re downloading apps, but here are a few pointers for users who want to avoid security issues, or identity theft or fraud if a device is lost or stolen.
Don’t use a jailbroken or rooted device. This removes the built-in security measures the device comes with and you’re left more vulnerable as a result.
Only download apps from trusted sources, like authorized app stores.
8. If you’re an enterprise organization with a BYOD (bring your own device) policy, use extra caution.
For companies that allow employees to use their own devices, this can also open up the network to hacking vulnerabilities and make it harder for the IT department to regulate access to data on their backend systems. Mobile device management (MDM) products are often a worthy investment, like Airwatch and MobileIron. These can give employees the convenience of working on the go, but also give companies peace of mind when it comes to security.
Implement a VPN to create a secure connection that’s less likely to be vulnerable to hackers listening in over an unsecure network.
Block unauthorized devices, and secure cleared devices with firewall, antivirus, and anti-spam software
Make devices “risk-aware” so that apps attempting to make certain transactions are blocked from doing so. Apps can be coded to detect and block certain transactions from rooted devices.
Or, enable “remote wipe” capabilities to remove sensitive data from a device that’s been lost or stolen, or belongs to someone no longer with the company.
Mobile is increasingly where users are, and increasingly where hackers are lurking to try and steal sensitive information and compromise app security. With a solid mobile security strategy and a top-notch mobile developer on hand to help you respond quickly to threats and bugs, your app will be a safer, more secure place for users—and ensure their loyalty (and your assets) for the future.