The best mobile application security practices for developers and users.
With ever-advancing mobile technology, mobile application security has become a vital topic that every major enterprise must consider and understand.
Sensitive information stored on a device could be lost or stolen, which can lead to a data breach, compliance violations, and expensive and/or embarrassing public disclosures.
Large organizations acknowledge mobile device threats and vulnerabilities and perceive that they have correct security protection.
Corporations nowadays leverage mobile applications to distribute relevant, critical data to their workforce, partners, or customers.
The productivity regarding mobile devices comes at a price — security risk increases.
Mobile applications create yet another path into enterprise networks, allowing criminals, fraudsters, and hackers to propagate malicious code.
The following best mobile application security practices for developers are:
Encrypt the Data at All Levels
While device-level security is essential, it is generally a best practice not to rely solely on device-level security. For optimal protection, mobile enterprise data must be encrypted at all levels, including at the file system, application, database access, and device levels. In case you are lost, check NIST guidelines (Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms and Mobile Top 10 2016-M5-Insufficient Cryptography
Use Strong Encryption
All application data should be encrypted with secure encryption—whether data is at rest on the device, or in transit between the device and servers behind your firewall. All information should be secured from end-to-end. Testing for Weak Encryption (OTG-CRYPST-004)
Isolate Application Information
All application information accessed via mobile devices should be completely isolated from a user’s data. Isolating mobile app data requires creating a layer of protection around enterprise-deployed apps, which securely separates corporate data from an employee’s private information and consumer applications. Generally, separating enterprise applications and data is a solution that increases employee satisfaction and productivity while ensuring compliance. More importantly, the container-based method provides that security is uncompromised at every level of transmission, reducing the risk of corporate data loss. Mobile Application and Data Isolation
Enforce User-Level Application Security Policies
App developers should ensure that user-level application policies can be defined and enforced by IT security administrators. Enabling remote-wipe of application data after a failed number of incorrect passwords, disabling sequential numbers in passwords, and requiring special characters in passwords helps to ensure that access to corporate applications and data is protected. Device administration overview
Ensure Secure Network Access
Projects should minimize the need to open inbound ports and explore the network. The secure mobile application solution should only serve encrypted packets, authenticating applications, and granting access solely to those provisioned to specific servers and services — thus preventing rogue attacks. Mobile Top 10 2016-M3-Insecure Communication
Secure the Platform
There should be a strictly controlled security of the platform that involves detecting jailbroken phones and preventing access to other services when needed. IOS Application Security Part 24 – Jailbreak Detection and Evasion
Strong authentication mechanism. Strong application authentication would ensure that users are required to enter a secure password before they can launch the given application. Multistep authentication on secured XML-based Web services for user ID plus password and reliable ID/SMS is recommended. Another recommendation is to check the user’s location with GPS during authentication. Mobile Top 10 2016-M4-Insecure Authentication
Allow authorized users to access only the business functions they are permitted to access. After a user has authenticated, the application can check with the back-end services to determine if the user has the required access to the application data (i.e., whether the user is mobile-enabled or not). The client displays a secure navigation menu based on user permissions/access rights. Permissions/access rights are verified against the background of each request before initiating business functions. Mobile Top 10 2016-M6-Insecure Authorization
Sensitive data should only be stored in memory (and not on the hard drive) until needed. The application cannot store sensitive data on the file system. Confidential information should not be leaked through logs and error messages. The application cache manager must clear data when the application is running in the background. Mobile Top 10 2016-M2-Insecure Data Storage
Secure Data Cleanup
All secure objects in the system (data requests, account information, user-related data, etc.) must be securely wiped when a log-off is triggered. Also, secure objects and data structures should be cleaned when a log-off is triggered. In a case where application tampering is detected, the application should be forced to shut. Sensitive Data Protection Vulnerability
Local Data Transfer Prevention
The application should prevent any data from being locally transferred outside the app (e.g., copying it or sending it to an unauthorized external use). The data from the clipboard should be removed when the app operates in the background so it cannot be transferred outside the application. Disable long press for sensitive fields. Data Security
All network traffic is encrypted. It would be best to use the HTTPS protocol to connect to backend applications. An additional white list of IP addresses and domain names should be maintained on the client-side to prevent apps from talking to other domains not specified on the white list. Transport Layer Protection Cheat Sheet
OS Security Check
Detect if the application is running on a jailbroken/rooted/malware-infected device. Security check provides a score on OS security updates and malware detection. Based on this score, the application can decide to close the app, or the score can be passed to the back-end systems over a secured channel for further investigations/actions.
Preprocessing/String Obfuscating/Symbol Stripping
Eliminate any plain-text resources from the application’s bundle. This prevents malicious attackers from gathering insights on the application internals. The symbol table must be stripped, leaving only the unresolved symbols and forcing the attacker to traverse the data in the runtime code, decode the binary code, or use more sophisticated debugging tactics to map the application symbol to class names, methods, and function names. OWASP Testing Guide v3
Root Certificate Check
The main goal is to secure communications between the client and the backend server. There should be created a certificate check on the client-side to ensure that your organization approves it. Testing for SSL-TLS (OWASP-CM-001)
The mobile app must prevent the debugger from attaching to it (e.g., to read sensitive data from memory in use by another running application). Anti-debugging techniques
The application must verify that no manipulation has occurred. For example, to determine if the app is being debugged, debug flags can be checked. Mobile Top 10 2016-M8-Code Tampering
Older versions of applications must be able to block specific older versions of the application on the back-end server in the event of a security breach.
Security events that happen inside the mobile app should be logged and sent back to the server. Security tips
The mobile application should prevent redirection of its traffic to a malicious server by checking that host-name lookup with DNS resolves to a white-listed IP. DNS Hijacking: How to Identify and Protect Against It
Critical data must be hidden – like property files. Tools can encrypt asset files transparently, so hackers won’t be able to flee with them. Mobile Top 10 2016-M5-Insufficient Cryptography
Mobile application security practices on user level:
Enable automatic updates on your devices, so they are always running the latest version of the operating system and apps. Hackers are always looking for weaknesses in software, and developers are constantly releasing new updates and patches to fix them. Continuously running the latest operating system and mobile applications can make it much harder to penetrate devices.
Always download apps you need and only from trusted sources. For iPads or iPhones, download apps from Apple’s AppStore, for Android, download apps from Google Play; for Amazon tablets, stick with the Amazon App Store. While you may be able to download apps from other sites, these are not vetted and are far more likely to be infected from malicious code. Also, before downloading an app, check to make sure it has lots of positive reviews and is actively updated by the developer. Try to avoid brand new apps, apps with few online reviews. Rarely updated applications can be a serious threat. Less is more: If you don’t use an app, delete it from your phone, which can also eliminate a few risks.
Before installing a new mobile app, make sure you review the privacy options. Besides, periodically check the permissions to ensure they have not changed.
Always backup your data. For mobile devices, you often back up large amounts of information, such as photos or messages automatically. However, backups also store configurations, applications, and other device information, making it much easier to recover from a lost device or migration.
Built-in Safeguards to Prevent Unauthorized Access
The mobile application has a username, password, and six-digit PIN (generated via Google Authenticator, Yubico, etc.), which is needed before accessing the data in the app. Also, it may be necessary to remotely lock out an extraneous person so that he/she cannot (or no longer) access the data stored in the app or prevent download/upload data from/to the server.
The methods described above can serve as a kind of checklist for mobile application security, and we hope they have helped you, whether you are a user, an app developer, or a security specialist. The App-Ray automated mobile security analysis tool we have developed is capable of filtering out the threats and vulnerabilities mentioned above, all automatically and with minimal manual intervention.