Lock It Up: Top 5 Mobile Security Issues Your App Must Avoid

Business.com / Technology / Last Modified: February 22, 2017

Discover the most dangerous vulnerabilities to identify and eliminate from your mobile app before releasing it.

Mobile security risks have currently exceeded computer security risks. A fact recognized by large IT security companies such as Arxan, IBM, or NowSecure.

Undoubtedly, smartphones have stopped being simple devices which people use from time to time. Instead, they have become a part of their identity.

Any smartphone usually holds the owner’s list of personal and business contacts, email and social media accounts and, in increasing numbers, even access to their money through mobile banking and mobile payment systems.

What Are the Implications of Living in a Mobile World?

For the general public, using smartphones to navigate through the streets using the GPS function, to read and answer their emails, and to browse online stores and make purchases has become a second nature. And whenever they want to get in contact with a business entity, they search and install their app on their phone.

How does every newly installed app impact the overall security of a smartphone? This is the key question for IT and mobile security experts. The data is not encouraging, indicating, above all, a great disparity between how secure people believe mobile apps to be and how secure they really are.

Related Article: Pocket Payments: How To Find The Right Mobile Payment System For Your Business

How Secure Are Mobile Apps and Smartphones?

Arxan’s 5th Annual State of Application Security Report issued in January 2016 presents these findings:

  • 84 percent of smartphone users believe that their mobile apps are secure; and
  • 63 percent of them believe that app owners do everything to make their apps safe.

 On the other hand, there is a worrisome survey conducted by Ponemon Institute on behalf of IBM showing that:

  • Less than 50 percent of companies test their mobile apps for security issues before releasing them; and
  • 33 percent of companies do not test their mobile apps at all.
     

Besides these findings, there are also the findings included in NowSecure’s Mobile Security Report which show that 43 percent of smartphone users do not lock their devices using a PIN number, a password or a screen pattern, while 35 percent of mobile phone communications (voice and data) are unencrypted.

These statistics lead to only one conclusion: if a mobile app contains a vulnerability or a malicious code, it can take control over a device, leak sensitive data, and put a third party in possession of personal and business data which can enable identity theft to an unprecedented scale.

In this context, ensuring that your organization’s mobile app is secure before it is published in the App Store or on Google Play is of paramount importance. In order to facilitate your app security audit, these are the top 5 vulnerabilities you should check for:

1. Reverse Engineering

This concept was “imported” straight from its industrial counterpart. Reverse engineering signifies taking apart an app code, finding its core components and making slight, but critical changes. Through reverse engineering, an unauthorized third party can use your app to gain access and control to any device it is installed on.

Thus, the hacker can even interact with the device owner, impersonate your company and gain both financial benefits and access to sensitive data.

How to Prevent It

Allow contractors or employees to work on your code only in authorized and secure premises, using company computers which have efficient security software installed on it. Do not allow remote work on personal computers or outsourcing to overseas sub-contractors.

Also, remember to scan the code on a regular basis during the development phase and after the app is published.

Related Article: Is Fingerprinting the Next Mobile Security Option?

2. Extraneous Vulnerability

This occurs when your mobile app has a backdoor implemented in it from the moment it is being developed, authorizing the access of a third party to the app, and to the back-end containing user data. This vulnerability may even be accidental, for example if the app developer includes the login data in a comment to the code for convenience reasons and forgets to delete them when the code is completed.

How to Prevent It

Implement best practices related to confidentiality and cyber security, make sure that every person working on the code for your organization’s mobile app applies them, and scan the code to identify inadvertent login or other confidential data left in comments.

3. Insecure Data Storage

Data leaks are a major cause of concern for every device and, in the case of mobile apps, data can be leaked from various sources, starting with the device on which the app is installed and ending with the SQL database and cloud storage where you keep customer data. The consequences of insecure data storage are almost incalculable, from material loss and reputation loss to identity theft and fraud.

How to Prevent It

There are three major ways in which you can improve the safety of your app code:

  • By observing how the OS caches data, logging sessions, images, key-presses, and buffers;
  • By observing how development framework caches data, images, logging sessions, key-presses, and buffers;
  • By observing the modality or quantity of data ad, analytic, social, or enablement frameworks cache data, images, logging session, key-presses, and buffers.


4. Insufficient Encryption

This can be exploited during the communication sessions when data is exchanged between a device and the server where the backend of the app is stored. Most frequently, it is caused by weak ciphers, predictable randomness in generating session encryption keys or using the wrong type of encryption.

How to Prevent It

Always conduct extensive encryption testing on your code, simulating all potential attempts to attack and exploit the app.

Related Article: Show Me the (Mobile) Money: How Mobile Payments Will Change Your Business

5. Insecure Authorization

Mostly caused by incomplete logging out of accounts, this type of vulnerability will grant access to a customer’s account on your app to an unauthorized third party. Most of the time, this is caused by the fact that the login session is only terminated on the user’s device, but remains active for a longer period of time at the server level.

How to Prevent It

Always check for end-to-end logout sessions and fix any errors in the code that allows a server session to remain active once the client has stopped interacting with the app on their device.

Login to Business.com

Social Login
Login with Your Account
Forgot Password?
New to Business.com? Join for Free

Join Business.com

Sign Up with Your Social Account
Create an Account
Sign In

Use of this website constitutes acceptance of the Terms of Use, Community Guidelines, and Privacy Policy.

Reset Your Password

Enter your email address and we'll send you an email with a link to reset your password.

Cancel