Four tips for developing high-quality, secure mobile apps – SC Media | Hot Mobile Press

Mobile app developers must have a thorough understanding of the mobile attack surface to protect organizations from threats. On this surface, developers and security professionals must contend with a variety of security and privacy challenges that arise across applications, network connections, storage locations, and hundreds of devices, each with its own firmware. To reduce risk, mobile app developers and DevSecOps need to understand important differences in security and privacy between mobile and web apps.

The mobile attack surface acts as a sum of various entry points where an unauthorized user can enter or extract data from a mobile device. In this environment, mobile app developers can inadvertently make a variety of mistakes, and attackers can exploit them to reverse engineer an app, take control of a remote device, and even steal valuable data. To reduce risk across the mobile attack surface, mobile app developers and security analysts must look to automated testing tools that evaluate app binaries using a mix of static, dynamic, and interactive testing methods.

The larger the attack surface, the more insecure a system becomes. Mobile applications often traverse many networks and interact with systems owned and operated by many parties to achieve their intended goals. Mobile app development requires considering the limitations and capabilities of devices and the unique network connections that enable true mobility.

Consider these four key points to develop quality mobile apps while keeping security in mind:

Adopt the mindset of an attacker.

When building a mobile app, developers approach it from a developer’s perspective; They take into account the installed mobile app, the operating system for the software, and whether the hardware runs on a phone or a tablet. Attackers think beyond the obvious and look for vulnerabilities in the app that prevent or limit detection. Threat actors can use one or more attack vectors to achieve their nefarious goals. Threat modeling can help security teams think like an attacker and uncover potential attack vectors and effects.

Common attack vectors include phishing, man-in-the-middle attacks, and weak/compromised credentials. However, there are other risk areas that mobile developers cannot control. A stolen device can expose the victim’s data through both simple and sophisticated data recovery techniques. Alternatively, a device may be outdated, jailbroken, or otherwise compromised.

Focus on what the security team can control.

It’s more important for developers and security teams to focus on the necessary tasks that they can control from the mobile app. Developers and security personnel cannot control other applications installed on the device, which are potentially malicious, fake or market data apps designed to collect data from a user’s device. Developers and security personnel cannot control whether the device connects to unsecured Wi-Fi, malicious USB chargers, or infected peripherals.

Developers have control over the code functionality, the data they can write to the device from the app or data-at-rest, and the data that is communicated from the device by the app or data-in-motion. By banding together to focus solely on these, developers and security teams can reduce the attack surface.

Security and privacy gaps lurk deep within every application. Think of the code itself as the first line of defense best controlled by DevSecOps. Potential security and privacy vulnerabilities in code functionality include escalated privileges, configuration tampering, and insecure third-party libraries.

Secure data at rest and in motion.

Developers should ensure their apps protect user privacy, sensitive data, and confidential business materials. Then it is important to ensure secure data storage, otherwise apps can leak data and face fines if they do not comply with regulatory standards such as GDPR or HIPAA. These compliance incidents also damage brand reputation and customer trust.

Android and iOS mobile apps can store data on the device itself (data at rest). Data cached incorrectly or with weak encryption can reveal passwords, account information, or other sensitive data. Data in motion refers to data being transported between the app and the host over the internet. Unsecured network communications can lead to man-in-the-middle attacks and data interception.

DevSecOps can control data at rest and in motion. Teams are required to perform mobile application security testing prior to any release to ensure data integrity.

Follow best practices.

Dealing with the risks inherent in the mobile attack surface requires an open and curious mind. Mobile app developers and security teams should find out if the app requires specific permissions, e.g. B. accessing contacts, or questioning how the app stores data or sends information to a server.

Developers and security teams need to fully visualize an organization’s entire ecosystem, mapping all devices, paths, and networks. They need to think like their opponents and focus on tasks they can control, namely code functionality and data-at-rest and data-in-motion. Most importantly, DevSecOps should become students of security standards developed by the Open Web Application Security Project (OWASP), such as: B. OWASP Mobile Top 10 and OWASP Mobile Application Security Verification Standards (MASVS).

Android and iOS developers can learn secure coding practices through the NowSecure Academy. We offer NowSecure Academy as a free training and paid certification resource to educate developers, architects, QA and security teams.

Brian C. Reed, Chief Mobility Officer, NowSecure

Leave a Comment