Closing the Security Gap in Mobile App Development
You know there’s an issue when the very industry that promotes security standards is having security vulnerability issues of its own. Internet of Things (IoT) systems are being easily compromised by hackers. A recent study by HP found that one of every 10 popular Internet-connected security systems – as in systems implemented to increase your security and peace of mind and reduce your risk, like cameras and locks – had significant security vulnerabilities that allow hackers to access them and ultimately control them. There is a growing number of major Fortune 500 companies developing mobile apps that have security issues as well. These are companies we really want to trust, like banks, health care and online retail organizations handling our billing and personal health information. The hackers themselves have reached a new level of attention in the eyes of the public. 60 Minutes featured a story on hackers selling the malware that was used to hack into Sony, now widely available to anyone who has the ability to pay for it.
It is concerning to discover that cyber security experts say over 40 percent of companies developing mobile apps do not scan their apps for vulnerabilities before releasing them to the public. Some test only a portion of their apps or never test them at all. Corporate budgets often don’t include funds for testing. We are seeing only the beginnings of regulations being put in place to deal with this reality.
Serious data breaches can cost companies millions of dollars. That risk drives firms to invest in securing their IT networks and the computers and servers linked to them, but strangely not the mobile apps that are brought into the workplace on workers’ mobile devices. With mobile devices and the amount of data growing at a rapid pace, the opportunities for hackers are growing as well. Companies will be forced to take action and protect themselves from mobile data breaches caused by unverified apps downloaded by personnel onto work devices connected to company networks. What does the company stand to lose? Brand reputation for products and services, sensitive documents, proprietary information, customers, and amounts in the millions of dollars.
The day is coming soon when it will be assumed that the mobile app developer has done everything within his or her power to build security into the core of the app design.
The vast mobile network is complex, and because it is interconnected it will always be a target for hackers. There are many security strategies to think through. Protecting consumer and organizational information is primary, along with key security areas that should be addressed in the app development process:
Use Stable Cryptography
Use encryption that hasn’t been broken. This area is a moving target, always changing, but the rule is to use state-of-the-art encryption APIs that are accepted by the security industry. Use strong encryption algorithms with unique keys in vulnerable areas. If you’re not certain, you may want to pursue manual testing.
Secure data storage
Critical information such as passwords and credit card numbers should be stored safely in an encrypted data section and not directly on a device. Disallow back-up, and note that these encrypted areas are different for iOS and Android. This approach helps to avoid a scenario in which an unauthorized person extracts passwords from a mobile phone, reuses the same credentials across multiple systems to gain access, and turns a single breach into a multilayered one.
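As an added illustration (not code from the article), here is the Android side of that advice: a hypothetical SecureStore helper that writes a secret only into an encrypted preferences file whose master key lives in the Android Keystore, with the matching manifest setting that disables backups noted in the comment. It assumes the androidx.security.crypto library (EncryptedSharedPreferences / MasterKey) is on the classpath; the file name is a constructed value.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

/**
 * Hypothetical helper (not from the article): keeps a credential out of
 * plain files on the device by writing it only into an encrypted
 * preferences file whose key is generated and held in the Android Keystore.
 *
 * Pair it with the manifest setting that disables device backups, so the
 * OS never copies the file off the device:
 *   <application android:allowBackup="false" ...>
 * On iOS the equivalent store is the Keychain, using the accessibility
 * class kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which likewise keeps
 * the item out of backups. The two platforms' stores are not interchangeable.
 */
public final class SecureStore {
    private static final String FILE = "secure_prefs"; // constructed file name

    private final SharedPreferences prefs;

    public SecureStore(Context ctx) throws GeneralSecurityException, IOException {
        // Master key: AES-256-GCM, created inside the Android Keystore so the
        // raw key bytes are never exposed to app code.
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        // Both keys and values in the file are encrypted under that master key.
        prefs = EncryptedSharedPreferences.create(
                ctx, FILE, masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    /** Store a secret such as a session token; never log it or persist it elsewhere. */
    public void putSecret(String name, String value) {
        prefs.edit().putString(name, value).apply();
    }

    /** Returns the secret, or null if it was never stored. */
    public String getSecret(String name) {
        return prefs.getString(name, null);
    }

    /** Wipe a secret (for example on sign-out) so it does not outlive the session. */
    public void clearSecret(String name) {
        prefs.edit().remove(name).apply();
    }
}
```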
Vulnerability on the server-side of the mobile app
On the server side, treat any connection from a backend API service that takes you outside of your network as untrustworthy, whether it originates from a website, a user, or any vulnerable app on the mobile device. The servers the app is accessing must be secure enough to prevent attackers or unauthorized users from accessing data.
Prevent security decisions via untrusted apps
This risk has to do with other mobile apps communicating with yours and introducing a security breach. Wherever your app exposes an entry point that accepts data, use sufficient encryption and whitelist acceptable applications so that unauthorized apps cannot run against it or let attackers bypass your security.
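One way to whitelist calling apps on Android, as an added example that is not part of the article: a hypothetical TrustedCallerCheck used from inside an exported Service's Binder or AIDL method. It matches the caller's package name and the SHA-256 of its signing certificate against an allow-list, because a package name alone can be claimed by any app. The partner package name and certificate digest are constructed placeholders; the signing-certificate API used requires Android API level 28 or later.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

/**
 * Hypothetical helper (not from the article): decides whether the app that is
 * currently calling into an exported component is on the allow-list. The
 * signing certificate, not the package name, is what identifies the publisher.
 */
public final class TrustedCallerCheck {
    // Constructed allow-list: package name -> hex SHA-256 of its signing certificate.
    // Replace the placeholder digest with the real value for each partner app.
    private static final Map<String, String> ALLOWED = Collections.singletonMap(
            "com.example.partner", "<sha256-of-partner-signing-cert-placeholder>");

    private final PackageManager pm;

    public TrustedCallerCheck(Context ctx) { this.pm = ctx.getPackageManager(); }

    /** Call from inside a Binder/AIDL method, where the caller's UID is available. */
    public boolean isCallerTrusted() {
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null) return false;
        for (String pkg : pkgs) {
            String expected = ALLOWED.get(pkg);
            if (expected != null && expected.equalsIgnoreCase(signerSha256(pkg))) {
                return true; // name and certificate both match the allow-list
            }
        }
        return false; // default deny: unknown callers get nothing
    }

    /** Hex SHA-256 of the package's current signing certificate, or null on any failure. */
    private String signerSha256(String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length != 1) return null; // reject ambiguous multi-signer APKs
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (Exception e) {
            return null; // package not found or lookup failed: treat as untrusted
        }
    }
}
```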
Accidental data leaks
The ability of an app to collect large amounts of data, and the specifics of how that data moves or changes, can expose the app developer and client to privacy violations or compliance failures under HIPAA / FERPA / FISMA / PCI requirements. Use caution when selecting operating systems or providers who analyze data. The advertising industry sometimes gets caught violating consumer privacy laws in the way it manages data.
These are just some of the areas of caution to consider for the security of business or consumer data as they relate to higher-risk apps that collect locations or personal information or use remote servers. Simple, low-risk apps that function independently of servers and track things like lists or act as alarm clocks require much less attention to security.
If this article convinces you low risk is the way to go and high risk app development is best left to the professionals, then that’s a good thing.
Following are links to professional mobile app security resources:
McAfee, Infosec Institute, Rietta.com, Android Security Features, iOS Security Features
There is help out there in the ever changing world of app security, so you can get back to coding and the stuff you enjoy doing.
Tags: encryption, iot, mobile apps, security