Smartphones have replaced memo pads, cheque books, account ledgers, ID proofs, cameras, mini storage devices and almost anything else that holds critical data. Critical data needs stringent security, and all of ours has shifted to our handheld devices. So we have to ask: how safe are these mobile apps, and how well safeguarded is the data stored in them?
Why should you be worried about Mobile App Security?
Have you ever used utility apps like phone scanners? Are you a business owner running a business process on an enterprise app? Be it an individual or a firm, your trade secrets, quotations, employee data and other sensitive information are all out there. You could be a start-up or an SMB with a retail app that stores users' credit card and bank account details. You could be an app owner whose app works on the freemium model, trading money for features, or you could be an individual giving access to your media files and portfolio just to use the dog face filter in Snapchat. When you trade your data for an app service, and vice versa, do you wonder where and how this data is being guarded?
Mobile app security is an essential but, it seems, the most underrated feature of a mobile application. Neither app owners nor app users consider the threats that arise from leaving a loophole in this particular area.
How and why do mobile apps access your data?
When you download an app on your smart device, a devil of a box appears warning that the app will seek data such as media files, your registered e-mail ID and any native device features relevant to the app. As users we click 'allow' and accept a free installation. In return, we let the multiple third parties integrated into the application access our data and device functions.
All is well, but you need to know who is working to secure all this critical data that you have registered with on a random application. Hint: It’s the mobile app development firms like us.
This Data will Appall You!
53 percent of mobile commerce frauds are monetary transaction frauds, says a report on Nasdaq.com. These are carried out using stored credit card details. The remaining 47% could be identity thefts, banking frauds and data phishing.
Mobile store/app merchants lost 70% more revenue to fraud in 2014 than in 2013, which means that the hack attacks are getting more sophisticated and rampant.
Identity theft, hacked Facebook accounts, doctored tapes and photographs, financial losses: the cost of lost data is greater than the cost of a lost device. So what are the mistakes certain app development firms and app owners are making, and how can they be fixed? We'll tell you, because we work relentlessly towards securing all the mobile apps that we build.
Security breach #1: High-risk interactions and transactions left unsecured.
Mobile apps are built to interact with backend services such as banking transactions. In enterprise apps like CRM apps for specific companies, the backend data is stored using third-party integrations. Similarly, third-party integrations are involved whenever an app pulls data from a cloud.
Integrations are like joints in a chain; the chain is only as strong as its weakest link.
So all these integrations with the backend require security: encrypting data in transit using a protocol such as SSL, which is currently the most widely used protocol for online encryption.
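An added example (not from the original post or AppStudioz's own code) showing what "securing the integration" means in practice: the lax TLS client configuration that leaves a backend call open to interception, beside the hardened one, plus a check a reviewer can run on every context an app builds. It uses only Python's standard `ssl` module; the function names are assumptions.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The 'just make it connect' setup that leaves an integration unsecured:
    any certificate is accepted, so a network attacker between the app and
    the API can read and alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE       # no certificate validation at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # legacy versions allowed
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context for an app-to-backend integration: the server certificate
    must chain to a trusted CA, the hostname must match, and only TLS 1.2 or
    newer is negotiated. ca_bundle is an optional path to the backend's CA file."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Static check for a code review or a unit test: returns the list of
    baseline violations, so an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```

Wrapping `audit_client_context` in a unit test catches a developer who silences a certificate error by switching verification off, which is the most common way an encrypted integration quietly becomes an unencrypted one.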
Another critical integration is the integration of payment gateways into your applications.
For such gateways and express checkouts that store your debit/credit cards to allow one-click payments, there are certain security standards which are followed. PCI DSS (Payment Card Industry Data Security Standard) guidelines should be adhered to.
| Control objectives | PCI DSS requirements |
|---|---|
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security |
Table source: Wikipedia
These are standards one has to be aware of while handing contracts to app builders, and these are the questions you need to ask to safeguard your users from any losses they might incur because of a poorly developed app.
Security breach #2: Critical data management after an attack.
In CRM applications, social media APIs and geo-location apps, the data that remains stored is personal and is meant to be kept private. Data leaks can ruin people, so applications storing personal data need protocols and adherence to them.
When can this data be compromised?
There are two situations in which this data will be compromised.
1. Device Theft
2. Hacker attack.
What are the solutions?
The solutions to this problem can either be device specific or app specific.
If it's the former and you lose your device, most devices come with remote selective wipe-off, which means that you can erase sensitive data from your device. Most phones come with security logins that allow for user
In case your device is stolen or misplaced, you can even use selective wipe for apps. Apps like Google+ and Gmail (basically all Google applications connected to a Google account) on an Android device allow users to delete sensitive information, block specific device access or simply wipe the application and user account from the stolen device. This applies to all popular social media apps like Facebook, LinkedIn, Google+, etc.
Similarly, enterprise apps like CRM applications or internal employee management systems should also have self-destruct code that eliminates critical data in case someone loses their phone or is under a hacker attack. To ensure that employees who leave the firm no longer have access to the information, selective or partial wipe-off options should be added to these applications as well.
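An added example (not from the original post or AppStudioz's own code) of the selective wipe-off described above for an enterprise app: local data is tagged by scope, and a server-issued wipe command clears only the named scopes after the app checks that the command is authentic, addressed to this device and not a replay. The HMAC key, device ID and scope names are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import List, Tuple


class AppDataStore:
    """Local app storage where every record lives under a wipe scope."""

    def __init__(self, device_id: str, wipe_key: bytes):
        self.device_id = device_id
        self._wipe_key = wipe_key   # per-device key provisioned at enrollment (assumed)
        self._last_seq = 0          # highest command sequence number seen so far
        self.data = {"credentials": {}, "cached_records": {}, "preferences": {}}

    def put(self, scope: str, key: str, value: str) -> None:
        self.data[scope][key] = value

    def apply_wipe_command(self, command: bytes, tag: str) -> List[str]:
        """Verify a wipe command and clear only the scopes it names.
        Returns the scopes wiped; raises ValueError if the command is rejected."""
        expected = hmac.new(self._wipe_key, command, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("wipe command rejected: bad authentication tag")
        cmd = json.loads(command)
        if cmd["device_id"] != self.device_id:
            raise ValueError("wipe command rejected: issued for another device")
        if cmd["seq"] <= self._last_seq:      # replayed or out-of-date command
            raise ValueError("wipe command rejected: replayed or stale")
        self._last_seq = cmd["seq"]
        wiped = []
        for scope in cmd["scopes"]:
            if scope in self.data:
                self.data[scope].clear()      # partial wipe: other scopes survive
                wiped.append(scope)
        return wiped


def sign_wipe_command(wipe_key: bytes, device_id: str, seq: int,
                      scopes: List[str]) -> Tuple[bytes, str]:
    """Server side: build a wipe command and authenticate it with the device key."""
    body = json.dumps({"device_id": device_id, "seq": seq, "scopes": scopes},
                      sort_keys=True).encode()
    return body, hmac.new(wipe_key, body, hashlib.sha256).hexdigest()
```

A full wipe for a lost device is the same command naming every scope, while offboarding an employee typically names only the credentials and cached business records.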
Security breach #3: Fake app versions that misguide users.
The better mobile app security becomes, the worse the threats become. Faking an app is another malicious practice amongst hackers and cyber criminals. The modus operandi is to obtain a public copy of the application code, replicate the app, have unsuspecting users download the fake version and then extract confidential data for nefarious activities.
Is there a method to secure apps against fake versions? Yes.
In their own interest, users should always download apps from the App Store or Play Store.
Any other source should be avoided. Devices generally notify users that they are about to download apps from untrusted sources.
The rest depends on using safe standards of development that include secure code and encrypted data, especially while using third-party or cross-app integrations. The third-party applications should be verified as well. Bugs and malfunctioning code should be fixed and high quality standards maintained. Re-usable code should be safeguarded.
All integrations should exchange encrypted data. Regression tests should be run on integration code well before system testing is performed, and each integration can be treated as a code unit for unit testing.
Security in mobile application development should be uncompromised; the solutions we have suggested above are ones we have implemented to build our own applications.
Our strict adherence to OWASP standards is a key factor in the development of absolutely secure apps. We also implement binary security in native applications for iOS.
Follow the blog to learn more about our security practices for native apps catering to specific OSes. Leave your suggestions and concerns regarding your app's security and our in-house experts will get back to you with answers.
The post Mobile App Security: Threats and Solutions appeared first on AppStudioz Blog.