In 2015, the mobile app is king. The applications we download on our mobile devices entertain us, keep us in touch with our loved ones, show us who’s single nearby, share anything we want about our lives with the world – and so much more. And thousands of new applications are added to the marketplace. Every single day.
There’s a 1991 ad from Radio Shack depicting “great prices” for all the things we now use our cell phones for. ‘High-tech’ devices like a VHS camcorder, a discman and a tape recorder are proudly displayed – all technologies made pretty much obsolete by a variety of handy applications on our much more compact and relatively cheap mobiles.
It’s an exciting time to be a part of the app economy – But there’s a major point of concern that many app developers are choosing to ignore: mobile app security.
Organizations developing apps, whether just for in-house use or for a wider consumer base, have a lot of catching up to do to bring the level of security integrated within apps up to the high-caliber features available on the market today.
Today, this is the sad state of mobile application security. We have 33% of organizations who never test the mobile applications they develop and 40% of enterprises – including Fortune 500 companies – who were found to not protect the customers they’re developing for. We have around 11.6 million devices vulnerable to attack, according to the latest Ponemon study on the State of Mobile Application Insecurity. And with only 50% of the same organizations given any budget at all towards mobile appsec, it’s no surprise that it gets little attention.
What’s the Big Deal?
Reports have stated that up to 95% of mobile applications are vulnerable, with a median number of 6.5 vulnerabilities per app. At the same time, mobile applications are constantly added to the market, and with an average of 36 apps downloaded per smartphone user, it should come as no surprise that a few apps out there are bad apples.
And whether you’re working on Android or iOS, your workload isn’t lessened when it comes to security testing for either one of them. Sure, we’ve just had (are in the midst of, more realistically speaking) the Stagefright vulnerability scare – but we also had an SMS scare on iOS just this past May.
The platform you’re developing for doesn’t lessen the workload in terms of security testing and developing applications securely from the get-go. While there may be more ‘dirt’ on Android than iOS, due to Google’s lack of oversight in its app store, lax app permission policies, or even the insecure yet standard browser used by many Android devices, that doesn’t get you out of security testing when developing an iOS app. Because in the end, even Steve Jobs’ baby isn’t a fortress – hackers have been relentlessly trying to get in through apps since iOS and the iPhone were launched.
As users use their mobiles in more and more different ways, we as the developers and defenders behind the application need to pay special attention to making sure the correct security steps are being taken.
As you can see, people are using their smartphones in ways that could easily leave their information vulnerable if the apps aren’t correctly secured. Whether they’re your customers or employees, the breaches that can happen by releasing insecure apps can be detrimental to your reputation, your bottom line, and your future as an organization.
Why is Mobile AppSec largely ignored?
There are several factors at blame for the lack of attention given to mobile appsec. While many of the reasons don’t stem from similar factors around software and web application security, the main reason is very similar: The organizational focus is put on providing better features, faster, over making sure the features don’t cause security concerns.
The Ponemon study also found that many organizations wait too long to perform security testing or use it too infrequently to make a difference. But, Larry Ponemon says, “retrofitting an app for security is similar to putting brakes on a car when it’s already cruising down the road; it just doesn’t work.”
Factors for why apps are not being developed securely:
- Too much focus placed on developing apps for convenience and speed and not enough on keeping users secure
- Developers unaware of the security implications of the platform they’re developing on
- Users don’t understand security, or equate it with the number of features
- Lack of consistent security testing throughout the SDLC
- Lack of QA and testing
- Accidental coding errors (presumably due to lack of knowledge of how those errors would affect the app)
Before we get into best practices for mobile AppSec, we need to reiterate why it is important, and what’s at stake if security isn’t taken into careful consideration during application development.
Security considerations are especially important for mobile applications due to their wide array of uses and implications within the organization and outside of it. Data that was once by default kept within the organization can now be taken outside of the office, with lots of implications for how data gets treated by individual employees under little oversight.
Attackers going after mobile apps are usually looking for one of four things: Personally Identifiable Information (PII) – including employee information to be used against the victim; bank/financial data; user credentials for the phone or other online services; and finally, control of the device itself.
15 Best Practices for Mobile Application Security:
- Do NOT store PII or other sensitive data on the user device
- Do NOT rely on built-in keychains
- Do practice defense in depth using the types of application security testing best suited for your budget and needs. SAST testing is especially critical here, as reviewing the source code is the best way to find flaws as early in the SDL/SDLC as possible.
- Do limit permissions to only the most necessary components required for the app to function correctly
- Do implement proper TLS by ensuring HTTPS is always used. Keep in mind how vulnerable your consumers will be on Wi-Fi networks.
- Do NOT hard-code data within the app
- Do invalidate a user’s session upon logout – on both the client and server side. Additionally, always log users out after a certain amount of inactive time in the application
- Do implement OAuth 2.0 where possible to reduce the chance of attackers performing man-in-the-middle attacks
- Do know which regulations your application needs to adhere to (PCI-DSS, HIPAA, etc.) and ensure that these are being addressed in the design stage.
- Do understand the nuances of each platform you’re developing for, whether it’s iOS, Android, or Windows
- Do ensure proper session management
- Do define trust boundaries
- Do use proper binary protection to combat buffer overflow and stack overflow attacks, along with jailbreaking
- Do understand what data will be collected and let that steer your security steps
- And finally – Do whatever is in your power to keep your mobile app consumers’ – whether employees or customers – data secure and their trust intact.
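The logout and inactivity rules above only work if the server enforces them, not just the app. The following is an added example, not code from the original post; the SessionStore class, the injectable clock and the 15-minute idle limit are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: 15 minutes of inactivity


@dataclass
class Session:
    user_id: str
    last_seen: float


class SessionStore:
    """Server-side session table: the app's cookie is only a lookup key."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable for testing

    def create(self, user_id):
        # 256-bit random token; never derive it from user data
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token):
        """Return the user id for a live session, or None if it is gone."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._idle_timeout:
            # Expire on the server, so a leaked token cannot be replayed
            # after the user has walked away from the device.
            del self._sessions[token]
            return None
        session.last_seen = now  # activity resets the idle clock
        return session.user_id

    def logout(self, token):
        # Clearing the cookie in the app is not enough: the server copy
        # must be dropped, or the old token keeps working.
        self._sessions.pop(token, None)
```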
What other best practices would you add to the list?