Mobile App Security

Common Oversights in Mobile App Security

Aug 02, 2016 By Kevin Beaver

Mobile apps arguably have the greatest number of security flaws of any enterprise system – and no one seems to know much about them. Mobile app security flaws are numerous across all types of business apps. But why?

 

Perhaps it’s the mentality that “it’s just an app” or the reality that many business owners, especially those in smaller businesses who might not have advanced security, fall for the marketing hype of “we’ve got to have a mobile app,” without including security in the discussion. Mobile apps are as complex as ever, yet the security flaws are very predictable – and the bad guys know it.

 

Recent examples of the technical security flaws in mobile apps I’ve found include:

  • Unencrypted communication sessions
  • Weak passwords
  • Hard-coded passwords and cryptographic keys, often for connecting to critical back-end systems
  • SQL injection
  • Sensitive information left behind, even after uninstalling

 

Vulnerabilities such as these can quickly create business risks, not to mention compliance gaps for PCI DSS, HIPAA and so on.

 

What does it take to find and eliminate these security flaws or, better yet, avoid them altogether? That depends largely on acknowledging the challenges in the first place. Mobile apps need to be part of your information risk management program, which means they need to be tested, ideally during the SDLC or, worst case, during ongoing security assessments or after any code or application environment changes are made. You need to look at your mobile apps from the perspectives of penetration testing, forensics, and source code analysis because they’re all going to uncover different things.

 

Free Resources for Mobile App Security

 

I’m also a big proponent of using resources from outside parties – especially when they’re free. Good examples include the following:

 

Mobile apps not only present great business opportunities but also opportunities for ill-gotten gains. Even if they are seemingly benign marketing or field apps that process and store nothing of value, they can serve as an entry point or steppingstone into a bigger environment that can be used against you and your business. You wouldn’t let that happen with web applications – mobile apps should be no different.

 


Kevin Beaver

Information Security Consultant at Principle Logic, LLC
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 27 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached via his website at principlelogic.com and you can also connect with him on Twitter and on YouTube.
