May 07, 2014
Everything is going mobile. Whilst traditionally software developers would build applications only to be used on a small number of platforms, that number has quickly ballooned to hundreds. Developers now build applications for all kinds of tablets, mobile phones, desktops and variations thereof, which present all new security risks. That leads to a challenge for developers: how do you ensure that the mobile applications you're building are secure? We share an introduction to secure mobile application development, which begins with understanding the biggest mobile application security risks.
The Biggest Mobile Application Security Risks
According to the OWASP mobile security project, the top ten mobile application security risks are as follows:
- Weak Server Side Controls - Almost anything the application does insecurely that doesn't actually take place on the phone, i.e. weaknesses in the servers and APIs it talks to.
- Insecure Data Storage - Storing data insecurely, so that it can be accessed by other malicious apps, or if the phone is stolen by an attacker.
- Insufficient Transport Layer Protection - Not using SSL or other encryption methods to securely transfer data across mobile networks.
- Unintended Data Leakage - Usually caused by the way a framework, operating system, compiler or hardware manages data without the developer's knowledge.
- Poor Authorisation and Authentication - For example authenticating users locally and "remember me" style login systems that store the user's password on the device.
- Broken Cryptography - For example, poorly managing encryption keys, or using custom encryption protocols.
- Client Side Injection - This can include SQL injection attacks, XSS attacks and similar.
- Security Decisions Via Untrusted Inputs - If you do not whitelist applications, other mobile apps could potentially communicate with your app, compromising its security.
- Improper Session Handling - This can be anything from not timing out logins fast enough, through to only invalidating sessions on the mobile app, not on the server side too.
- Lack of Binary Protections - If you are hosting your application in an untrustworthy environment, then an attacker could potentially reverse engineer your app, embed new code and then re-upload it, unknown to those downloading and installing it.
Ten Tips For Minimising The Risks
There are hundreds of things a developer needs to bear in mind to develop secure mobile applications, but a large number of attacks can be prevented by following the ten pieces of simple advice listed below.
- Threat model your mobile applications - Think about all the possible ways that your applications could be compromised. What happens if a user's phone gets stolen? What if a malicious app was somehow installed on the device? What if the device connected to an untrustworthy wifi network? It's only by modelling these attacks that you can think about ways to protect against them.
- Be careful with what you store on user devices - As a general rule, don't store anything you don't have to on the user's device. The less confidential or potentially sensitive information you can store on the user's device, the better.
- Use two-factor authentication where possible - Two-factor authentication can help you to protect against numerous attack types. For example, if your app asks the user for a password, you can ask them to draw a pattern, or type a memorable word too.
- Obfuscate code before release - You want to make it as hard as possible for an attacker to reverse engineer your application. By obfuscating code you increase the level of skill required by an attacker to cause damage.
- Carefully manage 3rd party services - Don't accept communication from other apps or web services without protection. A good policy is to whitelist other applications or services, so that only they can communicate with your application. Treat all communication as suspicious, even from whitelisted applications.
- Utilise minimum security best practices - Minimum best practices can stop 80% of security attacks. This is just as true for mobile as it is other platforms.
- Don't store keys in RAM longer than necessary - When you are storing encryption keys in memory, always nullify the variable as soon as possible. Don't leave encryption keys, unencrypted passwords or other information sitting in memory for long lengths of time.
- Fully validate SSL certificates - Always fully validate SSL certificates with any server you communicate with, and don't transmit sensitive information without SSL enabled.
- Use appropriate session controls - Kill sessions when the device isn't used for a period of time, both on the device itself and the server side. Don't leave sessions open unchecked for long periods of time.
- Always store data securely - Use proven encryption algorithms to store sensitive data on a user's device. Never store sensitive data like usernames, passwords, or personally identifiable information in plain text.
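The session-handling advice above (risk "Improper Session Handling" and the tip "Use appropriate session controls") in working form, as an added example that is not part of the original article: a minimal server-side session table with an idle timeout, a hard lifetime, and logout that invalidates on the server rather than only in the app. The clock injection and the helper names are assumptions for the sake of the example.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session is killed
ABSOLUTE_TIMEOUT = 12 * 3600  # hard lifetime, however active the session is


def _key(token):
    # store only a hash of the token, so a dump of the session table cannot be replayed
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Server-side session table. The mobile app holds only the opaque token."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable clock (assumed helper, used for testing)
        self._sessions = {}           # sha256(token) -> {"user", "created", "last_seen"}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        now = self._clock()
        self._sessions[_key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token):
        """User for a live session, or None if unknown, idle too long, or past its lifetime."""
        s = self._sessions.get(_key(token))
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.revoke(token)              # expire here, on the server, not only in the app
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke(self, token):
        """Logout: deleting the token from the device alone would leave it valid here."""
        return self._sessions.pop(_key(token), None) is not None

    def revoke_all_for(self, user):
        """Lost or stolen device: drop every session belonging to the user."""
        dead = [k for k, s in self._sessions.items() if s["user"] == user]
        for k in dead:
            del self._sessions[k]
        return len(dead)
```

Every request the app makes should go through `lookup`; a token that the app still holds after the idle or absolute timeout is worthless because the server has already dropped it.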
Whilst it is extremely difficult to build an application that is completely invulnerable across hundreds of different mobile phones (read: impossible), by following the above tips you'll avoid the biggest mistakes and build more secure applications.
Have any secure mobile application development tips of your own to share? Discuss them with our readers in the comments below.