85% of Mobile Apps Violate Security Standards – Here’s How to Make Sure Your App Is Secure
Emily Clark wrote this article
The following is a guest post by Emily Clark of Clutch.co, the leading directory for premiere mobile app developers.
As mobile apps become more integrated into people’s lives, there is a greater need for mobile app security. Although users rely heavily on app discretion and security, 85% of mobile apps violate security standards. This is alarming to me. Apps have access to data such as user behavior, payment methods, and passwords. While most people I talk to are trusting of the security in the apps they use, this trust needs to be justified.
The App Security Standards You Need To Know For Your Mobile App
The most common flaws in app security stem from insecure data storage and communication. The Open Web Application Security Project is a world-wide internet community dedicated to improving software security. The OWASP’s mission is to create public visibility for software security so people and organizations can make informed decisions. As a respected authority on software security, the OWASP released a report that outlined the top 10 mobile app security vulnerabilities that were exploited by cybercriminals. So what are the top 10 mobile app security vulnerabilities that I think you should look out for the most?
Activity Monitoring and Data Retrieval
Activity monitoring and data retrieval occurs when hackers can access phone data through an insecure mobile application. The hacker can turn on your phone’s microphone and record what you are saying discreetly. Further, the attacker can access emails and send them to other addresses, violating your privacy and others’.
Unauthorized Dialing, SMS, and Payments
Today, a common way to spread viruses is through unauthorized text messages. Contacts click the malware hidden in the text message and their phones receive a virus. Hackers tend to access SMS text messaging through vulnerable apps. Most of these types of attacks result in the same effect. There’s either a data breach, defacement of a site, or uploaded malware. Your app should prepare for all entries into the software to effectively prevent cyberattacks.
Unauthorized Network Connectivity
Many companies and homes have a network of devices that all access the same files through the cloud or use the same internet connection. As more users are added to the network, it’s easier for hackers to breach in because each device becomes an access point. Unauthorized network connectivity occurs when one user downloads a corrupted app that can access the network and send data to the attack. Mobile devices, especially, are designed to communicate, which means each connected app can be used as a potential vector for the attacker. Email, SMS, Messenger, and Bluetooth are all examples of possible access points.
User interface impersonation occurs when an attacker poses as a user to access information. Phishing attacks are a common example of UI impersonation as the attacker pretends to be a friendly contact who then sends corrupt links and malware. Malicious apps can create a user interface that impersonates a phone’s native UI to trick others into trusting the source. For example, a user will be asked to authenticate their app account and then sends their passwords and financial information to an attacker.
Attackers will modify your app’s internal system to disguise their presence, otherwise known as “rootkit behavior.” A “rootkit” is malicious computer software that can bypass authorization security and accesses sensitive data, secretly. This breach can make your app more vulnerable to a modified proxy configuration and the copying of messaging.
If your app is loaded with a logic or time bomb, a certain event or action will trigger the bomb to activate and steal or destroy information from the app. Specifically, a logic bomb is a piece of malicious code that triggers when a predicted condition occurs. For example, say the user buys a certain coin in a game that is loaded with the logic bomb. Once that coin is bought, the logic bomb “detonates,” which means the attacker now has access to the app’s system.
Sensitive Data Leakage
Sensitive data is information that is protected against unasked for disclosure. When sensitive data like financial or healthcare information is unsecured on an app, the exposure can result in credit card fraud and identity theft. Sensitive data leakage can either occur by accident or by an attacker. For example, say a user inadvertently sends the wrong person a text message with their location. The user has leaked sensitive information. Hackers can also steal data when posing as another person, who then sends the attacker sensitive data, unknowingly. Such data leakage could include user location, ID information, and authentication credentials.
Unsafe Sensitive Data Storage
Apps can store incredibly important user information that users trust will be protected securely. Still, many apps do not have the proper security measures in place to prevent attackers from easily reading it. Sensitive data, like financial information, should always be stored with a strong encryption process and an authentication system.
Unsafe Sensitive Data Transmission
Many app developers remember to encrypt the stored data on their platform, but forget to encrypt transmitted data. Attackers can snatch sensitive data as it is transferred between apps or servers. Mobile apps are especially vulnerable to mid-transmission attack because they are constantly connecting to different and insecure WiFi.
I’ve seen some app developers “hardcode” passwords, which means they put non-encrypted passwords and keys into their source code. Developers tend to use “hardcode” passwords because they make debugging and implementing the app easier. Unfortunately, these “plain text” passwords are easily available to the public. Attackers simply have to reverse engineer the password and the app is vulnerable to a breach. These breaches are often difficult to detect as well because the attacker manipulated the original password.
Use These 5 Tips to Prevent These Common Security Flaws
Many companies value the rush to market over a secure platform. Developers want to release their app as quickly as possible without evaluating the state of their app’s security. Over a third of app developers (38%) confess they do not scan for app vulnerabilities. As well, 60% of app developers lack confidence in their app’s security and do nothing to fix the problem. So what are some simple tips that you can use to prevent your app from being hacked?
Tip #1: Encrypt Your Code
Implement an effective encryption system from the beginning of app development. Do not leave any open text and limit access to app data to only a few trusted employees. Protect your authentication gateways so that data given from an outside source becomes encrypted. As well, change your passwords frequently so it is harder for hackers to infiltrate.
Tip #2: Validate Outside Data
Assume all user-submitted data could be tainted so make sure to validate any inputs and filter out “dangerous characters.” As well, only construct queries with your own data instead of integrating user input and encrypt all your passwords. Constantly monitor your domain language with effective security tools. Further, don’t store data your app doesn’t need to function. If you don’t collect sensitive data from users then your app won’t be a target for hackers. Ensure that your app needs all the data it stores from user behavior.
Tip #3: Implement Multiple Layers of Security
Structure your app so authorization has multiple layers of security to protect data. A hacker can probably breach at least one security level, which means you should implement more protection through each authenticated layer. If a user signs in from a new location or device, send a code to their phone number to ensure the authenticated user is the same person who is using the app. After you integrate security levels, test them all. Confirm that your app is secure from outside attacks and infiltration. Pretend to be the cybercriminal and try your hardest to access the desired information.
Tip #4: Time Out Users
Make sure your app logs users out properly if it is using sensitive data. Many apps, like banking apps, time out after a certain period of disuse, meaning users are automatically logged out after a certain period of time without actively using the app. These logout procedures make it more difficult for outside parties to access sensitive information.
Tip #5: Change Passwords
Require users to create a complex password with different characters to make it more difficult for hackers to guess. Users should also change passwords every several months. By forcing users to cooperate with a security policy, the more likely their data will be secure. As long as the password creation process is simple, users tend not to mind the extra effort for protection.
Why Do These Flaws Matter?
If your app does not have strong security measures, then it will likely not be a sustainable business. App developers value daily active users as the most important metric to app success. As such, you need to attract consumers to your app to maintain success, and no user will share financial information with an app that is constantly hacked. Cyberattacks damage your app’s reputation and deter other potential customers from downloading your app.
Furthermore, cyberattacks can make an app developer vulnerable to lawsuits as hackers steal important information. Most security breaches stem from a lack of proper data storage and sensitive information attacks that result in identity theft and fraud. A lack of security can result in high costs and a ruined brand name.
Make sure you implement security measures from the beginning of development. Test the effectiveness of your app protection and maintain customer trust. App security can only improve your app’s quality and reputation.
Want to read more from Emily Clark of Clutch.co? Click here.