Mobile devices account for more than 60% of all visits to U.S. websites, according to Perficient, meaning many businesses are taking a mobile-first approach. While most developers appreciate the importance of good mobile user experiences, relatively few appreciate the security differences between mobile and desktop.
Let's look at five trends in mobile security that developers should keep in mind when building software.Many developers are familiar with mobile UX, few are concerned with mobile security. Here's what you should keep in mind. Click To Tweet
#1. Social Engineering
Social engineering is one of the most common attack vectors. In fact, FireEye found that more than 90% of cybercrimes start with an email containing a malicious link, attachment, or request. If your app supports communication between users, you should take precautions to ensure that phishing attempts are detected and blocked at the server level.
Cybercriminals have also become proficient at SIM jacking. After swiping a mobile number, they're able to complete two-factor authentication requests involving SMS codes. These trends mean that mobile developers should consider using biometrics (e.g., face recognition) or multiple factor authentication (MFA) to secure their users' accounts.
#2. Third-Party Libraries
Most mobile apps make extensive use of third-party libraries and dependencies. Unfortunately, poorly maintained libraries can inadvertently introduce security vulnerabilities. In some cases, cybercriminals have introduced vulnerabilities into popular libraries or created vulnerable versions of popular libraries and tricked developers into using them.
The best way to avoid these problems is to use controlled internal repositories and policy controls to protect them from vulnerabilities. Alternatively, developers can strictly define and test each version of a third-party library to identify and avoid any vulnerabilities rather than automatically using the latest versions in production.
Strong passwords are difficult enough to enforce on the desktop, but they can be downright impossible with mobile keyboards. In addition to enforcing good password hygiene (e.g., requirements), developers should consider using OAuth to authenticate with Google, Apple, Facebook, or other providers that can handle password security.
Other authentication strategies include:
- Multi-factor Authentication: SIM jacking may be increasingly prevalent, but other forms of multi-factor authentication can help verify a user's identity beyond their password, such as by using a hardware security key.
- Biometrics: Google and Apple devices often have biometric capabilities built-in (e.g., fingerprint or face recognition) to confirm a user's identity before signing them into the device, eliminating risks from a stolen device.
- Risk Assessment Tools: IP tracking, challenge-response protocols, and device reputational controls can help proactively block cyber criminals before they attempt to use a stolen password to gain access.
Authentication requests should happen on the server side. Upon success, the data should be loaded on the mobile device. This ensures that the data is only loaded after successful authentication. Authorization and permissions should happen using data on the backend server rather than data stored on the mobile device.
Mobile sessions typically last longer than desktop browser sessions, making session handling more challenging for servers to manage. While device identifiers are convenient, session tokens can be easily revoked at any time, making them more secure in the event of a lost or stolen device. It's also a good idea to enable remote sign-out capabilities in case of loss of theft.
Once signed in, developers should always keep in mind the principle of least privilege—apps shouldn't request more privileges than they need to function. So, for example, don't request access to a user's contacts or make unnecessary network connections if they're not required. That way, successful attackers will have limited access to information.
Finally, SSL/TLS should be used to send and receive sensitive data, such as tokens or credentials. You should use industry standard encryption (see below) along with appropriate key lengths and signed certificates from a trusted CA provider. Sensitive applications may even want to consider pinning certificates for maximum security.
#5. Data Storage
Most mobile apps store and transmit data to servers regularly. If that data isn't encrypted, it's susceptible to man-in-the-middle attacks during transit to and from the server, as well as theft on the device. Therefore, developers should always ensure that information is encrypted both at rest and in transit across their mobile apps using SSL/TLS.
Key management is equally important to ensure that access credentials are kept safe on the device. For example, you should always store keys in secure containers and never store them locally in an unsecured database. Developers should also use widely accepted cryptographic protocols, such as MD5 and SHA1, and built-in options, such as iOS’ secure storage API.
Finally, you may want to consider implementing layered encryption. If a cybercriminal decrypts one layer, there’s another layer of encryption protecting sensitive information. For example, you may encrypt the data before sending it to the iOS secure storage API, creating two layers of security that will be virtually impossible to penetrate.
The Bottom Line
Mobile apps have become one of the most common ways for users to access information from businesses. When designing for mobile devices, developers should go beyond the user experience and ensure that security protocols are catered toward mobile users in order to minimize the risk of loss and secure their applications.
In addition to the five tips we’ve covered, code quality plays a major role in security. Consider using third-party static analysis tools to identify memory leaks, buffer overflows, and other potential vulnerabilities. You can also hire security companies that specialize in these services to identify potential areas of concern that you can flag for follow-up.
If you need help securing your apps, contact us today to schedule a free consultation to discuss your project.