Mobile App Security: Part 1
Mobile applications contain a lot of sensitive information and should be secured against unauthorized usage to protect owners’ assets. Any device could be stolen or lost—leaving unauthorized parties easy access to financial information (through banking apps, crypto wallets, etc.) or other sensitive information (photos, messages, social media apps, parking apps, etc.). The consequences have potential to carry serious weight. For this reason, mobile application security is paramount to protecting user data and privacy. In part 1 of this blog, we’ll discuss best practices users may follow to ensure their information, and peace of mind, are safe.
Use platform properly
Both Android and iOS have development guidelines for secure, proper usage of the system API and guidelines for implementing mobile security. Developers should follow these guidelines, but also consider best security practices and common sense.
- Keychain/keystore proper usage: These should be used for working with the cryptographic function on a device, making it harder or impossible to extract information.
- IPC: Inter Process Communication (IPC) mechanisms are disabled, unless explicitly required, and are not used to import/export sensitive information.
- Runtime permission: Only necessary permissions should be requested, and the user should see an explicit message describing exactly what information is needed, why and how long it would be stored.
- All input information is validated and sanitized (IPC, user input and other sources).
Secure data storage
Any mobile device could get lost, get malware or be stolen and susceptible to an attacker gaining physical access to it. In case of these situations, applications should protect valuable assets and make it more difficult to extract them in a case of unauthorized access. Keep in mind:
- Sensitive information should be stored in correct places. Private spaces for an application are typically recommended by its developer guidelines. This place should be non-publicly accessible
- Sensitive information should not be shared (third-party libraries, IPC, backup, logs, etc.)
Network communication being sent or received from an app can also be vulnerable. Secure communication between the application and remote endpoint ensures integrity, security and confidentiality. Here’s one approach:
- Applications should use an encrypted communication channel to a remote endpoint with proper configuration
- Consider using certificate pinning for improved security
Use proper cryptography
Cryptography is related to data storage and network communication but not limited to it. Modern applications use cryptography in a variety of places, such as hash fingerprints or generating random numbers. In case of improper usage, things can go terribly wrong and related usage can be impacted. We recommend:
- Using proven cryptography libraries
- Implementing and configuring cryptography, according to security guidelines
Additional information and testing
For additional information related to security testing, development best practices or deep technical details, consider looking to OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG). They can be used as guidance and metrics for checking if a mobile application is secure.
The next blog in this series covers the topic of authentication. Stay tuned.