On a regular basis I hear a ton of “mobile app ideas”, but lately I have met a lot more people who are learning to code in their spare time in the hope of developing their first apps on their own. Most of these folks have a background in the business area or problem set that they are solving, but they don’t have a deep understanding of mobile information security.
Not all applications have the same security needs. If you are developing a calculator, alarm clock or some other utilitarian app that does not store and/or transmit any user information, then there are few security concerns. But if your app accesses a user’s social network information, stores device information, authenticates against a server, or takes payment in any shape or form, you need to understand how to protect your app and your users’ data against security breaches.
If you operate under the assumption that your app will be installed on millions of users’ mobile devices, protecting against data breaches and enforcing security should be one of your highest priorities. There is no silver bullet for mobile app security, but there are a few things you can implement to keep your users safe. The following are a few of the key areas that I typically recommend you consider when securing your mobile apps:
Understand the Data
Only Access What you Need.
It’s very easy to include access to everything on a user’s mobile device through the SDK and ask your user for access to every piece of device information (most people still click yes when they see these prompts). But is this really necessary? If so, take the time to understand what you are actually collecting and how it is stored.
Unless required, do not log or store users’ personal information. While personal data can be useful for certain apps, it is seldom necessary. By not persisting this data you avoid liability for many privacy and security issues.
Examples of personal user data that you need to protect include:
Address Book contacts
There is a good article on Juniper.net by Daniel Hoffman about how mobile apps expose personal information. Would your next app fall into one of the categories mentioned by Daniel?
Be Careful with Credentials
If your mobile app requires user credentials, then do not underestimate the importance of a password strategy. Try to have a password policy that matches the security needs of the data that you are collecting or providing to users. Apps that store sensitive data should have a much stronger password requirement than a game that stores your high scores. Remember there is always a tradeoff between application security and the usability of your app. If the app requires a strong password, the user is constantly asked for credentials, and/or there is a complex process for retrieving a lost password, that opens the door to app abandonment.
There are a few alternatives to help keep your app secure and easily accessible for the user.
Many companies provide OAuth access (e.g. Facebook, Twitter, Google, Amazon). Leverage the authentication infrastructure of a larger, more established company.
Email a login link to the user. Users never need to remember their password, but they will need to leave your app for a brief moment.
Integration with AgileBits 1Password.
Deep mobile OS application integration (Facebook, Twitter or Google). For example, Facebook Login allows users to easily sign in to your app. If they have already signed in on the Facebook app, they do not have to re-enter their credentials.
Also, never store passwords in plaintext. There are plenty of examples (see below) of how to use an iterated cryptographic hash function for password storage. If a user needs to re-authenticate, the application can verify the entered password against the stored hash, and the user can reset their password if they forget it. With that in place, passwords aren’t left exposed in case of a server data breach.
Tuts+ has a good article, Understanding Hash Functions and Keeping Passwords Safe. Although the article’s example is in PHP, it still gives a great overview of how to implement hash functions.
Important tip – Guard Against Brute Force Attacks.
Attackers use brute force techniques that leverage wordlists and rulesets to intelligently and automatically guess user passwords. Although brute force attacks are easy to detect, they are not so easy to prevent. Below are a few techniques to consider:
Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.
Prompt the user to answer a secret question after a certain number of failed logins.
Use a CAPTCHA to prevent automated attacks.
For advanced users, allow login only from certain IP addresses.
If you do have to lock an account due to a perceived security threat, then provide the user with a painless password reset process.
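To make the techniques above concrete, here is an added example (my own code for this post, not from any framework) of a server-side login guard that puts a hammered account into a lockdown mode rather than locking it out: the user can still log in, but only after a step-up challenge, and with reduced capabilities until the failure window expires. It also supports the opt-in per-user IP allow list. The thresholds, the capability names and the injectable clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field

# Policy values are constructed for this example; tune them to your app.
LOCKDOWN_THRESHOLD = 5    # failed logins before the account enters lockdown mode
WINDOW_SECONDS = 15 * 60  # failures older than this no longer count


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    allowed_ips: set = field(default_factory=set)  # empty set = no IP restriction


class LoginGuard:
    """Per-account failed-login tracking with a lockdown mode instead of a hard
    lockout. A legitimate user who is being targeted is inconvenienced (a
    CAPTCHA or secret question, no payments) but not denied service."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so tests can move time forward
        self._accounts = {}

    def _state(self, username):
        return self._accounts.setdefault(username, AccountState())

    def _prune(self, state, now):
        state.failures = [t for t in state.failures if now - t <= WINDOW_SECONDS]

    def restrict_to_ips(self, username, ips):
        """Opt-in for advanced users: only these source addresses may log in."""
        self._state(username).allowed_ips = set(ips)

    def precheck(self, username, source_ip):
        """Decide, before the password is even checked, what this attempt requires."""
        state = self._state(username)
        self._prune(state, self._clock())
        if state.allowed_ips and source_ip not in state.allowed_ips:
            return {"allow": False, "reason": "ip_not_allowed"}
        in_lockdown = len(state.failures) >= LOCKDOWN_THRESHOLD
        return {
            "allow": True,
            "lockdown": in_lockdown,
            # step-up challenge: CAPTCHA here, a secret question works the same way
            "challenge": "captcha" if in_lockdown else None,
            "capabilities": ["read"] if in_lockdown else ["read", "write", "payment"],
        }

    def record_result(self, username, success):
        """Call after the password (and any challenge) has been checked."""
        state = self._state(username)
        now = self._clock()
        self._prune(state, now)
        if success:
            state.failures.clear()  # a real login ends the lockdown
        else:
            state.failures.append(now)


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(LOCKDOWN_THRESHOLD):
        guard.record_result("alice", False)
    print(guard.precheck("alice", "203.0.113.7"))  # lockdown, CAPTCHA, read-only
```

Because precheck runs before password verification, the CAPTCHA requirement is enforced even when the guessed password is right, and the reduced capability list gives you something to hand to the session so a lockdown login cannot, for example, change the payment method.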
Encrypt Local Data
For some applications, storing or caching data locally on the device is a necessity. If you must store data locally on the device, then consider the fact that this data could be compromised. If your app handles sensitive data, then implement encryption. While not bulletproof, it can add significant complexity to an attack.
Apple does a good job of providing security options for developers directly in iOS. Here is Apple’s documentation on security. Also, here is a tutorial from Tuts+ and an overview of how to implement data encryption on iOS.
With the release of Android 4.4 (KitKat) there were a number of security enhancements that help developers protect local data:
ECDSA Provider support in AndroidKeyStore
Android sandbox reinforced with SELinux.
But remember that the external storage (SD card) has little to no permission protection: any app with read access to it can read all files on the SD card. For some examples of how to encrypt local data within your Android app, take a look at Christopher Bird’s tutorial.
Transmit with a Secure Protocol
There is a high probability that your users will have internet access in a public WiFi zone (such as coffee shops, airports, etc.). Unsecured networks such as these leave insecure data transmission vulnerable to session hijacking. Implementing transport layer encryption (SSL/TLS, i.e. HTTPS) is a must to keep your users’ communication safe. A digital certificate from a well-respected vendor is inexpensive and will help win your customers’ trust. Security threats are ever evolving, so remember to stay abreast of the latest and greatest security features.
Apple and Google both have in-depth documentation on transmitting data securely. Most public APIs provided by companies such as Twitter, Facebook, Amazon, etc. use a secure connection for their API endpoints.
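Transport encryption only helps if the client actually verifies the server’s certificate; the most common mistake is switching verification off to silence an error during development and shipping it that way. As an added example (mine, not from Apple’s or Google’s documentation), here is the weak client configuration beside the corrected one, written against Python’s standard ssl module, plus a small audit function you can drop into a test suite. The audit criteria are my own choices for the example.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> dict:
    """Report the settings that decide whether a client will accept a forged
    certificate from a hostile network (coffee-shop WiFi, rogue access point)."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls_1_2": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def is_safe(ctx: ssl.SSLContext) -> bool:
    return all(audit_tls_context(ctx).values())


def insecure_client_context() -> ssl.SSLContext:
    """The 'just make the warning go away' configuration: the connection is
    still encrypted, but to whoever answers, so a man-in-the-middle can read
    and alter everything. Shown only to contrast with the secure version."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """create_default_context() already requires a certificate chaining to a
    trusted CA and matching the hostname; we additionally refuse old TLS."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Usage with the standard library HTTP client (assumed API endpoint URL):
    #   import urllib.request
    #   urllib.request.urlopen("https://api.example.com/v1/me", context=secure_client_context())
    print("insecure:", audit_tls_context(insecure_client_context()))
    print("secure:  ", audit_tls_context(secure_client_context()))
```

A unit test that asserts is_safe on the context your networking layer actually uses catches the disabled-verification regression before it reaches users; the same idea applies to iOS and Android clients, where the equivalent mistake is a trust manager or delegate that accepts every certificate.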
Follow Standards and Regulations
I am not a lawyer, but I hear from my lawyer friends that not adhering to industry and government standards can cost you a big chunk of change if something goes wrong. Ensure you are complying with the relevant rules and regulations if your app deals with kids’ data, health data or financial data.
There are companies that provide help in the area of server (cloud) security for certain industries. Firehost is a great example of a company that provides security as a service. If your app requires storing regulated data on a server, then a third-party vendor is a quick solution to a difficult task.
Below are a few links for more information concerning privacy laws, acts and standards.
Secure your Server
Lastly, if you have an end-to-end solution with a server-side component, make sure that the server, the stored data, and the services are secure. I briefly touched on a few points for mobile app security, but do not forget the importance of a secure backend. Whenever possible, avoid re-inventing the wheel; there are a lot of tools and frameworks that can help protect your backend from threats such as cross-site scripting and injection attacks.
A few good tips for securing your web server:
Reduce verbose errors. Verbose errors can leak critical information about your web server’s architecture and code.
Change default directories. Attackers may use common logins, admin interfaces and simple name schemes to access server directories.
Guard Against Brute Force Attacks. Attackers could use automated tools that intelligently guess user passwords.
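The first tip, reducing verbose errors, comes down to one rule: the full detail goes into the server log, the client gets a generic message and a reference id. As an added example (written for this post, not taken from any framework), here is a request wrapper that does exactly that, together with a check you can run in your test suite to catch responses that leak internals. The marker strings and the debug flag are assumptions for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


def error_response(exc: Exception, debug: bool = False) -> dict:
    """What the client sees when something fails. The traceback is logged
    server-side under a correlation id; the client gets only that id and a
    generic message, unless the server is explicitly in debug mode."""
    correlation_id = uuid.uuid4().hex
    log.error("request failed [%s]\n%s", correlation_id, traceback.format_exc())
    body = {"error": "Something went wrong. Quote reference %s to support." % correlation_id}
    if debug:  # never enable in production: this is the verbose error
        body["detail"] = repr(exc)
        body["trace"] = traceback.format_exception(type(exc), exc, exc.__traceback__)
    return body


def handle(request_fn, debug: bool = False) -> dict:
    """Run one request handler and convert any exception into a safe response."""
    try:
        return {"ok": True, "data": request_fn()}
    except Exception as exc:  # broad on purpose: nothing unhandled reaches the client
        return error_response(exc, debug)


# Strings that only a developer should ever see in a response body
# (constructed list for the example; extend it for your stack).
LEAK_MARKERS = ("Traceback", "File \"", ".py", "/srv/", "SELECT ", "Exception(")


def leaks_internals(body: dict) -> bool:
    """Crude test-suite check: does a response expose paths, code or SQL?"""
    text = repr(body)
    return any(marker in text for marker in LEAK_MARKERS)


if __name__ == "__main__":
    def failing_handler():
        raise RuntimeError("unique constraint violated in /srv/app/db.py")

    print(handle(failing_handler))               # generic message + reference id
    print(leaks_internals(handle(failing_handler, debug=True)))  # True
```

Running leaks_internals over the responses of your integration tests is cheap and catches the common regression where a framework’s debug page is left switched on in a production build.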
Mobile app security is an extensive and iterative process. Thinking about security early in the app development process can save a lot of resources in terms of time, man hours, and money. New vulnerabilities are constantly arising, so stay on top of security updates for software libraries and new techniques for keeping your app safe.
by Richard Makerson
What other security tips would you add?