By Anas Baig.
Hundreds of thousands of mobile applications are downloaded by users on the Internet every day. Likewise, thousands of applications hit the app stores on a daily basis.
The extreme use of mobile applications shows how much more deeply we are engaged in our "connected" life than ever before. Not only have mobile devices invaded our households, but they are also raiding the corporate sector with equal intensity. In fact, according to a study conducted by Tech Pro Research in 2014, 74% of organizations reported that they were embracing Bring Your Own Device (BYOD).
However, the ever-increasing use of mobile devices, and now the rising popularity of IoT, have brought new kinds of dangers with them: cyber threats!
Mobile App Cyber Security Incidents
It would not be unfair to deem mobile devices as the new hunting ground for digital anarchists and villains.
Out of all things, mobile applications are the first target of hackers and data snoopers. Most of the new malware being released online is targeted at mobile applications.
Take, for instance, the malware that hit popular Australian banking apps. That malware can not only imitate the screen of a banking app to log the user's sensitive data, but it can also bypass the two-factor authentication security layer.
Recently, a new malware named LeakerLocker threatened to send users' photos and other sensitive information to their contacts unless they paid the demanded ransom. Thousands of such malware attacks are reported from different regions.
Cybersecurity breaches aren't going to come to a halt anytime soon. However, many attacks can be prevented by proactive measures. Who's going to take those measures? The app developers!
Developers are the first people to interact with mobile applications at an intimate level. Hence, if they are proactive from the early stages of development, users can avoid cyberattacks later. The following are common cybersecurity problems, with tips and hints to make your applications more secure.
1. Vulnerable Data Storage
It is a no-brainer that a hacker would first go after a mobile device's data storage through an infected application, so leaving this important spot unattended is a serious mistake. In other words, an unsecured application is an invitation for hackers to "come and hack my device."
The popular example here is the 2014 data breach incident involving the Starbucks app. The hacker compromised the device via the app and stole the data that had been left unprotected.
To prevent such data breaches, developers should either move storage to a secure cloud service or use encryption.
2. Little to No Encryption
Talking about encryption, developers seem to be a bit complacent when it comes to using the highest level of security for their apps. Needless to say, users save a great deal of sensitive information on their smartphones; this information is not only easy to crack but also very accessible. It is not only stored data that is threatened by exploits but also the communication channel that chat applications use. According to a 2016 study, only a handful of chat applications use end-to-end encryption, whereas the rest either use no encryption at all or use weak encryption.
Developers should conduct a thorough analysis of encryption while creating an app and ensure they cover all the security loopholes in their creation.
3. Delayed Log-out Sessions
An incomplete log-out session invites security breaches that can result in data theft and other types of cyberattacks. Incomplete log-out sessions mostly occur when a user logs out of their account on the device, but the session remains active on the server.
Such security issues can be resolved by fixing the errors that cause log-out to be delayed or left incomplete on the server side.
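To make the difference concrete, here is an added example (not code from the article) of a server-side session store in Python. A client-only "log-out" leaves the session alive on the server, whereas a proper log-out revokes it there; an idle timeout closes sessions the client forgot about. The in-memory store and the injectable clock are assumptions for the demo.

```python
import secrets
import time

# Constructed in-memory session store standing in for a real backend (assumption).
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """Server-side sessions: log-out is complete only once the server forgets the session."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}   # token -> {"user": str, "expires": float}
        self._ttl = ttl
        self._clock = clock   # injectable clock so expiry can be exercised deterministically

    def login(self, user):
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = {"user": user, "expires": self._clock() + self._ttl}
        return token

    def is_active(self, token):
        sess = self._sessions.get(token)
        if sess is None:
            return False
        if self._clock() >= sess["expires"]:
            del self._sessions[token]       # idle timeout: purge the stale session
            return False
        return True

    def logout_client_only(self, token):
        # The broken pattern: the app discards its copy of the token but never tells
        # the server, so the session stays usable by anyone who still holds the token.
        return None

    def logout(self, token):
        # The fix: revoke the session on the server so the token is dead everywhere.
        self._sessions.pop(token, None)


def demo():
    now = [1000.0]
    store = SessionStore(ttl=60, clock=lambda: now[0])
    t = store.login("alice")
    store.logout_client_only(t)
    still_active = store.is_active(t)   # True: the server-side session survived
    store.logout(t)
    after_logout = store.is_active(t)   # False: properly revoked
    t2 = store.login("alice")
    now[0] += 61                        # idle past the TTL
    expired = store.is_active(t2)       # False: idle timeout closed it
    return still_active, after_logout, expired
```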
4. Reverse Engineering
Reverse engineering is one of the most common yet effective ways to hack an application. Through reverse engineering, hackers can take your application apart, piece by piece, and modify it to suit their needs. Ultimately, they use the modified version of the app to hack into the genuine version running on other users' devices. The only way developers can overcome this security issue is by building the application in a highly secured environment and keeping access to a minimum.
5. Insecure Entry Points
Some applications are built in a manner that requires developers to accept data inputs from external sources. Attackers use this opportunity to inject malicious SQL code into the app, and they can easily bypass its defenses because of the lack of a secure authentication process. One such example of intrusion is the iPhone 1 OS bug that allowed hackers to tap users' conversations. To ensure that there is no unauthorized entry into the app, developers should create an input validation system.
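As an added example (not from the article), the following Python snippet shows the SQL injection problem at an entry point and the two defenses: a parameterized query, so input is always treated as data, and allow-list validation of the input itself. The SQLite table and the sample rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample database standing in for the app's backend (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "tok-alice"), ("bob", "tok-bob")])
    return conn


def lookup_vulnerable(conn, username):
    # External input is pasted straight into the SQL text, so the input can change
    # the structure of the query instead of being treated as a value.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # Parameterized query: the driver sends the value separately from the SQL,
    # so whatever the input contains, it can only ever be compared literally.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Allow-list validation at the entry point, applied before any query is built.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"       # constructed input that contains SQL syntax
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe": lookup_safe(conn, hostile),               # no such username
        "validated": validate_username(hostile),          # rejected at the entry point
        "normal": lookup_safe(conn, "alice"),             # legitimate lookup still works
    }
```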
6. Delayed Security Patches
Creating an app and launching it into the market doesn't mean that the developer's job is finished. On the contrary, the real development starts after the app has launched, when developers come across the security vulnerabilities and other bugs that are detrimental to the user experience.
Regardless, hackers are getting more efficient at finding security holes and exploiting them. To make their job difficult, developers should analyze their app regularly and release security patches accordingly.
7. Data Cache Vulnerability
Caching is an old technique for speeding up processes, be it on a computer or in an application. However, in mobile applications, cached data on the smartphone is usually kept for long periods of time. Due to this prolonged caching, the app or device becomes more vulnerable to security breaches. One effective way to fix a data caching vulnerability is to design the cache so that cached data is deleted on every device reboot.
8. Jailbroken or Rooted Devices Vulnerability
Thousands of users opt for jailbreaking or rooting in order to install and use third-party applications on their device. However, most third-party applications that require jailbreaking come with malicious code already attached. Ultimately, the malware not only infects the main device (patient zero) but also other devices on the same network. Developers should address this issue by making their applications "risk aware." The app should be programmed to detect a jailbroken device and restrict users from executing sensitive actions such as making transactions or accessing an enterprise's sensitive data.
9. Weak Cryptography
It is observed that developers usually go for the SHA-1 and MD5 algorithms, which are actually inadequate for advanced security needs. With weak cryptography, it gets easier for hackers to break into applications. Plus, if the device is compromised (jailbroken), the result is obvious.
Developers should implement the highest-level algorithms, like AES-256 encryption or SHA-256, when building their app to ensure better security.
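The following added Python example (not from the article) shows what the SHA-256 recommendation looks like in practice when an app protects a stored secret such as a password or PIN. A bare MD5 or SHA-1 of the secret is deterministic and unsalted, so identical secrets produce identical hashes and precomputed tables work against them; a salted, iterated PBKDF2-HMAC-SHA256 record does not have that property. The record format `algorithm$iterations$salt$hash` and the `needs_upgrade` helper are assumptions for this example.

```python
import hashlib
import hmac
import os

# Stored-credential format assumed for this example: "<algorithm>$<iterations>$<salt-hex>$<hash-hex>".
PBKDF2_ITERATIONS = 600_000
WEAK_ALGORITHMS = {"md5", "sha1"}   # the algorithms the article warns against


def hash_secret(secret, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = salt or os.urandom(16)        # random per-record salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret, stored):
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False                     # never verify against a weak or unknown record
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)   # constant-time comparison


def weak_hash(secret, algorithm):
    # What the article describes: a bare MD5/SHA-1 of the secret, no salt, no work factor.
    return hashlib.new(algorithm, secret.encode()).hexdigest()


def needs_upgrade(stored):
    # Flag legacy records so they can be re-hashed the next time the user authenticates.
    return stored.split("$")[0] in WEAK_ALGORITHMS


def demo():
    pw = "correct horse battery staple"          # constructed sample secret
    weak_a, weak_b = weak_hash(pw, "md5"), weak_hash(pw, "md5")
    strong_a, strong_b = hash_secret(pw, iterations=1000), hash_secret(pw, iterations=1000)
    return {
        "weak_identical": weak_a == weak_b,        # True: same secret, same hash every time
        "strong_identical": strong_a == strong_b,  # False: the random salt makes each record unique
        "verifies": verify_secret(pw, strong_a),
        "rejects_wrong": verify_secret("wrong", strong_a),
        "legacy_flagged": needs_upgrade("md5$0$$" + weak_a),
    }
```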
10. Unnecessary Permission Requests
Many applications request unnecessary permissions to access other features of the device. These privileges give hackers more opportunity to get their hands on sensitive details. Developers should limit permissions to only the components that are really needed.
The development strategies for ensuring the security of your app listed here are just the tip of the iceberg. Through trial and error, you may come across more sensitive points that need your immediate attention.
If you know any more security tips that we forgot to mention here, do share them with us in the comments below.
About the Author
Anas Baig is a Cybersecurity Journalist by profession with a profound interest in online privacy, security, and IoT. To know more about him, you can follow him on Twitter @anasbaigdm, or email him directly.