Mobile app security is a hot topic these days. Unfortunately, it’s for all the wrong reasons. Discerning mobile device owners have long known the dangers of downloading apps from unscrupulous sources, but it’s only relatively recently that the extent of the vulnerabilities in mainstream apps has come to light. Research firm Gartner predicts that by 2015, 75% of mobile apps available on the market will fail basic security tests. Perhaps even more worrying, according to security firm MetaIntell, more than 90% of the top 500 Android apps carry a security or privacy risk.
Why is security such a rampant problem in the mobile app industry?
The answer is two-fold. Having a mobile app is no longer an option for businesses; it’s a necessity. However, under pressure to release apps quickly and frequently, development teams are putting security testing on the back burner. At the same time, attackers are more sophisticated than ever before and are taking advantage of a market flooded with vulnerable applications.
5 Major Mobile App Security Concerns
1. User Authentication
Mobile security 101 starts with robust user authentication. These days, a simple username and password are not enough. Impose minimum requirements on passwords and PINs with regard to length and complexity, and store them on the server only as salted, slow hashes, never in clear text. Other prudent measures include two-factor authentication and locking users out after a certain number of failed login attempts. Make that lockout temporary, or use rate limiting with a growing delay: a permanent lockout lets anyone who knows a username deny that user access to their own account.
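The policy above, worked through as an added example that is not part of the original post: a minimum password length with a deny-list, salted PBKDF2 hashing, and a per-account lockout that grows with each burst of failures but is always temporary and capped. The class and function names, the constants and the demo user store are assumptions made for this illustration.

```python
"""Added example (not from the original post): a login policy that enforces a
minimum password length, stores credentials hashed, and locks an account for a
growing but bounded period after repeated failures. All names (LoginThrottle,
attempt_login, the constants) and the demo user store are assumptions made for
this illustration.
"""
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 12
MAX_FAILURES = 5             # consecutive failures allowed before a lockout
BASE_LOCKOUT_SECONDS = 60    # first lockout; doubles on each repeated burst
MAX_LOCKOUT_SECONDS = 3600   # cap so a victim is never locked out indefinitely
PBKDF2_ITERATIONS = 200_000
# Constructed deny-list stand-in; a real one is a large breached-password corpus.
COMMON_PASSWORDS = {"password1234", "qwertyuiop12", "123456789012"}


def password_meets_policy(password):
    """Length plus a deny-list as the minimum bar (composition rules add little)."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def verify_password(password, stored):
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Used when the username does not exist, so that unknown-user and wrong-password
# attempts cost the same time and cannot be told apart by timing.
_DUMMY_STORED = hash_password("dummy-password-not-used")


class LoginThrottle:
    """Per-account failure counter with temporary, escalating lockouts."""

    def __init__(self, clock):
        self._clock = clock        # returns seconds; injected so tests are deterministic
        self._failures = {}        # username -> consecutive failures in this window
        self._lockouts = {}        # username -> lockouts since the last success
        self._locked_until = {}    # username -> time the current lockout ends

    def is_locked(self, username):
        return self._clock() < self._locked_until.get(username, 0)

    def seconds_until_unlock(self, username):
        return max(0, self._locked_until.get(username, 0) - self._clock())

    def record_failure(self, username):
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILURES:
            n = self._lockouts.get(username, 0)
            self._lockouts[username] = n + 1
            duration = min(BASE_LOCKOUT_SECONDS * 2 ** n, MAX_LOCKOUT_SECONDS)
            self._locked_until[username] = self._clock() + duration
            self._failures[username] = 0   # a fresh window starts after the lockout

    def record_success(self, username):
        self._failures.pop(username, None)
        self._lockouts.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password, user_store):
    """Returns 'locked', 'ok' or 'denied'. user_store maps username -> stored hash."""
    if throttle.is_locked(username):
        return "locked"            # no password check at all while locked
    stored = user_store.get(username)
    # Always run the slow hash so timing does not reveal whether the user exists.
    valid = verify_password(password, stored if stored is not None else _DUMMY_STORED)
    if stored is not None and valid:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


if __name__ == "__main__":
    clock = [0]
    throttle = LoginThrottle(lambda: clock[0])
    users = {"alice": hash_password("correct horse battery")}
    for _ in range(MAX_FAILURES):
        print(attempt_login(throttle, "alice", "wrong-guess", users))
    print(attempt_login(throttle, "alice", "correct horse battery", users))
    clock[0] += throttle.seconds_until_unlock("alice")
    print(attempt_login(throttle, "alice", "correct horse battery", users))
```

In a real deployment the throttle state lives in shared storage (a database or cache) so every back-end instance sees the same counters, and a second limiter keyed on the client address catches attackers who spray one password across many usernames instead of many passwords at one.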
2. Data Transmission
Sensitive data should never be transmitted in plain text. At minimum, all traffic between the app and the back end should be encrypted with TLS (the successor to SSL; the older name is still common), and the app must actually verify the server’s certificate chain and hostname. Code that disables certificate checks to make a test environment work, and then ships that way, encrypts the traffic to whoever is sitting in the middle. For high-value connections, consider pinning the expected server certificate or public key so that a certificate issued for your hostname by some other CA is rejected too.
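What "encrypt with TLS" has to mean on the client side, as an added example that is not part of the original post, using Python’s standard ssl module: the weak configuration that only looks encrypted beside the hardened one, a reviewer’s check for the difference, and optional certificate pinning. The function names and the pin format (hex SHA-256 over the certificate’s DER encoding) are assumptions made for this example.

```python
"""Added example (not from the original post): the client-side TLS settings the
section above asks for. hardened_context() is what to ship; insecure_context()
is the common mistake (encrypts, but trusts any certificate), shown only for
contrast. certificate_matches_pin() adds optional pinning. Function names and
the pin format (hex SHA-256 of the DER certificate) are assumptions.
"""
import hashlib
import socket
import ssl


def insecure_context():
    """Weak: traffic is encrypted, but to whoever answers, since neither the
    certificate chain nor the hostname is checked. A network attacker with a
    self-signed certificate reads everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Correct: chain verified against the platform CA store, hostname checked,
    nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    """The check a reviewer applies to a client's TLS configuration."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def pin_for(cert_der):
    """Pin value for a certificate: hex SHA-256 over its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


def certificate_matches_pin(cert_der, pins):
    """True when the presented certificate is one the app was built to expect.
    Ship at least one current and one backup pin, or the next rotation bricks
    the app."""
    return pin_for(cert_der) in pins


def fetch_pinned(host, port, pins, path="/"):
    """Opens a verified TLS connection, then refuses to send the request unless
    the server's leaf certificate matches a pin. Needs network; not run here."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)   # DER bytes of the leaf cert
            if not certificate_matches_pin(leaf, pins):
                raise ssl.SSLError(f"certificate for {host} does not match any pin")
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(4096)
```

Pinning the whole leaf certificate, as above, means a pin changes whenever the certificate is re-issued; pinning the SubjectPublicKeyInfo instead survives re-issuance with the same key, at the cost of a little ASN.1 parsing. Either way, the pin check happens after the normal chain and hostname validation, never instead of it.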
3. Data Leakage
Data leakage raises both privacy and security concerns, and is one of the most common vulnerabilities found in apps today. In a previous post I talked about how open source libraries used in many popular Android apps sent data such as users’ Android ID, location, and IMEI number to third-party ad networks. As a general rule, look at every connection an app makes, for example by routing a test device through an intercepting proxy and reading the traffic, and choose analytics providers and ad networks with care.
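One way to do that review systematically, as an added example that is not part of the original post: a small scanner run over constructed proxy-log lines that flags requests carrying device identifiers or location to hosts outside the app’s own back end, and any request sent in cleartext at all. The log format, host names, parameter names and identifier values are all made up for this example.

```python
"""Added example (not from the original post): a scanner for the traffic an app
generates, run over constructed proxy-log lines. It flags requests that carry
device identifiers or location to hosts outside the app's own back end, and any
request that goes out in cleartext. The log format, host names, parameter
names and identifier values below are all made up for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Hosts the app is expected to talk to; everything else is a third party.
FIRST_PARTY_HOSTS = {"api.example-bank.com"}

# Parameter names that typically carry a device or user identifier.
IDENTIFIER_PARAMS = {"android_id", "imei", "imsi", "mac", "device_id",
                     "advertising_id", "lat", "lon", "latitude", "longitude"}
# Value shapes worth flagging even under an innocuous parameter name.
IMEI_VALUE = re.compile(r"^\d{15}$")
ANDROID_ID_VALUE = re.compile(r"^[0-9a-f]{16}$")

# Constructed log format: "<timestamp> <METHOD> <url> [body=<form-encoded body>]"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+)(?: body=(?P<body>\S+))?$")

# Constructed sample capture from a test device behind an intercepting proxy.
SAMPLE_LOG = """\
2014-03-01T10:00:01Z POST https://api.example-bank.com/v1/login body=username=alice&password=hunter2
2014-03-01T10:00:02Z GET https://ads.example-adnetwork.net/track?android_id=0123456789abcdef&imei=000000000000000&lat=40.71&lon=-74.00
2014-03-01T10:00:03Z POST https://analytics.example-metrics.io/v2/event body=event=open&did=000000000000000
2014-03-01T10:00:04Z GET http://cdn.example-adnetwork.net/banner.png
""".splitlines()


def parse_line(line):
    """Splits one log line into host, scheme and the combined query/body parameters."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    params = parse_qsl(url.query, keep_blank_values=True)
    if m.group("body"):
        params += parse_qsl(m.group("body"), keep_blank_values=True)
    return {"host": url.hostname, "scheme": url.scheme, "params": params}


def identifiers_in(params):
    """Parameter names that look like identifiers, by name or by value shape."""
    found = set()
    for name, value in params:
        if (name.lower() in IDENTIFIER_PARAMS
                or IMEI_VALUE.match(value)
                or ANDROID_ID_VALUE.match(value)):
            found.add(name)
    return sorted(found)


def scan(lines):
    """One finding per request that leaks identifiers to a third party or uses cleartext."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        third_party = req["host"] not in FIRST_PARTY_HOSTS
        ids = identifiers_in(req["params"]) if third_party else []
        cleartext = req["scheme"] != "https"
        if ids or cleartext:
            findings.append({"host": req["host"], "identifiers": ids, "cleartext": cleartext})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The value-shape rules matter because SDKs rarely label the data honestly: the third sample line sends an IMEI under the name "did", and only the fifteen-digit pattern catches it. Run the same scan against a release build, since debug builds and release builds often bundle different SDK configurations.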
4. Client-Side Data Storage
The architecture of a mobile app itself has an effect on its security. Whenever possible, apps should not store sensitive or private information on the client (i.e. the mobile device). Where that is unavoidable, the data should be encrypted and kept in storage the OS protects for the app; the exact location depends on the OS (the Keychain on iOS, the Keystore for keys and the app’s private internal storage on Android). Never write such data to shared or external storage that other apps can read, or to logs.
5. Insufficient Server-Side Controls
Mobile users aren’t the only ones putting their data at risk when they install and run applications. Without sufficient server-side controls, organizations leave their own systems open to attack and breach. The client cannot be trusted: anything the app sends, including user IDs, roles and prices, can be altered by whoever controls the device. Authenticate every API call to the back end, decide on the server which user is calling and what that user is permitted to see or change, and validate all input before acting on it.
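The control described above, as an added example that is not part of the original post: a vulnerable API handler beside its fixed form. Both verify the session token; only the fixed one decides whose data may be returned from that token rather than from fields the client sends, and validates the request before touching storage. The token format (an HMAC-signed "user|expiry" string), the secret, the account table and the handler names are all assumptions made for this example.

```python
"""Added example (not from the original post): server-side authentication and
authorization for an API call, shown as a vulnerable handler beside its fixed
form. The token format (HMAC-signed "user|expiry"), the secret, the account
table and the handler names are assumptions for this example.
"""
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"   # real deployments: from a secrets store

# Constructed data set.
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 120},
    "acct-2": {"owner": "bob", "balance": 75},
}


def issue_token(user, expires_at):
    """Session token: 'user|expiry.hexsig', signed with the server secret."""
    payload = f"{user}|{expires_at}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def user_from_token(token, now):
    """Returns the authenticated user, or None if the token is malformed, forged or expired."""
    try:
        payload, sig = token.rsplit(".", 1)
        user, expires_at = payload.split("|")
        expires_at = int(expires_at)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if now >= expires_at:
        return None
    return user


def get_account_vulnerable(request, now):
    """Authenticates the caller, then trusts the client-supplied account id:
    any logged-in user can read any account (an insecure direct object reference)."""
    if user_from_token(request.get("token", ""), now) is None:
        return 401, None
    account = ACCOUNTS.get(request.get("account_id"))
    if account is None:
        return 404, None
    return 200, account


def get_account_hardened(request, now):
    """Identity comes from the verified token, never from the request body, and
    the ownership check runs on the server for every call."""
    user = user_from_token(request.get("token", ""), now)
    if user is None:
        return 401, None
    account_id = request.get("account_id")
    if not isinstance(account_id, str) or not account_id.startswith("acct-"):
        return 400, None                     # validate shape before touching storage
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        return 404, None                     # same answer for "missing" and "not yours"
    return 200, account


if __name__ == "__main__":
    now = 1000
    alice = issue_token("alice", expires_at=2000)
    print(get_account_vulnerable({"token": alice, "account_id": "acct-2"}, now))
    print(get_account_hardened({"token": alice, "account_id": "acct-2"}, now))
    print(get_account_hardened({"token": alice, "account_id": "acct-1"}, now))
```

The same ownership check belongs on every handler that takes an identifier, including writes and deletes, and on every field a client could use to escalate (a "role" or "is_admin" value in a profile update is the classic case). Returning the same 404 for a missing account and for someone else’s account keeps the API from confirming which identifiers exist.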
Renewed Emphasis on Mobile Security Testing
The staggering statistics on vulnerabilities in mobile applications, most of which were developed with the best of intentions, highlight the need for a renewed emphasis on application security testing. Businesses hoping to benefit from entering the mobile market risk their reputation with apps that aren’t designed or tested with security in mind. With a little added effort, most of the security pitfalls listed above can be identified through basic security testing – a minimal investment compared to the potential losses resulting from a major security breach.