When you’re running a business, it’s important for you to have a great reach to the people using your services. The internet is the easiest way to reach your customers. When the internet era began, people started using web applications as a way to reach a larger audience. And that worked like a charm! Then with the advent of smartphones, people started using mobile applications in addition to web applications. Due to this, companies started building mobile applications for their business.
When you’re getting a mobile application built for your business, security is one of the most important things to take care of. And that’s what I’ll be talking about in this post. I’ll tell you what mobile app security is, why you need it, and security considerations for your mobile application.
What is mobile app security?
Security, in general, is about taking actions to stay safe and protected. Because we’re talking about digital applications, some of the main layers to protect are infrastructure, network, and application.
Who do you have to stay safe from? There are two answers to this. One is that there are people with bad intent who want to misuse the application. Second is staying safe from accidents. Now let me explain what’s actually meant by “staying secure.”
Cybersecurity stands on three main pillars: confidentiality, integrity, and availability. This is also known as the CIA triad. Confidentiality is when you make sure that the information is private and is only accessible by authorized people. Integrity is making sure that the information isn’t changed or modified by unauthorized personnel or processes. Availability is making sure that your application or service is available to the users when it’s supposed to be.
When you build your application to be confidential, integrous, and available and confirm that these pillars can’t be broken, that’s when you can say that your application is secure. To understand how to secure your application, you first need to understand the threats to your application.
Mobile application threats
In this section, I’ll address some of the most common threats to mobile applications.
Most mobile applications work with a user account. If your application isn’t secure, attackers can get unauthorized access to your application and its data. Imagine this incident happening with a banking application. If an attacker gets unauthorized access to your banking application, they might get all your bank account details and might even be able to transfer funds. Banking applications aren’t the only kind of application with a risk of unauthorized access of course. Any application with sensitive data, monetary functions, or authenticated users is a potential victim.
Your customers trust you. It’s important for you to keep that trust. But there are hackers who want to steal sensitive data and misuse them. If your application doesn’t store data securely, then hackers might get access to that data. Data stealth is when hackers get access to your data and steal them. They might do this to take advantage of the data (for example, by stealing your bank credentials to transfer money to their account), or they might do it just for fun.
Malware is a malicious piece of code. If your application is attacked by malware, then it might damage the application. The damage can be the destruction of data or making the application malfunction. Different types of malware are viruses, Trojans, worms, etc.
A recent malware that made it into the spotlight was ransomware. Ransomware is a malware that encrypts all your data. In order to get your data back, you’ll have to pay a ransom to the hackers.
Code tampering is the type of threat where the attacker modifies the code of the application to make it do something it wasn’t originally designed to do. A hacker can modify the application and send the modified application to another user. The user then uses a malicious application thinking that it’s a trusted application. This is a critical threat.
For example, consider a stock brokerage firm. You buy and sell stocks through your brokerage application and pay the broker a commission. In this case, a hacker can modify the brokerage application such that the commission is being transferred to their account instead of the broker’s account.
Malicious injections are the type of threat where the hacker gives malicious inputs into the application. The result of this can range from stealing data to the malfunction and destruction of the application and also the application’s server. To learn more about such threats and vulnerabilities, you can look at OWASP’s Top 10 list.
Now that you know the threats out there and why you should secure your mobile application, let me tell you about how you can do it.
Top 5 security considerations for mobile applications
The approach for security for each mobile application is mostly dependent on the use case. Here I’m going to talk about the general security concepts that you should consider for your mobile application.
Cryptography is a wide domain, so I won’t get into the depth of it. To explain in general terms, cryptography is the method used to convert human-readable data into gibberish data, aka ciphertext. There are two main processes in cryptography: encryption and decryption.
Encryption is a process where you convert plaintext into ciphertext.
Decryption is a process where you convert the ciphertext back into plaintext.
A very common example of cryptography in applications is for storing passwords. There are many applications that ask you to log in before using them. When you enter the password, the application checks if the password is right or wrong. For security purposes, these passwords aren’t stored as plaintext. They’re encrypted and then stored.
Another example would be applications that employ protocols that use cryptography for communication. In this case, even if the hacker intercepts the communication, they wouldn’t understand the information.
You should use cryptography widely, but ensure that you use accepted libraries and don’t try to create your own.
Authentication and authorization
Authentication is the process of verifying if the user is legit or not. Anybody can try to access your application or the features of your application. You have to make sure that you allow only the legit person to access it. For that, you use authentication. Authentication can be as simple as asking for a password or a security code. The level of authentication and approach depends on how secure you want your application to be. Applications that need high security use OTPs, biometrics, and multifactor authentication.
Authorization is giving permission to the user to do something. There can be different types of people accessing your application. For simplicity, let’s consider two roles: admins and normal users. The admins would need access to most of the application, whereas the normal users need to have access to only a limited part of the application. One of the most used practices for authorization is the principle of least privilege.
Security as code
Security as code is a trending approach being used by a lot of developers to increase the security of the application. This approach aims to implement security through the code of the application as part of the development cycle. You also have to take special measures while using libraries. If there are security loopholes in the library you’re using, then attackers might take advantage of them. If you have no other option than to use such libraries, you have to take measures to prevent attacks such as restricting the access of code to sensitive data and processes.
Don’t trust the end user
Like I mentioned in one of the threats above, attackers can inject malicious code into your application. This can affect your application and, in some cases, the server as well. The best way to design your application to avoid problems by external threats is to not trust any user. You can’t differentiate whether the person using your application has good or bad intent. So you have to add security to your application considering that every user can be an attacker.
Code tampering prevention
Attackers may modify the code to make it do something it’s not originally designed to do. To avoid this, you have to make sure that nobody is able to tamper with the code. You can add functions to check whether the code is changed or not at runtime. You can also add functions to reset the code or to report any code tampering.
Where to start and what to do
No matter how many layers of security you add, you can never guarantee that your application is 100% secure. But you should always do the best you can. To start off with, you can follow the above-mentioned security practices and ensure that you’re able to monitor and protect your apps in production.
This post was written by Omkar Hiremath. Omkar uses his BE in computer science to share theoretical and demo-based learning on various areas of technology, like ethical hacking, Python, blockchain, and Hadoop.
Banner icon from Mobile Security by shashank singh from the Noun Project