Most recently, a lot of established companies like Yahoo, Snapchat, Starbucks, Target, Home Depot, etc. have been through a PR disaster. Do you know why? Simply because some attacker out there found a flaw and could exploit it.
The fact is that nobody really thinks about mobile security or data privacy when buying a coffee at Starbucks or while playing Angry Birds. In the rare case that someone even thinks about security, consumers always believe that developers would have taken care of it. They think that the app is from a reputable company and obviously what could possibly go wrong.
This is why it is important for companies and developers to be more proactive in dealing with Security issues early in the Mobile App Development stage. It is important to retain consumer trust if you want to stay in this game for long.
While there are numerous things to look for under security, we've put together a bunch of areas that you can address when building apps.
Top 5 Security Issues in Mobile App Development
1. Insecure Data Storage
In the US, the Starbucks mobile app is one of the most widely used among all the payment mobile. Consumers simply enter their passwords once when activating the payment portion of the app and use it, again and again, to make unlimited purchases without having to re-input their password or username.
Also read: Understanding OWASP Top 10 Mobile: Insecure Data Storage
This might seem great when you talk about convenience. The sad truth is that on 16 January 2014, the Starbucks mobile app, the most used application in the US with 10 million customers, was found to be storing user credentials in plain text format. When CNBC reported that user data had been compromised, 3 million people deleted the app from their mobile devices. In 24 hours, the app fell from 4th highest grossing app to number 26. Starbucks scrambled to release an update later that week, too late.
As a developer, you should focus on designing apps in such a way that critical information such as passwords and credit card numbers do not reside directly on a device. If they do, they must be stored securely. Data should always be stored within an encrypted data section and the app should be marked to disallow backup.
2. SSL Issues
One of the most common issues we've seen in mobile apps is that of SSL. Most of the times, developers do not dive deep into SSL applications and the implementation is often faulty. Often, the SSL certificates are not verified and TrustManager broken. Lack of a proper transport layer protection is an invitation to attackers to exploit your app.
3. Data Leakages
Brands are on a roll to grab personal data. Why shouldn't they, after all being able to personalize marketing offers to consumers is a key digital business goal. But it's essential that this desire to gather personal data doesn't compromise a consumer's privacy.
For instance, media reports recently contended that the NSA had tapped popular smartphone apps like Angry Birds to gather the huge amounts of personal data -- including age, location, gender, and more -- that they collect. This is what's meant by a "leaky" app.
It's not just consumer apps that are at risk. Consider a healthcare mobile app this is used to track how often a patient experiences a particular symptom of a disease. If the app also contained analytics that reported how often that same section of the application was viewed, it would be possible for someone with analytics access to determine the medical condition of a specific user -- and place the provider in violation of HIPAA compliance.
We have scanned many apps that use low-grade analytics providers and advertising APIs. It is important to keep an eye on the what, how, when and where your data move as this is a gold mine of information that hackers actively scout for.
4. Untrusted Inputs
Mobile apps accept data from various sources and the absence of sufficient encryption gives attackers easy access to cookies and environment variables. When security decisions on authentication and authorization are made based on the values of these inputs, attackers can bypass your security.
For example, in 2012 a flaw in Skype security allowed hackers to open the Skype app and dial arbitrary phone numbers using a simple link in the contents of an email. Similarly, a bug in the iPhone 1 OS enabled hackers to listen in on phone conversations when those phones were connected to insecure wireless networks. Any app that has openings to accept data from external sources must include checks to all inputs used to build the app.
All this is complex but not something that doesn't happen frequently. Remember, an easy-to-use app won't win you any points if you put customer or enterprise data at risk.
5. Weak Server-Side Controls
It is not uncommon for businesses to often expose systems while creating their first mobile app. Often, these formerly sheltered systems are not fully vetted against security flaws.
Also read: Understanding OWASP Top 10 Mobile: Weak Server Side Controls
Here's where the issue arises - most back-end APIs assume that the mobile app will be the only thing that will access the servers. However, the servers from where that mobile app is accessing should have security measures in place to prevent unauthorized users from accessing data. It's critical that back-end services be hardened against malicious attackers. This means all APIs should be verified and proper security methods are employed to ensure only authorized personnel to have access.