Sales of smartphones totaled 1.2 billion units in 2014—a 28.4% increase from the prior year, and represented two-thirds of the global phone market that year.1  We can all agree that is no real surprise. Ours is a society increasingly on the move. And these devices help to improve our productivity, both personally and professionally, and to satisfy our basic human need for instant gratification.

Mobile devices like smartphones and tablets are tremendous tools, and more companies are developing applications to take advantage of them, especially in the Financial Services, Digital Identity Services, and mHealth (Mobile Health) industries. Mobile devices can now act as your wallet, your identity card, and your driver’s license, and allow you to fill a prescription from the palm of your hand. We’re becoming more and more comfortable with our mobile devices, and we are using them to do our banking, monitor our health and wellness, and purchase products and services at an increasing rate.

Today, there are millions of applications available for mobile device users to download. In fact, there were over 3 million applications available from Google Play (1.6M) and Apple’s App Store (1.5M) alone as of July 2015.2 In addition, there are countless “non-marketplace” applications available for download from various “freeware” sites. The list seems endless, and new apps are popping up every day. So it’s no surprise that smartphones and tablets are targeted by cyber villains and present a large security risk to end-users and companies.

Most malicious code for mobile devices is delivered either as Trojans uploaded to mobile application marketplaces posing as legitimate apps or games, or as supplementary code added to legitimate applications.3 Either way, attackers have one goal: to dupe unsuspecting users into downloading and installing their malicious code. The fact is that most mobile security protection and anti-malware software is limited in what it can detect. Most mobile security software relies on legacy signature-based protection, which will not protect the device from unknown threats. And Android devices allow the installation of non-marketplace apps to be enabled within the device settings. Hackers are creative and continuously looking for new ways to exploit vulnerabilities, so mobile application developers must be aware of their tactics.

Beware of the vulnerabilities

The “side-loading” of applications on mobile devices is common, and hackers know it. Side-loading refers to the process of bypassing built-in device protections so the user can install non-marketplace applications. Users who “jail-break” or “root” their devices to enable side-loading make them more susceptible to malware. Apps available outside of known marketplaces are risky to download, because most of the time the user doesn’t know who the author really is. The apps aren’t digitally signed by a reputable store or vendor. They often contain malware or other malicious code, lack encryption, or request wide-open privacy permissions.

Another risk to be aware of is side-channel data leakage. Many mobile apps have overreaching permissions and access more data on the device than is necessary.  We all love our social media apps, ride-sharing, retail coupon, auction, and dating sites and use them constantly. People today really enjoy being in proximity to their favorite retail store and getting an alert with a coupon code or getting automatically signed into their fitness class just by walking in the front door of the gym.  We also enjoy the fact we can find more friends to share information with just by letting the app access our contacts.  

To have this type of convenience, the apps must access several areas of the user’s phone. Typically, the app will prompt the user for permission during the installation process. Most people today just click “ok” because they want the app and the service it provides. But when they allow access, the personal information is also read and stored by the app vendor on their servers in their data center. Now the user’s data is somewhere that they can’t control and could create a problem if the app vendor’s security is breached.

A malicious application can use the same technique for much more nefarious reasons. By requesting access to other parts of a user’s phone, a hacker can steal personal information, if the data isn’t encrypted. If the transport layer isn’t protected, passwords can be stolen and used to gain access to corporate systems or personal bank accounts. Similarly, account and credit card numbers can be siphoned off and used for identity theft or fraudulent purchases. For example, if the login process isn’t encrypted, the password is sent in clear text. If the data transmission isn’t using SSL, the web session is susceptible to being sniffed. 

Adding to the risk is the fact that too many companies aren’t investing enough time or money in mobile application security. In fact, 65% of people surveyed by the Ponemon Institute said that security of mobile applications is sometimes put at risk because of the “rush” to meet a customer need or market opportunity.4 Business pressures are real, but there must be a balance between speed of deployment and sound application development processes. The app on the mobile device is just like any other app connecting to server-side content and downloading data locally, and it’s susceptible to the same types of attacks.

Follow secure coding guidelines

To guard against security risks, developers must follow secure coding practices and test their applications thoroughly. Too often testing is neglected. According to the same Ponemon Institute study, 55% of respondents said they either don’t test mobile apps or are unsure.5 The number is just too high.

Developers should follow the secure coding guidelines published by the Open Web Application Security Project (OWASP).6 All guidelines are important; however, specific emphasis should be given to the following:

Authentication and Password Management: Securely handling passwords is critical. If they’re not handled securely, hackers can do more than just access the mobile device: they can gain access to corporate networks and breach corporate systems. Controls must be used to verify the identity of users and other entities interacting with the device software, and applications must manage passwords effectively.

Communication Security: The transport layer is vital. If passwords or other sensitive information passes in clear text, it can be stolen. Controls must be used to ensure information is both sent and received in a secure manner, utilizing encryption from end-to-end.

Data Storage and Protection: Just like data in-motion, data stored on the device is susceptible to being stolen, especially if the device is lost or compromised. Controls must be used to ensure information is stored and handled securely. 

Session Management: Ensure sessions are managed properly. Check at the start of each activity/screen to see if the user is in a logged in state. If not, switch to the login state. When a session is timed out, the application should discard and clear all memory associated with the user data and any keys used to decrypt the data.

Use of Third-Party Libraries/Code: Ensure the application’s security controls extend to the third-party code it includes. You need to vet and verify the security and authenticity of all third-party code libraries used in your mobile application. Ensure the third party is a reliable source and the code will continue to be supported in the future with upgrades as necessary. Test the third-party code to ensure it does not contain a back-door that could be exploited in the future.
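The session management guideline above (check logged-in state at the start of every screen, and discard user data and decryption keys on timeout) sketched as platform-neutral Python; this is an added illustration, not code from the original article, and the 300-second idle timeout, the `SessionManager` class and the `open_screen` entry point are assumptions for the example.

```python
import time
from typing import Dict, Optional

# Assumed policy value for this example: a session idles out after 5 minutes.
IDLE_TIMEOUT_SECONDS = 300


class SessionManager:
    """Tracks whether the user is logged in and wipes secrets when the session ends."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self.idle_timeout = idle_timeout
        self.user_id: Optional[str] = None
        self.last_activity = 0.0
        self.user_data: Dict[str, str] = {}   # decrypted data cached for the UI
        # Kept as a bytearray so it can be overwritten in place on logout;
        # an immutable bytes object could only be dropped, not zeroed.
        self.data_key: Optional[bytearray] = None

    def login(self, user_id: str, data_key: bytes, now: float) -> None:
        self.user_id = user_id
        self.data_key = bytearray(data_key)
        self.last_activity = now

    def is_logged_in(self, now: float) -> bool:
        """Report logged-in state; an idle session is torn down, not extended."""
        if self.user_id is None:
            return False
        if now - self.last_activity > self.idle_timeout:
            self.logout()
            return False
        self.last_activity = now  # user activity refreshes the idle timer
        return True

    def logout(self) -> None:
        """Discard cached user data and overwrite key material before dropping it."""
        if self.data_key is not None:
            # Best-effort zeroisation: a garbage-collected runtime may still hold copies.
            self.data_key[:] = b"\x00" * len(self.data_key)
        self.data_key = None
        self.user_data.clear()
        self.user_id = None


def open_screen(manager: SessionManager, screen: str, now: Optional[float] = None) -> str:
    """Entry point for each activity/screen: route to 'login' unless a session is live."""
    if now is None:
        now = time.monotonic()  # a real app would use the platform's monotonic clock
    return screen if manager.is_logged_in(now) else "login"
```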

Take time to do it right

Without question, smartphones and tablets have changed the way we live and work. We love it and are thrilled. But while mobile devices make performing daily tasks simple and convenient, they also present an attack surface for hackers to exploit.

Developers must follow secure coding practices when developing mobile applications and can’t neglect testing. They must forensically analyze how the app interacts with the device and monitor the application behavior. Is the transport layer encrypted? Is the data at rest on the phone encrypted? What data is being stored on the phone and is it necessary? Are security policies being followed?  

Protecting mobile applications against threats posed by cyber theft, malware, and viruses requires balancing the need to deploy applications quickly with the rigor and discipline required by secure coding and testing best practices for application development.
