By Andriy Lysyuk, Head of Cyber Security at Ciklum
Smartphones have made our world more mobile, and there’s no sign that this phenomenon is slowing down.
This radical transformation has changed the way we communicate with one another, stay informed and conduct business. Many people opt to use smartphones as their primary device to help manage their life.
One of the best resources for identifying mobile security threats is The Open Web Application Security Project (OWASP), especially its Mobile chapter. OWASP is a not-for-profit organization dedicated to improving software security. Supported by an ever-growing community of individuals, corporations, universities and government agencies, OWASP releases software and documentation with a unique focus on making application security transparent and actionable. Organizations that have cited OWASP’s researches include the National Cybersecurity Agency of France, Centre for the Protection of National Infrastructure of Great Britain, and the Defense Information Systems Agency of the United States.
Periodically, OWASP releases a collection of the most dangerous web application security flaws known as the OWASP Top 10. However, Top10 document is the description of vulnerabilities only at the top of importance rating, in addition, OWASP releases more detailed materials called Testing Guides which describe approaches to the discovery of flaws that become security issues later.
For mobile app developers, it’s a great resource to become aware of some of the biggest possible flaws in application security. Drawing from the OWASP Top 10, here are five top tips companies should use when testing mobile applications for security:
Identify leaky development
The Android and iOS operating systems are built with security in mind, but that doesn’t automatically make the applications developed for those platforms secure. Ultimately, application security depends on a developer’s skill and attention to following best security practices. But the pressures of application development, such as speed to market or developing with a new programming language, can cause developers to overlook critical security issues.
The proliferation of third-party frameworks, APIs or cross-platform development tools can aggrevate these problems. Software that reduces weeks of development time might be great for quickly releasing a new version of an application, but it also induces developers to assume that these tools are completely secure. For an application communicating directly with a third-party server, these vulnerabilities can be seen, for example, through default administrative interfaces or default content.
When testing your mobile app, ensure you’ve looked beyond the operating system itself and checked for vulnerabilities in your third-party extensions, development tools and web-based interfaces.
Plug leaky data
With the European Union’s recent implementation of the General Data Protection Regulation (GDPR), data security isn’t just crucial for user information — it’s also the law. One of the key principles of the GDPR is data protection by design and default, meaning applications must be built from the ground up with data security in mind.
Unfortunately, insecure data storage can lead to unintended data leakage, posing a great risk to data security. Data leakage can result from vulnerabilities in the operating system, development frameworks or hardware, while insecure data can live in removable storage, cloud storage and any number of logs and databases. An exploited vulnerability could allow attacker to find private user data created by an app stored in a local database file.
Make sure your mobile app testing takes into account how the OS, APIs and other third-party frameworks collects, cache, log, process and store your application’s data.
Stop leaky communication
The beauty of mobile devices is the convenience of being able to communicate with people, products and services all around the globe. For this to even be possible, data has to be transmitted from one point to another, which can happen in any number of ways: over Wi-Fi, Bluetooth, a cellular network, an NFC chip or a physical port.
The trouble with mobile-to-mobile communications or app-to-server communications is that an insecure connection can lead to data leakage. Whether it’s eavesdropping or a man-in-the-middle attack, intercepted communications pose incredible security risks for app users.
Avoid insecure communication by operating from the assumption that your network is already insecure. Test to make sure you’re using modern SSL/TLS protocols and trusted certificates, and ensure data isn’t being sent through alternate channels like push notifications or SMS.
Prevent leaky authentication
Unlike web applications, mobile applications are not expected to be online all the time due to the unpredictability of wireless connections. This means that for carrying out security authentication, mobile apps may end up storing sensitive login credentials on the local device in order to transmit them to a server as soon as a network connection is present. Local user authentication can lead to vulnerabilities that exploit system weaknesses to share private information with an attacker.
If your mobile app requires security authentication, make sure to test for weaknesses in the authentication process. Mobile apps should be just as strong as their desktop or web equivalent and should not be able to be authenticated more easily than a web browser. One best practice is to assume client-side authentication can be exploited, so rely on server-side authentication whenever possible.
Biometric authentication method is gaining traction as it makes people feel much more secure than while typing the password.
Avoid leaky functionality
Throughout the development process, hidden dashboards or special environments may be built into an app in order for developers to continue building their apps. These environments may only exist for the sole purpose of testing and are not intended to be released to the public. However, this code needs to live somewhere — and it often resides in the app until development nears a conclusion.
Before deploying your mobile app, test to ensure there are no hidden switches or configuration settings, excess test code has been removed from the product and API endpoints are properly documented and publicly available.