Here is our list of Mobile Apps security considerations to help you stay informed.
1) Sensitive Data Storage
Instead of saving sensitive data in plain text, store it using a cryptographically secure hashing algorithm such as SHA-256. A deliberately slow key derivation function like PBKDF2 or scrypt is a good choice as well. Using the iOS Keychain API instead of NSUserDefaults (or SharedPreferences on Android) protects sensitive data better. Also, plan to encrypt important files that are stored locally on any device.
2) Broken Cryptography
Use modern algorithms that the security community recognizes as strong, and use the platform's own encryption APIs, for example AES with a 256-bit key for encryption and SHA-256 for hashing. Investing in manual analysis such as penetration testing and threat modeling is a safe bet when dealing with cryptography you are not sure about.
3) Credentials Exposed in Log
This obvious point is often ignored. Never log sensitive data to the system or device log, and always disable all log statements in release builds.
4) Secrets Hardcoded in Source Code
Never write passwords, secret keys or API keys in plain text in the source code; always protect them, e.g. with SHA-256 or AES.
5) Send and Receive Password in Plain Text in API
Encrypting passwords while sending or receiving them via API requests, and passing them in HTTP headers rather than URL parameters, reduces the risk to a great extent.
6) Distribute in Release Mode
Simple but important: the IPA or APK should always be distributed in release mode.
7) Authentication and Authorization
Authentication and authorization should be carried out on the backend. To identify a mobile app user, a sufficiently long, cryptographically random session token should be assigned after they log in. The system should accept only requests carrying a valid session token; sessions should expire after a period of inactivity and be invalidated on logout.
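A minimal backend session table implementing the rules above (random token, idle expiry, server-side invalidation on logout). This is an added example, not code from the original post; the 15-minute idle timeout, the 32-byte token length and the injectable clock are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32                 # 256 bits of entropy per session token
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumption: 15 minutes of inactivity ends a session


def _digest(token: str) -> str:
    # Store only a hash of the token so a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Backend session table: issues random tokens, enforces idle expiry and logout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable clock so expiry can be tested offline
        self._sessions = {}      # token digest -> (user_id, last_seen)

    def login(self, user_id: str) -> str:
        # secrets (not random) gives a cryptographically random, URL-safe token.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[_digest(token)] = (user_id, self._clock())
        return token             # returned to the app once; never written to logs

    def authenticate(self, token: str):
        """Return the user_id for a valid token, or None if unknown or expired."""
        key = _digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, last_seen = entry
        if self._clock() - last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[key]   # expired by inactivity: drop it server-side
            return None
        self._sessions[key] = (user_id, self._clock())   # activity extends the session
        return user_id

    def logout(self, token: str) -> None:
        # Invalidate on the server; deleting the token on the device alone is not enough.
        self._sessions.pop(_digest(token), None)
```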
8) Requests Sent Over HTTP
Do not cache sensitive responses, as attackers may easily intercept the application's network traffic. Fetching information directly from the source and configuring the web server to support HTTPS ensures the connection is protected.
9) Input Validation and Parameters
Appropriate input validation should happen both in the mobile app and on the server. Since attackers can always modify requests and launch injection attacks, validating the parameters sent to the backend is vital.
10) Check Rooted or Jailbroken device
Applications that handle sensitive data should detect jailbroken or rooted devices and refuse to run on them.
11) Proper validation with URL Scheme
Prompts should be added before using URL schemes for critical tasks. Any application can register a URL scheme. For example, the Skype app registers the Skype:// scheme, and any application can call this URL with specific parameters. Earlier, Skype had a vulnerability where any user was able to make a call to anyone by using the URL Skype://123123123?call
As Skype didn't prompt users before making a call, the calls were placed directly. It would have been better if the app had prompted users before making the call. The input to the URL scheme should also be validated.
12) Weak server-side controls
While creating mobile apps, businesses often expose systems that were never accessible from outside their networks. As most of these previously sheltered systems lack proper protection against security threats, issues creep in easily. Servers that apps access should have security measures in place to keep out unauthorized users. APIs should be verified, and proper security controls need to be employed to ensure only authorized access and guard against malicious attacks.
13) Clear pasteboard while exiting App
To protect information the user has copied to the clipboard/pasteboard, it should be cleared when the application enters the background.
14) Keyboard Cache in Text Fields
iOS usually caches all text entered into text fields that are not marked secure. Therefore, disabling autocorrection and enabling other protections for such text fields is vital.
15) Data clean-up
A provision to wipe data on the user's device from the server, without the app having to poll, protects sensitive data.
As you can see, there is a lot to think about around security when planning a mobile strategy for your organization. We hope the above list is beneficial.