Reinforcing the Security of Our Mobile Applications

No One at Fault, Yet Security at Stake

Imagine the life of a ‘mobile smart’ average person anywhere in the world. He gets up in the morning and prepares to go to the office. On the way, he stops at Starbucks or Tim Hortons and orders his coffee using an app on his smartphone. Similarly, he makes an online payment for the coffee using another financial app. As he continues, he comes to a halt at a traffic light, where he spends his leisure time scrolling through the reels on Instagram or reading the daily news on another app.

The above pen picture is an excellent representation of our daily lives, in which smartphone apps play an important role. However, as they say, safety is a rare business. Here are some examples of sensitive information being exposed from popular apps we use on a regular basis. However, more stringent security controls during app development and user practices could have prevented such information leaks.

• In 2022, a security researcher discovered that the Starbucks app stored sensitive customer data, including GPS locations, in plain text, making it vulnerable to unauthorized access. This incident highlighted the vulnerabilities associated with insecure data storage, a common issue in mobile applications (link).
• TikTok too, came under fire in 2022 after researchers discovered a vulnerability that could allow hackers to manipulate user data and upload unauthorized videos. This flaw was caused due to insecure data transmission and inadequate authentication checks, which could have been prevented with stronger encryption and proper access controls. (Tiktok Breach)
• In 2020, due to a fault in Instagram’s password reset, email addresses and phone numbers were exposed. This could increase the risk of phishing and social engineering attacks.

Why Mobile App Security Requires Special Attention Compared to Web Applications?

Mobile app security encompasses the measures and practices designed to safeguard mobile applications against security threats, vulnerabilities, and unauthorized access. This involves securing the app’s code, data, network interactions, and backend services to ensure their confidentiality, integrity, and availability of both the app and its data.

• Mobile devices are available in various models with different operating systems and hardware configurations, creating a broad attack surface.
• Lost or stolen mobile devices increase the risk of unauthorized physical access to the device and its data.
• Mobile apps frequently operate over public or untrusted networks, increasing the risk of network-based attacks such as man-in-the-middle (MitM) attacks.
• Mobile devices often store sensitive data locally, making it more vulnerable to local attacks and data breaches.
• Installing apps from untrusted sources and granting excessive permissions increase the risk of security breaches.

Common Drawbacks of ‘Not Having’ Security Measures in Mobile Apps

• Unauthorized access to sensitive user data can lead to significant privacy violations and financial losses.
• Inadequate security can result in unauthorized transactions, financial fraud, and revenue losses.
• Security incidents can harm the reputation of a company and impact user trust.
• Non-compliance with security regulations and standards can cause legal penalties.
• Poor security practices can lead to apps being compromised with malware, affecting both users and the app ecosystem.
• Inadequate security can result in the theft of proprietary code and intellectual property, causing a competitive disadvantage.

Types of Attacks

• Man in the Middle attacks
• Data leaks
• Authentication vulnerabilities
• Malware Attacks
• Security attacks due to third-party libraries
• Malware attacks
• Reverse Engineering

How Developers Combat Mobile App Security Issues?

• Secure Coding Practices
  • Following best practices for secure coding, including input validation, output encoding, and proper error handling.
  • Thorough inspection of third-party libraries for data leaks

• Data Encryption
  • Encryption of sensitive data both at rest and in transit using strong encryption algorithms (e.g. CommonCrypto, CryptoKit, AES for iOS and Jetpack Security Crypto, Bouncy Castle for Android).
  • Use of platform-specific secure storage solutions such as iOS Keychain and Android Keystore, to save sensitive information like credentials.

• Authentication and Authorization
  • Implementation of strong authentication mechanisms, including multi-factor authentication (MFA)
  • Ensuring proper authorization checks to restrict access to sensitive functionality and data

• Regular Updates and Patch Management
  • Regular updates of the app and its dependencies to patch known vulnerabilities
  • Monitoring for security issues and prompt release of patches

• Secure Network Communication
  • Use of HTTPS and secure communication protocols to protect data in transit
  • Implementation of certificate pinning and public key pinning to prevent MitM attacks

• App Hardening
  • Use of code obfuscation and minification to protect the app’s source code from reverse engineering (Examples: ProGuard, R8, DexGuard for Android, LLVM Obfuscator, iXGuard for iOS)
  • Implementation of runtime protection techniques, such as tamper detection and anti-debugging mechanisms
  • Use cryptographic hash functions like SHA-256, use isDebuggerConnected in Android): Check if a debugger is connected to the app using the isDebuggerConnected()method.
  • ptrace (iOS and Android): Use the ptrace system call to prevent other processes from attaching to the app while debugging.

• Security Testing
  • Conducting regular security testing, including static analysis, dynamic analysis, and penetration testing.
  • Use of automated tools and manual reviews to identify and fix security vulnerabilities (like SonarQube and Checkmarx).

• User Education
  • Educating users on the importance of installing apps from trusted sources and allowing appropriate permissions.
  • Providing guidelines on recognizing phishing attempts and securing their devices.
  • Creating a section in the app with safety guidelines for using the apps to avoid security concerns.