Mobile App Security - Best Practices
1. Security Best Practices
MOBILE APPS
<CodeRed> Talks
Kadhambari Anbalagan, Software Architect
5:00pm Monday, 8 April, 2017
RedBlackTree Terrace
2. What do the statistics say?
Popular Free App Findings
Among top 20 free apps, 80% of Android and 75% of iOS apps have been subjected to hacking.
Top Paid Apps Findings
Research reveals that among the top 100 paid apps, 97% of Android and 87% of iOS apps have been subjected to hacking.
5. Improper Platform Usage
Misuse of a platform feature, or lack of platform security controls, on the Android or iOS operating system
What can happen?
1. Improper implementation of Android Intents: data leakage, restricted functions being called and program flow being manipulated
2. Using the Keychain for secure data storage: in several scenarios the keychain can be compromised and decrypted
Best Practices
Know your platform well
Use intents carefully
Use the keychain carefully
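The two Intent habits behind "use intents carefully", as an added example that is not code from the talk: the sender names the receiving component explicitly so no other app can claim the action and read the extras, and the receiver treats every extra as untrusted input before it can influence program flow. Package, class and extra names are hypothetical.

```java
import android.content.ComponentName;
import android.content.Intent;

import java.util.regex.Pattern;

// Added example; package/class names are hypothetical.
public final class SafeIntents {
    private static final String PAYMENT_PKG = "com.example.payments";
    private static final String CHECKOUT_ACTIVITY = PAYMENT_PKG + ".CheckoutActivity";
    private static final String EXTRA_ORDER_TOKEN = "order_token";
    // Only an opaque, server-issued token travels in the Intent; card data never does.
    private static final Pattern TOKEN_SHAPE = Pattern.compile("^[A-Za-z0-9_-]{16,64}$");

    private SafeIntents() {}

    // Sender: an explicit Intent names the exact component. An implicit Intent (action
    // string only) can be claimed by any installed app that declares a matching
    // intent-filter, which is how extras leak to an app you never intended to talk to.
    public static Intent buildCheckoutIntent(String orderToken) {
        if (orderToken == null || !TOKEN_SHAPE.matcher(orderToken).matches()) {
            throw new IllegalArgumentException("order token has unexpected shape");
        }
        Intent intent = new Intent();
        intent.setComponent(new ComponentName(PAYMENT_PKG, CHECKOUT_ACTIVITY));
        intent.putExtra(EXTRA_ORDER_TOKEN, orderToken);
        return intent;
    }

    // Receiver: extras are caller-controlled input. Validate shape before they select a
    // code path, and never dispatch on a "command" or "function name" extra. The receiving
    // component should also be android:exported="false" in the manifest unless other
    // apps genuinely need to start it.
    public static String extractOrderToken(Intent incoming) {
        if (incoming == null) return null;
        String token = incoming.getStringExtra(EXTRA_ORDER_TOKEN);
        if (token == null || !TOKEN_SHAPE.matcher(token).matches()) return null;
        if (incoming.getData() != null) return null; // no URI expected; refuse surprises
        return token;
    }
}
```

The receiver returns null rather than throwing so the Activity can finish quietly; a malformed Intent is a signal worth logging (without the extra's contents) but not a crash.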
6. Insecure Data
Vulnerabilities that leak personal information and provide access to hackers
Report By NowSecure:
1 in 10 mobile apps leaks private, sensitive data such as email, username or password.
Best Practices
• When possible, do not store/cache data
• Implement secure data storage
• Securely store data only in RAM
• Encrypt using verified third-party libraries
7. Insecure Communication
Communication being sent in clear text as well as other insecure methods.
Real World Example:
Best Practices
• Implement secure transmission of sensitive data
• Use SSL/TLS, or for increased security implement certificate pinning
• Leverage app layer encryption to protect user data
8. Insecure Authentication
Inability to securely identify a user and maintain that user's identity
Real World Example:
Best Practices
• Use token-based authentication
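One client that covers both slides above (TLS with certificate pinning, and token-based authentication instead of resending credentials), as an added example that is not code from the talk. It uses OkHttp's CertificatePinner and an interceptor that attaches a bearer token only to requests bound for the API host; the host name, the pin values and the TokenStore interface are assumptions, and the pin placeholders must be replaced with the real SPKI SHA-256 pins of the server's certificate chain.

```java
import okhttp3.CertificatePinner;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Added example; host and pins are placeholders, TokenStore is a hypothetical interface.
public final class ApiClientFactory {
    private static final String API_HOST = "api.example.com";
    private static final String LEAF_PIN   = "sha256/PIN_PLACEHOLDER_LEAF=";
    private static final String BACKUP_PIN = "sha256/PIN_PLACEHOLDER_BACKUP=";

    // Wherever the session token lives (Keystore-backed storage, not plain prefs).
    public interface TokenStore {
        String currentToken();   // null when the user is logged out
        void clear();            // called when the server rejects the token
    }

    private ApiClientFactory() {}

    public static OkHttpClient build(TokenStore tokens) {
        // Pinning: the TLS handshake fails unless one of these pins matches a certificate
        // in the server's chain, so a rogue or compromised CA cannot intercept traffic.
        // Always ship a backup pin so a key rotation cannot lock users out of the app.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, LEAF_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();

        // Token auth: the password is exchanged once for a short-lived token; only the
        // token is sent afterwards, and only to our own host.
        Interceptor bearerAuth = chain -> {
            Request original = chain.request();
            if (!API_HOST.equals(original.url().host())) {
                return chain.proceed(original);      // never leak the token to third parties
            }
            String token = tokens.currentToken();
            Request req = (token == null) ? original
                    : original.newBuilder().header("Authorization", "Bearer " + token).build();
            Response resp = chain.proceed(req);
            if (resp.code() == 401) {
                tokens.clear();                      // expired/revoked: force re-authentication
            }
            return resp;
        };

        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .addInterceptor(bearerAuth)
                .build();
    }
}
```

Pair this with android:usesCleartextTraffic="false" in the manifest so that an accidental http:// URL fails rather than silently sending the token in clear text.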
9. Insufficient Cryptography
• Process behind encryption and decryption may allow a hacker to decrypt sensitive data.
• Algorithm behind encryption and decryption may be weak in nature.
Vulnerable?
• Poor key management processes
• Use of custom encryption protocols
• Use of insecure algorithms
Best Practices
• Implement secure data storage
• Avoid custom encryption methods and use proven encryption algorithms and methods
• Avoid storage of sensitive information on mobile
• Follow NIST guidelines on recommended algorithms
10. Insecure Authorization
Failure of a server to properly enforce identity and permissions as stated by the mobile app
Best Practices
• Verify the roles and permissions of the authenticated user using only information contained in backend systems. Avoid relying on any roles or permission information that comes from the mobile device itself
11. Client code Quality
Risks that come from vulnerabilities like buffer overflows, format string vulnerabilities and various code level mistakes
Real World Example:
Vitamio SDK: used in thousands of mobile apps, with millions of app downloads.
In another instance, a high-risk man-in-the-middle vulnerability was identified in one of the third-party libraries used in an app.
What to do?
• Avoid third-party libraries with high-risk flaws
• Maintain consistent coding patterns
• Write well-documented and easily readable code
• Via automation, identify buffer overflows and memory leaks through the use of third-party static analysis tools
12. Code Tampering
When attackers tamper with or install a backdoor in an app, re-sign it and publish the malicious version to third-party app marketplaces.
Popular Example:
What to Do?
• Implement anti-tampering techniques such as checksums, digital signatures and other validation mechanisms to help detect file tampering
13. Reverse Engineering
Analysis of a final binary to determine its source code, libraries, algorithms and more.
Real World Example:
Hackers decompiled a mobile app and recompiled it so they didn't have to pay for premium content.
What to Do?
• Increase code complexity and use obfuscation
14. Extraneous Functionality
• Developers frequently include hidden backdoors or security controls they do not plan on releasing into production
• This creates risk when a feature that was never intended to be shared is released to the wild
Real World example:
What to do?
• Carefully manage debug logs
• Clean coding practices
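"Carefully manage debug logs" as an added example that is not code from the talk: a single logging wrapper that is silent in release builds and that refuses to write secret values even in debug builds, so a diagnostic line left behind cannot become an extraneous data leak. It assumes the app's generated BuildConfig class is visible from the same package; the tag name is hypothetical.

```java
import android.util.Log;

// Added example; assumes the Android Gradle plugin's generated BuildConfig is in scope.
public final class SafeLog {
    private static final String TAG = "ExampleApp";            // hypothetical tag
    private static final boolean ENABLED = BuildConfig.DEBUG;  // false in release builds

    private SafeLog() {}

    // All diagnostic output goes through here, so there is exactly one switch to audit.
    public static void d(String msg) {
        if (ENABLED) {
            Log.d(TAG, msg);
        }
    }

    // Secrets never reach logcat, even in debug builds: log a shape, not the value.
    // logcat is readable from any host with adb access and, on older Android versions,
    // by other apps on the device.
    public static String redact(String secret) {
        if (secret == null) {
            return "<null>";
        }
        return "<redacted, " + secret.length() + " chars>";
    }

    // Example call site: a token is referenced only through redact().
    public static void logTokenReceived(String token) {
        d("session token received: " + redact(token));
    }
}
```

For release builds, add a ProGuard/R8 rule that marks android.util.Log's d() and v() methods with -assumenosideeffects so the shrinker removes the calls entirely, which also removes the string concatenation that would otherwise still be built at runtime.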