5 Tips for Securing Enterprise Mobile Apps
Today mobile apps of all kinds are routinely subject to malicious activity. In fact, 92% of the top 100 mobile apps have been hacked, and hacking is pervasive across every category of mobile app. The attack types are diverse: disabled or circumvented security controls, unlocked or modified features, source code and IP theft, and malware inserted into repackaged copies of legitimate apps. With this much criminal activity, enterprise app developers must treat the protection of proprietary data and high-value transactions as a key requirement of any mobile project.
While many rely on their network security group to handle these challenges, app developers still need to harden their own solutions with additional layers of protection at the app, server, and device level. Network controls see traffic; they do not see what the app stores on the handset or how it authenticates, so those layers cannot be delegated.
To help mitigate risk in your next mobile app development project, consider the following five tips.
Strengthen Password Management
Strong password management and user authentication solutions are critical to securing
mobile apps against hacking.
Consider the incidents at Starbucks. Millions of customers use its mobile app to shortcut the payment process. In 2015, criminals broke into customer accounts and used the stored value to buy gift cards. The app itself was not hacked; the company said the account takeovers were most likely the result of weak or reused customer passwords, and advised customers to choose unique, strong passwords. Weak passwords, though, were only part of the picture. The previous year Starbucks had confirmed that its iOS app stored usernames, email addresses, and passwords in clear text in a log file on the device, which meant anyone with the handset could read them simply by connecting it to a PC. Local storage and password strength are separate failures, and an app has to get both right.
Where credentials live matters as much as how users authenticate. Wherever possible, ensure that critical information (passwords, usernames, account numbers, payment details) does not reside on the user's device at all; keep a short-lived session token there instead, and never write credentials to logs or crash reports. When information must be stored locally, take extra precautions to secure it. On iOS, store secrets in the Keychain and choose the most restrictive accessibility class the app can work with (for example, available only while the device is unlocked). On Android, keep them in the app's internal data directory, encrypted with a key held in the Android Keystore, and set android:allowBackup to false so the data is not copied out by adb or cloud backups.
In-App Verifications
As part of the design process, consider requiring the user to authenticate again before confirming a high-value transaction. This adds a step to the design, but it would have blunted an attack like the one on Starbucks: because purchases did not require any further verification, the criminals could keep buying gift cards until the customer noticed through another channel. Tie the re-authentication to a second factor rather than the same password, since in an account takeover the attacker already has the password.
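As an added example (not code from the whitepaper, Nexaweb, or Starbucks), the following Python sketch shows the server side of such a check. It assumes a hypothetical TransactionService whose sessions only prove that the user logged in, a constructed threshold of $25, and an RFC 6238 TOTP code as the second factor; the account data and the fixed clock are made up so the output is reproducible. Setting require_step_up=False reproduces the weak design described above, in which a logged-in session alone can spend any amount.

```python
"""Step-up authentication before a high-value transaction (added example).

Illustrative code written for this page, not Starbucks' or Nexaweb's
implementation. Assumed design: the app session only proves the user logged
in; any purchase at or above HIGH_VALUE_THRESHOLD must also carry a fresh
second factor, here an RFC 6238 TOTP code that the server verifies and never
accepts twice. Accounts, secrets, and amounts below are constructed sample data.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

HIGH_VALUE_THRESHOLD = 25.00  # purchases at or above this need step-up (assumed)
TOTP_STEP = 30                # seconds per TOTP time step
TOTP_DIGITS = 6


def totp(secret: bytes, at: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(at) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> Optional[int]:
    """Return the matching time step if `code` is valid within +/- `window` steps, else None.

    The constant-time comparison avoids leaking how many digits matched.
    """
    for skew in range(-window, window + 1):
        t = at + skew * TOTP_STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t), code):
            return int(t) // TOTP_STEP
    return None


@dataclass
class Account:
    user_id: str
    totp_secret: bytes        # enrolled second-factor secret, held server-side only
    balance: float
    last_step_used: int = -1  # highest TOTP step already accepted (replay guard)


class TransactionService:
    APPROVED = "APPROVED"
    STEP_UP_REQUIRED = "STEP_UP_REQUIRED"
    DENIED = "DENIED"

    def __init__(self, accounts: Iterable[Account], clock: Callable[[], float] = time.time,
                 require_step_up: bool = True) -> None:
        self.accounts: Dict[str, Account] = {a.user_id: a for a in accounts}
        self.clock = clock
        # require_step_up=False reproduces the weak design: a logged-in session
        # alone is enough to spend any amount.
        self.require_step_up = require_step_up

    def purchase(self, user_id: str, amount: float, step_up_code: Optional[str] = None) -> str:
        acct = self.accounts.get(user_id)
        if acct is None or amount <= 0 or amount > acct.balance:
            return self.DENIED
        if self.require_step_up and amount >= HIGH_VALUE_THRESHOLD:
            if step_up_code is None:
                return self.STEP_UP_REQUIRED   # client must prompt for the second factor
            step = verify_totp(acct.totp_secret, step_up_code, self.clock())
            if step is None or step <= acct.last_step_used:
                return self.DENIED             # wrong code, or a replayed one
            acct.last_step_used = step
        acct.balance = round(acct.balance - amount, 2)
        return self.APPROVED


if __name__ == "__main__":
    # Constructed demo: RFC 6238's published test secret and a fixed clock.
    secret = b"12345678901234567890"
    svc = TransactionService([Account("alice", secret, 100.00)], clock=lambda: 59.0)
    print(svc.purchase("alice", 10.00))                      # below threshold, no step-up
    print(svc.purchase("alice", 50.00))                      # step-up required
    print(svc.purchase("alice", 50.00, totp(secret, 59.0)))  # approved with a valid code
    print(svc.purchase("alice", 30.00, totp(secret, 59.0)))  # denied: same code replayed
```

The replay guard keys on the TOTP time step rather than on the code string, which is what RFC 6238 recommends: a code that was accepted once is refused for the rest of its window even if the attacker captured it in transit.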
Employ Encryption at All Levels
With proper encryption, companies can keep sensitive enterprise data from being compromised when a mobile device is lost or stolen, or when information is transmitted over untrusted networks. Both on-device and in-app data encryption are needed to secure enterprise apps.
On-Device Encryption
On the device side, encryption techniques vary by OS. Apple devices use 256-bit AES to encrypt on-device data automatically. When the user sets a passcode, iOS Data Protection also wraps email and application files with a key derived from that passcode; note that an app gets the strongest protection class only for files it marks explicitly, so set the data-protection attribute on sensitive files rather than relying on the default. Media (pictures and video files) must be secured separately using a third-party solution. When Android users enable device encryption, all on-device data is protected. For Windows devices, app developers must rely on a third-party solution to protect employees and customers using those devices.
Requiring users to enable device-level security features, a passcode and device encryption, is a critical aspect of mobile app design; where the platform exposes that state to the app, check it at launch rather than assume it.
In-App Data Encryption
Enterprise app developers must also protect data transmitted to and from mobile devices. Most developers extend the company's standard cryptographic methods, symmetric or asymmetric (public-key), in their own development efforts. Whatever framework is chosen, encrypt both data at rest and data in motion; for data in motion that means TLS between the app and the backend, using the platform's TLS stack rather than a home-grown protocol, with certificate validation left on.
With so many different devices in use and so many data-storage and communication techniques, the challenge lies in defining an encryption strategy that works across all users. Many companies use mobile device management (MDM) software to distribute applications and security settings to every device under management more efficiently. An MDM platform adds a layer of security, but enterprise app developers should not neglect other app-hardening techniques because of it. Attackers target MDM servers and similar security products, just as they target firewalls and intrusion detection systems, as part of concerted efforts to steal customer data across enterprise types. If MDM is the only control in place, enterprise apps remain vulnerable to attack.
Rethink Data Management
The way data is gathered, used, stored, and transmitted directly determines an app's security posture. When designing mobile apps, carefully analyze which pieces of data are critical to functionality and which are extraneous. Do not collect or store any information that is not required: data you never hold cannot be stolen from a lost device or a breached backend. Making these choices throughout the design process is critical to mitigating risk and maintaining compliance with data protection laws.
Leverage Mobile Gateways
Enterprise apps often expose backend systems (CRM, HR, financial) to new environments for the first time. By placing a secure mobile gateway in front of them to mediate all traffic between app users and corporate systems, developers can apply policies that govern access requests in real time. These policies are typically keyed on user identity and device data, but they can also take geographic, network, device-health, content, and time/date attributes into account. With these attributes the gateway can block, filter, or mask access to enforce corporate and regulatory rules, and it gives the backend a single choke point at which to log and rate-limit requests.
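The policy evaluation described above, as an added example written for this page rather than taken from any gateway product: a small attribute-based engine in Python that decides block, mask, or allow from user, device, network, geography, and time-of-day attributes. The RequestContext and Policy types, the make_context helper, the 10.0.0.0/8 corporate range, the allowed-country list, the business hours, and the sample CRM record are all assumptions.

```python
"""Attribute-based access policy at a mobile gateway (added example).

Illustrative code for this page, not a specific gateway's policy language.
Assumed model: every request from the app reaches the gateway with a
RequestContext (who, which device, from where, when, for what). Policies are
evaluated in order: the first matching "block" wins, "mask" policies accumulate
the fields to redact, and anything unmatched is allowed. Networks, hours,
resources, and records are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed on-prem range
ALLOWED_COUNTRIES = frozenset({"US", "CA", "GB"})       # assumed export-control list
BUSINESS_HOURS = (time(7, 0), time(20, 0))              # assumed


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    device_managed: bool   # enrolled in MDM / passed a device-health check
    country: str           # from geo-IP or device locale
    client_ip: str
    when: datetime
    resource: str          # backend path, e.g. "crm/customers"


@dataclass(frozen=True)
class Policy:
    name: str
    resource_prefix: str                         # "" matches every resource
    condition: Callable[[RequestContext], bool]
    effect: str                                  # "block" or "mask"
    mask_fields: FrozenSet[str] = frozenset()


def make_context(user_id: str, device_managed: bool, country: str, client_ip: str,
                 when_iso: str, resource: str) -> RequestContext:
    """Convenience constructor; when_iso is ISO-8601, e.g. '2015-07-01T10:00'."""
    return RequestContext(user_id, device_managed, country, client_ip,
                          datetime.fromisoformat(when_iso), resource)


def on_corporate_network(ctx: RequestContext) -> bool:
    return ipaddress.ip_address(ctx.client_ip) in CORPORATE_NET


def in_business_hours(ctx: RequestContext) -> bool:
    return BUSINESS_HOURS[0] <= ctx.when.time() <= BUSINESS_HOURS[1]


POLICIES: List[Policy] = [
    Policy("block-embargoed-geo", "", lambda c: c.country not in ALLOWED_COUNTRIES, "block"),
    Policy("block-unmanaged-hr", "hr/", lambda c: not c.device_managed, "block"),
    Policy("block-finance-offnet-afterhours", "finance/",
           lambda c: not on_corporate_network(c) and not in_business_hours(c), "block"),
    Policy("mask-pii-offnet", "crm/", lambda c: not on_corporate_network(c), "mask",
           frozenset({"card_number", "national_id"})),
]


def evaluate(ctx: RequestContext, policies: List[Policy] = POLICIES
             ) -> Tuple[str, Optional[str], FrozenSet[str]]:
    """Return (decision, policy_name, fields_to_mask); decision is block, mask, or allow."""
    to_mask = set()
    hit: Optional[str] = None
    for p in policies:
        if not ctx.resource.startswith(p.resource_prefix) or not p.condition(ctx):
            continue
        if p.effect == "block":
            return "block", p.name, frozenset()
        to_mask |= p.mask_fields
        hit = p.name
    if to_mask:
        return "mask", hit, frozenset(to_mask)
    return "allow", None, frozenset()


def mask_record(record: Dict[str, object], fields: FrozenSet[str]) -> Dict[str, object]:
    """Keep the last four characters of masked fields so support staff can still match them."""
    return {k: ("*" * max(len(str(v)) - 4, 0) + str(v)[-4:]) if k in fields else v
            for k, v in record.items()}


def gateway_response(ctx: RequestContext, backend_records: List[Dict[str, object]]) -> Dict[str, object]:
    """What the app receives: a 403 with the policy name, or records with policy masking applied."""
    decision, name, fields = evaluate(ctx)
    if decision == "block":
        return {"status": 403, "policy": name, "data": []}
    return {"status": 200, "policy": name, "data": [mask_record(r, fields) for r in backend_records]}
```

Block decisions short-circuit and masking accumulates, so adding a policy can only narrow what a caller sees; the gateway never has to trust the app to drop fields it should not have received.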
Improve Security Testing
Before any mobile development project is considered complete, run a penetration test to find vulnerabilities in the app, whether repackaging, IP and data theft, cryptographic key exposure, tampering, or system compromise. While the test plan will be unique to each project, the following areas should be included in its design:
• Data in transit: Trace the flow of data end to end. Test for access vulnerabilities and validate how the data is protected as it moves between systems, including whether the app still accepts an interception proxy's certificate.
• Data in storage: Verify the security of every data store and determine whether the encryption in use is strong enough to protect proprietary data. Pull the app's data directory and any backup from a test device and look for secrets in the clear.
• Authentication: Test when, where and how users are authenticated. Track how passwords and IDs are stored, and check crash and debug logs, a common place for credentials to leak.
• Server-side connections: Many developers assume backend systems are secured by corporate network administrators. Leaving the APIs the app calls out of the penetration test can leave your app, and the backend systems behind it, open to attack.
• Entry points: Determine whether there are alternative paths into the app, particularly ones that bypass authorization.
Augment the generic test plan with any applicable regulatory and industry-specific compliance requirements. All issues detected must be corrected before release; the risk of publishing enterprise apps with known vulnerabilities is too great.
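Added example for the "data in storage" and "authentication" items above, and for the local-storage advice in the password section (encrypted internal storage, backups disabled): a Python scanner, not a tool from the whitepaper, that a tester can run over an app data directory pulled from a test device. SAMPLE_SANDBOX is a constructed set of files mimicking the kind of cleartext crash log and preferences file discussed earlier; the paths, the password, and the Basic-auth header are made up.

```python
"""Check a captured app sandbox for credentials at rest (added example).

Illustrative code for this page, not a tool from the original whitepaper.
After pulling an app's data directory (or an unencrypted backup) from a test
device, scan every file for secrets stored in the clear, Basic-auth headers
left in logs, and a manifest that still allows backups. The file set at the
bottom is constructed sample data; paths and values are made up.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List

# Keys whose values are secrets. Usernames and e-mails are identifiers, not secrets, so not listed.
SECRET_KEY_RE = re.compile(r"^(pass(word|wd)?|pwd|pin|secret|token|api[_-]?key|session[_-]?id)$", re.I)
KV_RE = re.compile(r"""["']?([A-Za-z_][\w.-]*)["']?\s*[:=]\s*["']?([^"'\s,;&<]+)""")
XML_STRING_RE = re.compile(r'<string name="([^"]+)">([^<]+)</string>')
BASIC_AUTH_RE = re.compile(r"authorization:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)
BACKUP_ON_RE = re.compile(r'android:allowBackup\s*=\s*"true"')


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # plaintext-credential | basic-auth-header | backup-enabled
    key: str
    preview: str   # redacted value: first character only, so the report itself leaks nothing


def redact(value: str) -> str:
    return value[:1] + "*" * (len(value) - 1) if value else ""


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        # key=value, key: value, "key": "value" and <string name="key">value</string> forms
        for key, value in KV_RE.findall(line) + XML_STRING_RE.findall(line):
            if SECRET_KEY_RE.match(key):
                findings.append(Finding(path, "plaintext-credential", key, redact(value)))
        for token in BASIC_AUTH_RE.findall(line):
            try:
                user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not a real Basic credential
            findings.append(Finding(path, "basic-auth-header", user, redact(pw)))
    if path.endswith("AndroidManifest.xml") and BACKUP_ON_RE.search(text):
        findings.append(Finding(path, "backup-enabled", "android:allowBackup", "true"))
    return findings


def scan_sandbox(files: Dict[str, str]) -> List[Finding]:
    """files maps sandbox-relative path -> decoded text, as pulled from the device."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sandbox: what a tester might pull from a test device after one login.
SAMPLE_SANDBOX: Dict[str, str] = {
    "AndroidManifest.xml": '<application android:allowBackup="true" android:label="Coffee">',
    "cache/crash/session.log":
        "2015-01-13 10:02:11 login ok user=alice@example.com password=Hunter2! device=android5",
    "cache/http/trace.log":
        "GET /v1/account HTTP/1.1\nAuthorization: Basic YWxpY2U6SHVudGVyMiE=\nHost: api.example.com",
    "shared_prefs/login.xml":
        '<map><string name="email">alice@example.com</string><string name="password">Hunter2!</string></map>',
    "shared_prefs/ui.xml": '<map><string name="theme">dark</string></map>',
}

if __name__ == "__main__":
    for f in scan_sandbox(SAMPLE_SANDBOX):
        print(f"{f.kind:22} {f.path:28} {f.key}={f.preview}")
    print(summarize(scan_sandbox(SAMPLE_SANDBOX)))
```

Against the constructed sandbox the scanner reports four findings: the password in the crash log, the same password in the preferences file, the Basic-auth header in the HTTP trace (decoded far enough to name the account), and the manifest that leaves backups enabled. The theme preference produces nothing, which is the check that the key list is not simply flagging every string.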
“Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is
often done casually by developers who are mostly concerned with the functionality of applications, not their security.”
- Dionisio Zumerle, principal research analyst, Gartner
Any company looking to leverage an innovative mobile strategy needs a strong security strategy to support it. However, enterprise app
developers cannot rely on their IT administrators to provide the full level of protection a mobile app requires. Instead, they must embed
security measures in the authentication, application, and service delivery layers — and every step between. After all, those companies
that cannot adequately protect private customer data and high value transactions will soon find themselves on the wrong end of a very
public lawsuit.
About the Nexacro Platform
Nexacro is a mobile and web application development platform with a single codebase
and comprehensive IDE. Nexaweb dramatically increases developer productivity by
supporting multiple platforms from a common source code and by providing WYSIWYG
screen design capability and drag-and-drop automation of most common tasks.
With the ability to create HTML5, hybrid, and native applications, Nexacro provides
flexibility to your development efforts so that you can take advantage of the portability
of HTML5 or the deeper hardware integration and higher performance afforded by
hybrid and native approaches.
Nexacro empowers your development team by allowing you to build mobile and web
applications for multiple platforms from a single codebase. Our approach minimizes the
effort required to support the full range of devices in your user population and enables
easy integration with your existing enterprise applications and data repositories so that
you can focus on what is important — delivering for your users.
Single Codebase
Nexaweb allows you to build mobile applications for multiple platforms from a single codebase. Our approach minimizes the requirements needed to support the full range of devices and enables easy integration with your existing enterprise applications so that you can focus on what's most important: delivering for your users.
Multi-Layout Manager
MLM provides a WYSIWYG tool that allows screens of different dimensions and resolutions to be created rapidly by reusing screen elements. Screen elements can be resized, rearranged or hidden based on the desired appearance and functionality for a particular screen size.
Data Binding
Nexaweb provides a variety of tools and techniques for connecting data in existing enterprise data stores to mobile applications. Data binding provides a simple way to associate form fields and controls with data, accelerating development by simplifying data retrieval and updates.
About Nexaweb
Nexaweb provides software and services for the development of enterprise-class mobile, tablet, and web applications. Nexaweb was founded in 2000, offering tools and services to develop web and, later, mobile applications for the enterprise. Today, Nexaweb has more than 2,500 customers around the world across a range of industries.
Nexaweb Inc.
1 New England Executive Office Park, Suite 205
Burlington, MA 01803
Tel: 781-345-5500
Fax: 781-345-5501
www.nexaweb.com
SecurityWhitepaper 7-1-2015

5 Tips for Securing Enterprise Mobile Apps
1 / 9
Today mobile apps of all kinds are routinely subject to malicious activity. In fact, 92% of the top 100 mobile apps have been hacked, and hacking is pervasive across all categories of mobile apps. The attack types are quite diverse — disabled or circumvented security, unlocked or modified features, source code/IP theft, and illegal malware infestations. With such high levels of illegal activity, enterprise app developers must consider protecting proprietary data and securing high-value transactions to be a key requirement of any mobile project.

While many rely on their network security management group to handle these challenges, app developers still need to harden solutions by implementing additional layers of protection — at the app, server, and device level.

To help mitigate risk in your next mobile app development project, consider the following tips to improve your outcomes.
2 / 9
Strengthen Password Management

Strong password management and user authentication solutions are critical to securing mobile apps against hacking.

Consider the recent incident at Starbucks. Millions of customers utilize their mobile app to shortcut the payment process. Recently criminals found a way to break into those accounts to illegally purchase gift cards. Although the app itself wasn’t hacked, the company said these account takeovers are likely due to weak customer passwords. Starbucks suggested that customers combat this issue by using more unique, strong passwords when managing their accounts. However, the real truth — which the company finally confirmed — was that its app was storing usernames, email addresses, and passwords in clear text. This meant that anyone could see passwords and usernames just by connecting the phone to a PC.

Authentication techniques matter. Wherever possible, ensure that critical information (passwords, usernames, account numbers, payment details) does not reside directly on the user’s device. In cases where the information must be stored locally, take extra precautions to secure it. For iOS users, store passwords within an encrypted data section in the iOS keychain. For Android apps, passwords should reside within encrypted storage in the internal app data directory — and then mark the app to disallow backup.

In-App Verifications

As part of the design process, consider requesting user authentication before confirming high-value transactions. While this will add another step in the design, it would have prevented a breach similar to the Starbucks issue. Because consumers do not have to verify their purchases, those cyber criminals could continue to buy gift cards illegally until the customer realized what happened via another channel.
3 / 9
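The server-side half of the in-app verification described above, written here as an added Python example (it is not code from the whitepaper or from Nexaweb): a purchase at or above a constructed threshold is confirmed only with a fresh, single-use token proving the user re-authenticated for exactly that amount and payee. The threshold, window and the StepUpVerifier helper are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

STEP_UP_THRESHOLD = 25.00  # constructed: purchases at or above this need re-authentication
STEP_UP_WINDOW = 120       # seconds a re-authentication remains usable

class StepUpVerifier:
    """Hypothetical server-side helper: ties one re-authentication to one transaction."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._spent = set()  # nonces already redeemed; a replayed token is refused

    def _mac(self, user_id, amount, payee, issued_at, nonce):
        msg = f"{user_id}|{amount:.2f}|{payee}|{issued_at}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, user_id, amount, payee, reauth_ok, now):
        """Called right after the user re-entered a credential (or passed a biometric check)
        for this specific purchase; the app presents the returned token with the purchase."""
        if not reauth_ok:
            return None
        nonce = secrets.token_hex(8)
        return {"user": user_id, "amount": f"{amount:.2f}", "payee": payee, "iat": now,
                "nonce": nonce, "mac": self._mac(user_id, amount, payee, now, nonce)}

    def authorize(self, user_id, amount, payee, now, token=None):
        """Decide whether the purchase may be confirmed."""
        if amount < STEP_UP_THRESHOLD:
            return True  # low value: the existing session authentication is enough
        if token is None:
            return False  # high value without re-authentication
        # The token must name this user, amount and payee ...
        if (token["user"], token["amount"], token["payee"]) != (user_id, f"{amount:.2f}", payee):
            return False
        # ... be recent, carry a genuine MAC (so none of its fields were edited) ...
        if now - token["iat"] > STEP_UP_WINDOW:
            return False
        expected = self._mac(user_id, amount, payee, token["iat"], token["nonce"])
        if not hmac.compare_digest(expected, token["mac"]):
            return False
        # ... and never have been redeemed before.
        if token["nonce"] in self._spent:
            return False
        self._spent.add(token["nonce"])
        return True
```

Because the token is bound to the amount and payee and is spent on first use, a captured token cannot be reused for further gift-card purchases the way an unverified session could.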
Employ Encryption at All Levels

With proper encryption techniques, companies can prevent sensitive enterprise data from being compromised should a mobile device be lost or stolen, or when sensitive information is transmitted via insecure networks. Both on-device and in-app data encryption are needed to ensure security in enterprise apps.

On-Device Encryption

On the device side, encryption techniques vary by OS. Apple devices use the 256-bit Advanced Encryption Standard to automatically encrypt a baseline set of on-device data. When users turn on Passcode Lock, email and application files are also protected. However, media (pictures and video files) must be secured separately using a third-party solution. When Android users enable the platform’s encryption features, all on-device data is protected. For Windows devices, app developers must utilize a third-party solution to protect employees/customers using those devices. Forcing users to enable device-level security features is a critical aspect of mobile app design.

In-App Data Encryption

Enterprise app developers must also protect data transmitted to and from mobile devices. Most developers extend the company’s standard encryption methods — be it public-key, symmetric, or asymmetric — in their own development efforts. When implementing a security framework, it is important to encrypt both data at rest and data in motion. With so many different devices in use and so many data storage and communications techniques, the challenge lies in defining an encryption strategy that will work across all users.

Many companies are using mobile device management (MDM) software to more efficiently handle the distribution of applications and security settings for all devices under management. While an MDM platform will add another layer of security, enterprise app developers should not neglect other app hardening techniques in the process. Hackers continuously target these types of security devices — just as they target firewalls and intrusion detection systems — as part of a concerted effort to steal customer data across enterprise types. If MDM is the only security solution in place, enterprise apps will remain vulnerable to attack.
4 / 9
Rethink Data Management

The way in which data is used, gathered, stored, and transmitted directly impacts an app’s security rating. When designing mobile apps, carefully analyze which pieces of data are critical to functionality and which can be considered extraneous. Do not collect or store any information that is not required. Making smart choices throughout the design process is critical to mitigating risk and maintaining compliance with data protection laws.

Leverage Mobile Gateways

Often, enterprise apps expose backend systems — CRM, HR, financial — to new environments for the first time. By using a secure mobile gateway to control and mediate all traffic between app users and corporate systems, developers can apply policies for governing access requests in real time. Naturally, these policies can be configured with user ID and device data. However, companies can write extremely complex access policies based on geographic, network, device, content, and even time/date information. In this way, app developers can block, filter, or mask access to implement sophisticated corporate and regulatory compliance rules.
5 / 9
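An added Python illustration of the gateway policies just described (example code, not Nexaweb’s and not any gateway product’s policy language): constructed rules keyed on the system being reached, device management state, country, network and time of day produce the block, mask or filter outcomes the paragraph lists, applied to a constructed HR record.

```python
from datetime import datetime

MASKED = "***"

# Constructed policy set (a real gateway has its own policy language); order matters.
POLICIES = [
    {"name": "finance-needs-managed-device", "match": {"system": "financial", "device_managed": False}, "action": "block"},
    {"name": "home-countries-only", "match": {"country_not_in": ["US", "CA"]}, "action": "block"},
    {"name": "mask-pii-on-public-networks", "match": {"system": "hr", "network": "public"}, "action": "mask", "fields": ["ssn", "bank_account"]},
    {"name": "hide-salary-out-of-hours", "match": {"system": "hr", "hours_outside": (8, 18)}, "action": "filter", "fields": ["salary"]},
]

def _matches(conditions, ctx):
    """Every condition in the policy must hold for the request context ctx."""
    for key, want in conditions.items():
        if key == "country_not_in":
            if ctx["country"] in want:
                return False
        elif key == "hours_outside":  # true when the local hour lies outside [start, end)
            start, end = want
            if start <= ctx["time"].hour < end:
                return False
        elif ctx.get(key) != want:  # exact match on user, device, system, network ...
            return False
    return True

def evaluate(policies, ctx, record):
    """Return ("block", None), or ("allow", record) with mask and filter rules applied."""
    out = dict(record)
    for policy in policies:
        if not _matches(policy["match"], ctx):
            continue
        if policy["action"] == "block":
            return "block", None
        if policy["action"] == "mask":
            out.update({f: MASKED for f in policy["fields"] if f in out})
        elif policy["action"] == "filter":
            out = {k: v for k, v in out.items() if k not in policy["fields"]}
    return "allow", out

# Constructed backend record and request context for trying the policies.
SAMPLE_RECORD = {"employee": "J. Doe", "ssn": "000-00-0000", "salary": 85000, "bank_account": "12345678"}

def sample_context(hour=14, **overrides):
    ctx = {"user": "alice", "system": "hr", "device_managed": True, "country": "US",
           "network": "corporate", "time": datetime(2015, 7, 1, hour, 0)}
    ctx.update(overrides)
    return ctx
```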
Improve Security Testing

Before any mobile development project is considered complete, it is important to run a penetration test to determine if there are any vulnerabilities in the app — be they repackaging, IP and data theft, cryptographic key exposure, tampering, or system compromise. While the test plan will be unique for each project, the following areas should be considered in its design:

- Data in transit: Monitor the flow of data from end to end. Test for access vulnerabilities and validate how that data is protected as it moves between different systems.
- Data in storage: Verify the security of data stores and determine if the level of encryption is strong enough to protect proprietary data.
- Authentication: Test when, where, and how users are being authenticated. Track how passwords and IDs are stored.
- Server-side connections: Many developers believe back-end systems are secured by corporate network administrators. Neglecting these connections within the penetration test can leave your app — and backend systems — vulnerable to hacking.
- Entry points: Determine if there are alternative paths into the app — particularly those that are unauthorized.

Augment a generic test plan with any applicable regulatory and industry-specific compliance requirements. All issues detected must be corrected prior to release — the risk of publishing enterprise apps with vulnerabilities is just too great.
6 / 9

“Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security.”
- Dionisio Zumerle, principal research analyst, Gartner
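One concrete check from the test plan above, "Track how passwords and IDs are stored", as an added Python example (not from the whitepaper or Nexaweb): it parses a constructed AndroidManifest.xml and a constructed shared_prefs file, reports credential-looking keys or e-mail addresses kept in unencrypted preferences (the cleartext-storage problem from the Starbucks case), and flags an app that has not disabled backup as the password-management tip advises. The key patterns and sample files are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
CREDENTIAL_KEY = re.compile(r"pass(word|wd)?|pwd|pin|secret|token|card|account", re.I)
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")

# Constructed samples: a manifest that never sets allowBackup, and preferences that
# store identity and password in cleartext.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application android:label="Demo"/>
</manifest>"""

SAMPLE_PREFS = """<map>
  <string name="username">j.doe@example.com</string>
  <string name="password">hunter2</string>
  <boolean name="tutorial_seen" value="true" />
  <string name="theme">dark</string>
</map>"""

def check_manifest(manifest_xml):
    """Findings for an <application> that does not explicitly set android:allowBackup="false"."""
    app = ET.fromstring(manifest_xml).find("application")
    allow = app.get(ANDROID_NS + "allowBackup", "true") if app is not None else "true"
    if allow.lower() == "false":
        return []
    return ["AndroidManifest.xml: android:allowBackup is not false, so app data "
            "(including preferences) can be copied off the device through backups"]

def check_shared_prefs(prefs_xml, filename="prefs.xml"):
    """shared_prefs files are stored unencrypted; credentials and identities do not belong there."""
    findings = []
    for entry in ET.fromstring(prefs_xml):
        name = entry.get("name", "")
        value = entry.get("value", entry.text or "").strip()
        if CREDENTIAL_KEY.search(name):
            findings.append(f"{filename}: key '{name}' looks like a credential stored in cleartext")
        elif EMAIL.fullmatch(value):
            findings.append(f"{filename}: key '{name}' holds an e-mail address in cleartext")
    return findings

def run_checks(manifest_xml=SAMPLE_MANIFEST, prefs_xml=SAMPLE_PREFS):
    """Aggregate findings; an empty list means this part of the test plan passed."""
    return check_manifest(manifest_xml) + check_shared_prefs(prefs_xml)
```

On a real build the same functions would be pointed at the unpacked manifest and the app’s shared_prefs directory on a test device.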
Any company looking to leverage an innovative mobile strategy needs a strong security strategy to support it. However, enterprise app developers cannot rely on their IT administrators to provide the full level of protection a mobile app requires. Instead, they must embed security measures in the authentication, application, and service delivery layers — and every step between. After all, those companies that cannot adequately protect private customer data and high-value transactions will soon find themselves on the wrong end of a very public lawsuit.
7 / 9
About the Nexacro Platform

Nexacro is a mobile and web application development platform with a single codebase and comprehensive IDE. Nexaweb dramatically increases developer productivity by supporting multiple platforms from a common source code and by providing WYSIWYG screen design capability and drag-and-drop automation of most common tasks. With the ability to create HTML5, hybrid, and native applications, Nexacro provides flexibility to your development efforts so that you can take advantage of the portability of HTML5 or the deeper hardware integration and higher performance afforded by hybrid and native approaches.

Nexacro empowers your development team by allowing you to build mobile and web applications for multiple platforms from a single codebase. Our approach minimizes the effort required to support the full range of devices in your user population and enables easy integration with your existing enterprise applications and data repositories so that you can focus on what is important — delivering for your users.

Single Codebase

Nexaweb allows you to build mobile applications for multiple platforms from a single codebase. Our approach minimizes the requirements needed to support the full range of devices and enables easy integration with your existing enterprise applications so that you can focus on what’s most important — delivering for your users.

Multi-Layout Manager

MLM provides a WYSIWYG tool that allows screens of different dimensions and resolutions to be created rapidly by reusing screen elements. Screen elements can be resized, rearranged, or hidden based on the desired appearance and functionality for a particular screen size.

Data Binding

Nexaweb provides a variety of tools and techniques for connecting data in existing enterprise data stores to mobile applications. Data binding provides a simple way to associate form fields and controls with data, accelerating development by simplifying data retrieval and updates.
8 / 9
About Nexaweb

Nexaweb provides software and services for the development of enterprise-class mobile, tablet, and web applications. Nexaweb was founded in 2000, offering tools and enterprise to develop web and, later, mobile applications for the enterprise. Today, Nexaweb has more than 2,500 customers around the world across a range of industries.

Nexaweb Inc.
1 New England Executive Office Park, Suite 205
Burlington, MA 01803
Tel: 781-345-5500
Fax: 781-345-5501
www.nexaweb.com
9 / 9