Nowadays, with the growing popularity of smartphones, almost everybody uses mobile applications, but hardly anyone thinks of their own security while using them. At the same time, when developing a system it’s standard to put emphasis on securing the back-end, but very rarely do we focus on securing mobile apps. We just take security for granted, relying on the back-end, where there may be vulnerabilities as well.
An unprotected mobile application poses a real threat to the entire system. And it is on our devices that we store and work on critical data such as payments, banking information, access keys, medical, personal data, etc.
The issue of mobile app security is especially visible on Android. Because it is an open system, it is more exposed to data breaches at the operating system level than iOS, which is a closed system whose updates reach all devices immediately. Android is heavily fragmented, so new versions of the system reach customers’ devices very slowly, which directly slows improvement of the platform’s overall security. The extent of the problem is best shown in the examples below.
Data and device interception
An app security breach can stem from many issues, from storing users’ data unencrypted in the local database, as a popular messaging app did in 2011, to the session token switch experienced by a well-known marketplace application in 2016. The app switched the session to a different user’s token, most probably harvested from deep links. Through a fake marketplace page, this opened the way to acquiring other users’ account data, such as user ID, contact details, phone numbers, date of birth, message logs and other private information.
There are also many instances of the whole device being taken over through the system itself. In 2017, a significant security hole called BlueBorne was discovered in a Bluetooth driver; it allowed a whole mobile phone to be taken over through remote code execution. In 2018, another issue came to light: to control device modems, Android firmware used AT commands dating back to the ‘80s (sic!). Manipulating these commands allowed attackers to take control of the entire device.
Such vulnerabilities can be exploited for different purposes, for example to install fake certificates that enable eavesdropping on the encrypted data streaming out of your app, or to install malware that steals user data. And even though the issues mentioned above were fixed fairly quickly at the operating system level, whether those fixes have reached all users remains an open question. There isn’t much we can do about Android system loopholes except wait for an upgrade, but we can ensure the security of the app itself.
How to ensure protection in your mobile app?
There are many ways to address security issues, but ensuring mobile protection is not an easy process, especially when you have to identify the threats to a given app and define its required security level yourself. The most common methods follow standard security practice; others are specific to mobile apps.
Standard security practices include:
proper encryption of sensitive personal data, e.g. encryption of the local database, the cache and API communication
correct cryptographic key management and user session authorisation (tokens)
token validation - issuing a separate token to each device, each with its own session expiration time
proper implementation of secure communication standards, e.g. certificate pinning for HTTPS
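Certificate pinning, the last item above, in practice: an added example (not code from the original post or from Netguru) showing how an Android app using OkHttp pins its API host and fails closed when the presented chain does not match. The host name and both pin values are placeholders; replace them with the SHA-256 hashes of your own server’s public keys.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.util.concurrent.TimeUnit
import javax.net.ssl.SSLPeerUnverifiedException

// Placeholders: the base64 SHA-256 of the SubjectPublicKeyInfo of your API
// server's leaf or intermediate certificate. Keep a backup pin for the next
// key so a certificate rotation does not lock users out of the app.
const val API_HOST = "api.example.com"
const val PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

fun buildPinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .connectTimeout(10, TimeUnit.SECONDS)
        .build()
}

// Returns true when the TLS chain matched one of the pins and the request
// succeeded; false when the chain did not match, which is what you see when
// an interception proxy with an injected root CA sits between app and API.
// OkHttp's exception message lists the pins it actually observed, which is
// the usual way to collect the real values for the constants above.
fun fetchWithPinning(client: OkHttpClient, url: String): Boolean {
    val request = Request.Builder().url(url).build()
    return try {
        client.newCall(request).execute().use { it.isSuccessful }
    } catch (e: SSLPeerUnverifiedException) {
        // Never fall back to an unpinned client here: log and fail closed.
        false
    }
}
```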
Mobile-specific security methods are:
protection against malicious apps
blocking screenshots and screen masking
masking the app’s view in the app switcher - so the app’s content can’t be previewed when switching to a different app
securing the clipboard - a copied password isn’t visible to every other app
IPC (Inter-Process Communication) protection - securing the system components that let apps communicate with each other or with the system: Activities, Services, Content Providers and Broadcast Receivers
UI security analysis, especially for data leaks, e.g. password masking or input validation
blocking overlays on the active app - protection against content scraping, usually done without the user’s knowledge, by apps layered on top of the active app
managing permissions in Android apps
The methods above are only examples; first you have to be aware of the risk at all, and secondly implementing or verifying them may require particular expertise.
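Several of the mobile-specific measures above (screenshot blocking, app-switcher masking, overlay protection, clipboard protection and password masking) are one-line settings on Android. The block below is an added example, not code from the original post or from Netguru; the activity, its layout and the `R.id` resource ids are hypothetical.

```kotlin
import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.os.PersistableBundle
import android.text.InputType
import android.view.WindowManager
import android.widget.Button
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity

// Hypothetical screen: R.layout.activity_secure, R.id.password and
// R.id.copy are assumed resource ids, not from any real project.
class SecureActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE blocks screenshots and screen recording of this window
        // and blanks its thumbnail in the app switcher (recents) screen.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_secure)
        val password = findViewById<EditText>(R.id.password)
        val copy = findViewById<Button>(R.id.copy)
        // Mask the password characters in the UI.
        password.inputType =
            InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_VARIATION_PASSWORD
        // Overlay defence: drop touches delivered while another window
        // (e.g. a transparent overlay from a malicious app) covers the view.
        copy.filterTouchesWhenObscured = true
        password.filterTouchesWhenObscured = true
        copy.setOnClickListener { copyAsSensitive(this, password.text.toString()) }
    }
}

// Put text on the clipboard flagged as sensitive so the system clipboard
// preview (Android 13+) hides it; older releases ignore the flag.
fun copyAsSensitive(context: Context, secret: String) {
    val clip = ClipData.newPlainText("secret", secret)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
        clip.description.extras = PersistableBundle().apply {
            putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
        }
    }
    val cm = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
    cm.setPrimaryClip(clip)
}
```

IPC protection from the same list is a manifest matter rather than activity code: each Activity, Service, Content Provider and Broadcast Receiver that other apps do not need should declare `android:exported="false"`.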
Security boosts the quality of the final product
Seeing that mobile security is very often neglected and having the knowledge and experience required to address this problem, our team at Netguru came up with a solution. We created the Mobile Security Review - a full-scale analysis of a mobile app’s security.
The review is done in five steps:
We review the project to better understand the code, structure, and purpose of the application.
We make a list of the application’s elements responsible for introducing risk to the project.
We prepare a list of the security features that should be implemented for all the risky elements and then we check if all required security features are in place.
After the analysis, if needed, a rescue plan is created - we prepare the list of security actions which should be implemented.
Finally, we prepare a report defining the security level of your product and suggestions how to ensure it in the future.
The Mobile Security Review is based on the OWASP Mobile Security Testing Guide (MSTG). The idea is simple: adjust the MSTG to your needs, so you don’t have to work through the whole OWASP checklist and can focus on the functionalities that pose a real threat to the system. It is designed to be easy to integrate with your continuous integration and delivery process and, since it is agile, it can evolve together with your product. Moreover, the MSTG is maintained by the community and based on best practices and international standards defined, among others, by NIST and IEEE. All of these advantages carry over directly into the MSR process. Finally, the Mobile Security Review, just like the MSTG, is an open source solution.
That being said, the benefits of using Mobile Security Review seem clear-cut. The review increases the security and quality level of the product, but above all it makes you realise how secure your users’ data is.
“Developing a social care platform like Helpr, we've always been concerned for the security of the product. Given the profile of the application, we are constantly handling sensitive data, such as health condition, name, and address. So we couldn’t allow for any disclosure of client data. Thus, a couple of weeks ago we had Helpr’s security reviewed and this gave us vital information. Luckily, there was no reason to be alarmed and no need to apply emergency fixes. However, the improvements proposed in the report are something we'll surely have in mind when planning the scope for the new iterations. An unbiased analysis of the project is always a valuable insight for the project team.”
Filip Kozłowski, Project Manager at Netguru overseeing the development of Helpr
A Mobile Security Review ensures correct project development, setup, and overall code quality. This is due to the fact that it covers a large number of sensitive areas such as risk analysis, data protection, reverse engineering protection, anti-tampering, encryption, communication, key management and many more, making it very valuable to product owners. An MSR helps you and your app become less vulnerable to security breaches and better protected against financial and reputation loss, as well as potential legal problems.
Getting a Mobile Security Review done is a win-win situation for both the owners and the users. The owners win a reliable, high quality product, which gets better positioning in stores and better reviews. A better quality product enhances users’ personal data security and trust for the product. This in turn translates into bigger demand and revenue increase for the company.
Thus, if you want to upgrade your project’s security level, contact us - together we will perform the review of your mobile product.