It doesn’t take many breaches like Equifax before most of us start viewing our devices with some concern.  How safe are they?  We love the convenience, but the reality is that your device and the apps running on it are a big target for hackers.  OWASP maintains a list of the top mobile security risks, some of which are noted here [1].

Among the top issues is insecure authentication, which goes hand in hand with insecure data storage.  Communication issues include flawed handshakes, outdated SSL versions, sending sensitive data in clear text, and the absence of cryptography where it is needed.  A big one is app code quality, which is another name for technical debt.  But even with good code, attackers can modify it if they can get onto your phone.  Some developers have inserted code during development that was never intended to reach production; too often, it remains after the app is published to the stores.

If you want to stay in business, you have to ensure that every app you release is secure.  Customers expect it, yet too many businesses have failed to allocate the resources needed to ensure that the proper steps are taken.  Here are some ideas for securing your mobile apps, drawn from an article by UpWork [2].

  1. Start with a plan that makes security a priority.
    1. Encrypt app code using good algorithms and API encryption.
    2. Test code not just for functionality, but also for areas that are vulnerable to hackers.
    3. Make sure the code is safe, but also easy to patch.
    4. Don’t over-engineer to the point where response time and other factors are impacted.
  2. Don’t forget your network. Make sure that data in transit is protected.
    1. Have your network expert assess the network.
    2. Use database encryption and SSL or TLS.
    3. Look at containers as a way to store your data.
  3. Authenticate and authorize users through your app.
    1. Consider two-factor authentication, along with standards such as OAuth2 and JSON Web Tokens. OpenID Connect is designed for mobile and allows credential reuse across domains.
  4. As data is often stored on the device, make sure the data is secured.
    1. Encrypt files to protect data at rest.
    2. Encrypt mobile databases.
    3. Don’t store sensitive information on the device itself unless you have secured it.
    4. Key management has to be robust.
  5. Secure APIs, both your own and those of the third parties you work with. This includes considering identification, authentication and authorization.
  6. Test, test, test.  Use penetration testing and simulation testing to look at all aspects.
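The "incorrect SSL versions" and "clear text" problems above usually come from how the app's TLS client is configured, so here is an added example (not from the article, UpWork or OWASP) that builds a hardened client context with Python's standard `ssl` module, shows the weak configuration that often ships after a developer "fixes" a certificate error, and audits a context for those weaknesses. The context is only built and inspected; no network connection is made.

```python
# Added example: a hardened TLS client context beside a weak one, plus an audit
# function that flags the settings the article warns about. Standard library only.
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname against
    the system trust store and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context that sneaks into production after a developer
    silences a certificate error: no certificate or hostname verification at all.
    Constructed here purely so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE      # any certificate (or none) is accepted
    return ctx                           # minimum_version left at library default


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of finding codes; an empty list means the context passes.

    Codes: 'no-cert-verify'      - server certificate is not verified
           'no-hostname-check'   - certificate is not matched to the hostname
           'legacy-tls-allowed'  - handshake may negotiate below TLS 1.2
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verify")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    # TLSVersion is an IntEnum, so ordering comparisons are meaningful.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))   # []
    print("weak:    ", audit_context(weak_client_context()))
```

The same three checks are what a code review of a mobile client's HTTP layer should look for, whatever language or library the app itself uses.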

But it’s also important to share with app customers how critical their role in this is.  If their device isn’t secure, it doesn’t matter what you do on your end.  Remind them, when they download an app, to make sure the source is trusted.  Developers have a big job in securing these apps, but we need to let our customers know how critical their role is as well.

[1] https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

[2] https://www.upwork.com/hiring/mobile/mobile-application-security/