Mobile Application Security Checklist

Mobile devices, as a phenomenon, have become a huge achievement of the technical progress. At the beginning, we had a device for emergency calls, but who remembers it now? Calls, messages, a music player, a library, a shop, and so on and so forth… All of it is hidden in one instrument – a mobile phone. We go further and use the devices in our routine. With their smartphones, people can optimize plenty of working processes and keep all information up to date.

But every medal has two sides. A number of smartphones in the world grows every year making this mobile environment fragile and insecure. Fixing this situation is the main task of mobile app security testing. Any application keeps users’ data inside and helps to solve everyday problems. Would the app’s custom feel safe and rely on this product? The answer “yes” is fully developers’ responsibility.

Mobile Security Here and Now

Why is it important for startups to take care of mobile app security? Let’s leave idle talks and get straight to the point. There is some eye-opening statistic which will be useful to any business (pursuant to Mobile Security Report 2016):

  • almost 25% of mobile applications include at least one security shortcoming with a high risk
  • every day one average device connects to 160 IP addresses
  • apps for business are three times more likely to reveal users’ credentials than an average app
  • 35% of data sent by mobile phones is unencrypted.

In the report, there were examined 400 000 different mobile apps for Android, and following high-risk security issues were recorded:

High-risk security issues

Among these issues, those connected with sensitive data leaks are:

  • email leak
  • username leak
  • password leak
  • GPS leak means that the app leaks data about the user’s location and potentially allows tracking him
  • MAC (media access control) address leak. This is a unique identifier designated for network interfaces for communication purposes.

Network issues:

  • Improper TLC (Transport Layer Security) validation can result in deterioration of the connection’s privacy. Subsequently, sensitive data may leak (i.e., credit card information)
  • unvalidated .zip files might lead to the modifying of app or code parameters.

File system issues:

  • World-readable files. A file where world-readable permissions enabled allow anyone to read contents of that file.
  • World-writable files. A file where world-writable permissions enabled allow anyone to overwrite contents of that file. In its turn, in can lead to an arbitrary code execution.

All this information means that not only malware may be the subject of our concern. From now on, our main interest is leaky apps that deal with sensitive personal or corporate data. Providing security for mobile applications requires checking some basic points. A checklist of this kind is a very changeable matter, but it should always be a part of the security system.

Checklist to Securing Your Mobile Apps

Penetration testing for mobile apps includes these 7 tips. Following them will help you to build a reliable safety system either on Android or iOS devices.

1. Provide strong authentication

Strong authentication means providing multi-factor process. This will help to prevent password guessing attacks and an unauthorized access.

“Account fraud and identity theft are frequently the result of single-factor authentication exploitation”
FFIEC “Authentication in an Internet Banking Environment”

Three factors for authentication:

  • something a user knows – a password or PIN-code
  • something a user has – a mobile device itself
  • something a user is – a fingerprint.

That’s what can be a great combination to reduce the risk of unauthorized access: password authentication plus a client certificate, the ID of a device, or a one-time password. Other implementations which organizations can use: time-of-day or location-based restrictions.

2. Take care of the authorization process

Authentication means you’ve entered an app, but it doesn’t’ mean you can do whatever you want with it. Authorization will put the things right with tokens, two-factor authorization, and one-time use codes.

Work with tokens is handled with OAuth2. This is a protocol that manages the exchange of tokens; it makes secure connections possible. To achieve good results, OAuth deals with 4 basic elements:

  1. Clients (those who use an app)
  2. The authorization server
  3. The API (and the data it shares)
  4. The API owner who authorizes and delegates users

OAuth serves as a framework granting a user’s permission with tokens. Tokens are generated for one-time use by collecting a credential (like questions sent via SMS).

3. Encrypt communications through mobile phones

The next step is to make sure that communications between a mobile app and app servers are encrypted. After a password system, you should work on public key cryptography. This system uses pairs of keys: public (used widely) and private (known by one owner).

Secure mobile system

In this field, one of the main decisions is a key size. 1024-bit keys have been cracked often, so the next number was 2048. Lots of developers skipped it and moved straight to 4096-bit keys. Nowadays, one would choose 4096, but there are cases for using 2048-bit keys:

  • Some hardware just doesn’t support more than 2048 bits (many smart cards or some card readers).
  • Using less CPU (central processing unit), which means less draining for the battery (it’s important for mobile devices).
  • Using less storage space – it’s mostly important for small devices like smart cards.

4. Avoid external attacks with input validation

Input validation is a process of ensuring that input data meets the application’s expectations. If this process goes incorrectly, it can lead to all sorts of problems and vulnerabilities. The most popular among them are:

  • Injection attacks
  • DOS (Disk Operating System) attacks
  • Buffer overflows
  • Information disclosure
  • Memory leakage, etc.

You can start verifying the input with a Whitelists or Blacklists method. A Blacklist is testing an expected input against negative inputs. A Whitelists, on contrary, is testing against correct inputs. This option is preferable because a developer knows exactly what is desired for the app.

5. Keep an eye on the user’s activity

If app users deal with confidential information (healthcare, payment cards, customer data, etc.), then developers should monitor users’ activities.

“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.”
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data

Specifically, in business apps, log messages show when users access an app, also they track users’ location and ID numbers of mobile devices. Errors, including failed login attempts, should be recorded too.

As for highly-sensitive applications, IT obtains the whole picture. By this, we mean recording users’ sessions to see in details who did and what. To get an even more complete picture, developers turn to mobile screen recording.

6. Avoid data leaks (by all means)

Firstly, to avoid leaks of data, developers should separate personal apps from business apps. Creating private mobile workspaces prevents malware from accessing corporate data and stops users from manipulating a sensitive data (copying, saving, and distributing).

There are several root causes for data loss. They can be divided into three groups: connected with people, process, and technology.

Causes for data loss

When we deal with a confidential data, there are 4 basic ways to prevent leaks:

  1. Monitor access to the clipboard to avert “copy” and “paste” functions.
  2. Prevent users from downloading a certain data to their phones, sharing sites, or connected devices.
  3. Watermark confidential files with usernames or timestamps.
  4. Block screen captures.

Learn more about data leaks from TecSynt’s experience: How Bugs in the API Can Tell You Users’ Credentials.

7. Prevent device theft (as a bonus)

This item of the security testing checklist is especially important for business applications to protect their sensitive data. If everything has gone wrong, an extra measure to secure information is to wipe it. You can exploit this feature to your advantage. And with tip 3 you have strong guarantees – if the data is encrypted, the whole procedure can be performed instantaneously.

With regard to employee-owned devices, developers can lock or wipe corporate information while personal data is intact. At the same time, when the mobile phone is found or replaced, developers should be able to restore all necessary information.

Conclusion in the End of the Checklist

We’ve considered the most important tips and tools helping to complete the application security testing checklist. Constant control of mobile security gives several advantages to the future of your app:

  • Now you see the whole picture of dangers surrounding your application and can work in the direction of remediation.
  • You can find and instantly get rid of security vulnerabilities that threat your users’ personal (sensitive) data. This issue is a number one problem for all developers.
  • You know how to manage security on any mobile device – whether this is an Android, Windows smartphone, or an iPhone.
  • You can manage sensitive data even on distance – when a device is lost or stolen, timely measures would prevent data leaks.

Relationships between a developer and an end user are built on trust, and you should be ready to pay a high price if you neglect this fact. As a number of mobile functions grows, people confide more and more of their secrets to their devices. It makes security checklists broader each year, and security testing becomes more and more rigorous. If you’re asking, when it’s better to work on the app’s safety, the right answer is “now”. To learn more about prototyping in general, read 5 best ways to Prototype Your Mobile Project.

Tecsynt mobile development company

Read Next

4 Reasons Why Do You Need to Build an MVP
4 Reasons Why Do You Need to Build an MVP
HIPAA Compliant App Development. What Do You Need to Know About It?
HIPAA Compliant App Development. What Do You Need to Know About It?
How Bugs in the API Can Tell You Users’ Credentials
How Bugs in the API Can Tell You Users’ Credentials
Don’t leave us hanging!
Get in Touch