Nowadays almost everybody uses mobile applications, but hardly anyone thinks about their security while using them. On the development side, attention usually goes to securing the back-end, while the mobile client is rarely hardened at all. Security is taken for granted and delegated to the back-end, which may have vulnerabilities of its own.
An unprotected mobile application is a real threat to the entire system, because the device is where critical data is stored and handled: payments, banking details, access keys, medical records, personal data and so on.
The problem is most acute in the Android ecosystem. Android is open and heavily fragmented: new system versions and security patches reach users' devices slowly, if at all, so a vulnerability that has already been fixed can remain exploitable on a large share of the installed base for years. iOS, a closed system, ships its updates to all supported devices at once. That does not mean an iOS app is secure by default: threats related to local data storage or to server communication (such as man-in-the-middle attacks) apply to both platforms and are the app's responsibility, not the operating system's.
To understand the importance of the problem, let's see the examples below.
Data and device interception
An app security breach can stem from many issues, from storing users' data unencrypted in the local database (the case of a popular messaging app in 2011) to faulty session handling (experienced by a well-known marketplace application in 2016). In the latter case the app could be made to switch to another user's session token, most probably harvested through deep links; a crafted marketplace page then opened the way to other users' account data, such as user ID, contact details, phone numbers, date of birth, message logs and other private information.
There are also many examples of taking control of the whole device through a system vulnerability. In 2017 a set of flaws in Bluetooth stacks, known as BlueBorne, allowed an attacker within radio range to take complete control of a device by executing code remotely, without pairing or any user interaction. In 2018 another issue was reported: to control the modem, Android firmware still accepted AT commands, a command set dating back to the 1980s, and sending crafted AT commands over a USB connection allowed an attacker to take control of the whole device. BlueBorne itself is no longer a concern on up-to-date devices: Apple mitigated it in iOS 10, and Google fixed it in the September 2017 Android security bulletin, but whether a given Android phone ever received that update depends on its vendor.
Such vulnerabilities can be used for different ends, for example to install a rogue CA certificate and read the traffic leaving your app, or to install malware that steals user data. The issues above were fixed fairly quickly at the operating-system level, but whether the fixes reached every user remains an open question. There is not much we can do about Android system flaws except wait for the upgrade; what we can do is make sure the app itself is secure.
How to ensure protection in your mobile app?
There are many ways to tackle security issues, but securing a mobile app is not an easy process, especially when you have to identify the threats to a given app and decide on its required security level yourself. Most methods follow standard security practice; others are specific to mobile apps.
Standard security practices include:
- encryption of sensitive data at rest and in transit: the local database, caches and API communication
- correct cryptographic key management (keys generated and stored in the platform keystore, never hardcoded in the app) and session authorisation with tokens
- token validation: a separate token per device, each with its own session expiry, so that one leaked token does not unlock every session
- proper implementation of secure communication standards, e.g. certificate pinning on top of HTTPS
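Certificate pinning in practice, as an added example that is not part of the original post or of Netguru's guide: an Android HTTP client built with OkHttp 4 that only trusts the API host's own public key. The host name and the two SHA-256 pin values are placeholders, and SecureApiClient is a hypothetical name.

```kotlin
// Added example (not from the original post): pinning the API host's
// public key with OkHttp's CertificatePinner. API_HOST and both pin
// values are placeholders; replace them with your backend's real values.
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

object SecureApiClient {
    // Hypothetical backend host.
    private const val API_HOST = "api.example.com"

    // A pin is "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)).
    // Compute it from a certificate you control, for example:
    //   openssl s_client -connect api.example.com:443 </dev/null \
    //     | openssl x509 -pubkey -noout \
    //     | openssl pkey -pubin -outform DER \
    //     | openssl dgst -sha256 -binary | base64
    // Always ship at least one backup pin (next key, or the issuing CA),
    // otherwise a routine key rotation locks every installed app out.
    private const val PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    private const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

    val client: OkHttpClient = OkHttpClient.Builder()
        .certificatePinner(
            CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
                .build()
        )
        .build()

    /**
     * Returns the response body, or null when the request failed or the
     * server's certificate chain did not match any pin. A pin failure is
     * a hard stop: never fall back to an unpinned client.
     */
    fun fetch(path: String): String? {
        val request = Request.Builder()
            .url("https://$API_HOST$path")
            .build()
        return try {
            client.newCall(request).execute().use { response ->
                if (response.isSuccessful) response.body?.string() else null
            }
        } catch (e: SSLPeerUnverifiedException) {
            // No certificate in the chain matched a pin: either an
            // interception proxy or an unannounced key rotation.
            // Report it to your telemetry and fail closed.
            null
        }
    }
}
```

Pins are hashes of the certificate's SubjectPublicKeyInfo, not of the whole certificate, so they survive a renewal that keeps the same key. The same pins can instead be declared in the Network Security Config, which applies them to every HTTPS stack that uses the platform trust manager; either way, plan rotations around the backup pin, and on a pin failure the client must fail closed rather than retry without pins.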
Mobile-specific security methods include:
- protection against malicious apps
- blocking screenshots and screen recording of sensitive views
- masking the app's view in the app switcher, so the app's content cannot be previewed when switching to a different app
- securing the clipboard, so a copied password or one-time code is not visible to other apps
- IPC protection (Inter-Process Communication): restricting the components through which apps talk to each other and to the system (Activities, Services, Content Providers, Broadcast Receivers) so that only intended callers can reach them
- UI security analysis, especially in terms of data leaks (e.g. password masking or validation of data)
- Android specific:
  - code obfuscation (e.g. R8/ProGuard), which raises the cost of reverse engineering
  - proper handling of app signatures and signing keys
  - blocking touches from overlapping apps: protection against tapjacking and content scraping done through windows layered on top of the active app
  - requesting only the permissions the app actually needs
- iOS specific:
  - using App Transport Security (ATS) for all web connections; ATS is on by default, so in practice this means not switching it off with NSAllowsArbitraryLoads
  - enabling File Data Protection, so files the app writes are encrypted under the device passcode (e.g. the NSFileProtectionComplete attribute)
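The Android-specific items above in one place, as an added example that is not part of the original post or of Netguru's guide: an Activity that blocks screenshots and the app-switcher preview, drops touches while another window covers a sensitive button, and handles a copied one-time code on the clipboard. The package name, SensitiveActivity, the layout and the view ids are hypothetical; the API-level checks refer to the current Android SDK constants.

```kotlin
// Added example (not from the original post). Package, class, layout
// and view ids are hypothetical names.
package com.example.app

import android.content.ClipData
import android.content.ClipDescription
import android.content.ClipboardManager
import android.os.Build
import android.os.Bundle
import android.os.PersistableBundle
import android.view.WindowManager
import android.widget.Button
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity

class SensitiveActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // FLAG_SECURE excludes this window from screenshots, screen
        // recording and non-secure displays, and makes the recent-apps
        // switcher show a blank thumbnail for it. Set it before
        // setContentView so the very first frame is already covered.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_sensitive)

        // Tapjacking: discard touches delivered while another app's
        // window (e.g. a SYSTEM_ALERT_WINDOW overlay) obscures the button.
        findViewById<Button>(R.id.confirm_payment).filterTouchesWhenObscured = true

        // Clipboard: copy a one-time code as a sensitive clip and clear it
        // shortly afterwards so other apps cannot read it later.
        findViewById<Button>(R.id.copy_otp).setOnClickListener {
            val otp = findViewById<EditText>(R.id.otp_field).text.toString()
            copySensitiveText(otp)
        }
    }

    private fun copySensitiveText(text: String) {
        val clipboard = getSystemService(ClipboardManager::class.java)
        val clip = ClipData.newPlainText("otp", text)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // API 33+: the system clipboard preview hides sensitive clips.
            clip.description.extras = PersistableBundle().apply {
                putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true)
            }
        }
        clipboard.setPrimaryClip(clip)

        // Wipe the clip after 30 seconds; before API 28 there is no
        // clearPrimaryClip(), so overwrite it with an empty clip instead.
        window.decorView.postDelayed({
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                clipboard.clearPrimaryClip()
            } else {
                clipboard.setPrimaryClip(ClipData.newPlainText("", ""))
            }
        }, 30_000L)
    }
}
```

IPC hardening belongs in the manifest rather than in this code: declare every Activity, Service, Content Provider and Broadcast Receiver with android:exported="false" unless another app genuinely has to reach it, and guard the ones that stay exported with a permission. Note that FLAG_SECURE already covers the app-switcher preview, so there is no need to tear down views in onPause, which is racy and easy to get wrong.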
These methods cover only some of the risks. You have to be aware of the risks in the first place, and implementing or verifying the countermeasures may require specific expertise.
Security boosts the quality of the final product
Seeing that mobile security is very often neglected and having the experience required to address this problem, our team at Netguru came up with a solution. We created the Mobile Security Review best practices - a full-scale analysis of a mobile app’s security.
The security review is done in five steps:
- We review the project to better understand the code, structure, and purpose of the application.
- We make a list of the application’s elements responsible for introducing risk to the project.
- We prepare a list of the security features that should be implemented for all the risky elements and then we check if all the required security features are in place.
- After the analysis, if needed, a rescue plan is created - we prepare the list of security actions which should be implemented.
- Finally, we prepare a report defining the security level of your product and suggestions on how to ensure it in the future.
The Mobile Security Review is based on the OWASP (Open Web Application Security Project) Mobile Security Testing Guide (MSTG). The idea is simple: tailor the MSTG to your app, so that instead of working through the entire OWASP checklist you focus on the functionality that poses a real threat to the system. It is designed to be easy to integrate with your Continuous Integration and Continuous Delivery process and, since it is agile, it can change together with your product. The MSTG is maintained by the community and grounded in best practices and international standards, and our Mobile Security Review is itself open source.
Enhance your app safety with our Mobile Security Review Guide
We created open sourced guidelines for Mobile Security Reviews, which are available here.
Why did we create this process?
- We wanted to improve mobile security at Netguru
- We needed a single source of truth shorter than 50 pages, so that every mobile developer can read it in a short time
- We aimed to share the knowledge with the community, so that everybody knows what to pay attention to and what the risks are
What does our security document include?
- Risks analysis: risk of compromise and its impact
- Classification and prioritisation of vulnerabilities
- Planning on the basis of the prior prioritisation
- Report: how should it look, what should it contain?
What are the benefits of adopting the MSRG?
- Independence: you can analyse your app on your own
- Better knowledge: you get security tips, especially useful for developers and tech enthusiasts
- Time saved: you can use a single source of truth for all the information
- Reliability: based on OWASP
The benefits of using a Mobile Security Review seem clear-cut. The review increases the security and quality level of the product, but above all it makes you realise how secure your users’ data is.
“Developing a social care platform like Helpr, we've always been concerned for the security of the product. Given the profile of the application, we are constantly handling sensitive data, such as health condition, name, and address. So we couldn’t allow for any disclosure of client data. Thus, a couple of weeks ago we had Helpr’s security reviewed and this gave us vital information. Luckily, there was no reason to be alarmed and no need to apply emergency fixes. However, the improvements proposed in the report are something we'll surely have in mind when planning the scope for the new iterations. An unbiased analysis of a project is always a valuable insight for the project team.”
Filip Kozłowski, Project Manager at Netguru overseeing the development of Helpr
With Mobile Security Review everybody wins
A Mobile Security Review checks project development, setup and overall code quality, because it covers a large number of sensitive areas such as risk analysis, data protection, reverse-engineering protection, anti-tampering, encryption, communication, key management and more, which makes it very valuable to product owners. An MSR makes your app less vulnerable to security breaches and better protected against financial and reputational loss, as well as potential legal problems.
Getting a Mobile Security Review done is a win-win situation for both the owners and the users. The owners win a reliable, high quality product, which gets better positioning in stores and better reviews. A better quality product enhances users’ personal data security and trust for the product. This in turn translates into bigger demand and business growth.
Thus, if you want to upgrade your project’s security level, contact us - together we will perform the review of your mobile product.