Nowadays, with the growing popularity of smartphones, almost everybody uses mobile applications, but hardly anyone thinks about their security while using them. At the same time, when developing a system, everyone focuses on back-end security and rarely on securing the mobile app itself. We simply take security for granted and rely on the back-end, which may contain vulnerabilities of its own.
An unprotected mobile application poses a real threat to the entire system. It is on our devices that we store and work on critical data such as payments, banking information, access keys, medical records and other personal data.
The issue of mobile app security is especially concerning in the Android ecosystem. Because Android is an open system, it is more exposed to data breaches at the operating-system level than iOS, which is a closed system whose updates reach all devices immediately. Android is very fragmented, so new versions of the system reach customers’ devices very slowly, which directly stunts the improvement of the platform’s overall security. Still, this does not mean an iOS app is completely secure - threats related to local data storage or to communication with the web server (such as MITM attacks) can make your app vulnerable on either platform.
To understand the importance of the problem, let's see the examples below.
An app security breach can stem from many issues, ranging from storing users’ data without encryption in the local database (which was the case with a popular messaging app in 2011) to session token swapping (experienced by a well-known marketplace application in 2016). In the latter case, the app switched sessions to a different user’s token, which most probably was harvested from deeplinks. Through a fake marketplace page, this opened the way to acquiring other users’ account data, such as user ID, contact details, phone numbers, date of birth, message logs and other private information.
There are also many examples of taking control of the whole device through a system vulnerability. In 2017, a significant security loophole, called BlueBorne, was discovered in a Bluetooth driver; it allowed attackers to gain complete control of a mobile phone by remotely executing code. In 2018, another issue was discovered: it turned out that, in order to control device modems, Android firmware used AT commands dating back to the ‘80s (sic!). Manipulating these commands allowed attackers to take control of the whole device. Fortunately, we no longer have to worry about BlueBorne - it is already fixed in iOS 10 and later and on most Android devices running 6.0 or later.
Such vulnerabilities can be exploited for different purposes, for example to add fake certificates in order to read the data streaming out of your app, or to install malware that steals user data. The above-mentioned issues were fixed rather quickly at the operating-system level, but whether those fixes have reached all users remains an open question. There isn’t much we can do about Android system loopholes except wait for an upgrade and ensure the security of the app ourselves.
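The fake-certificate scenario above (a CA added to the device so that TLS traffic can be read) is one that the app itself can mitigate with certificate pinning. The following is an added example, not code from the original post or from Netguru, showing how an Android app using OkHttp can pin the SPKI hash of its API server so that a connection presenting a different certificate chain fails even if the device trusts the attacker’s CA. The hostname `api.example.com` and the pin value are placeholders for illustration; a real pin is the base64 SHA-256 of the server’s public key, and a backup pin for key rotation is included for the same reason.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.io.IOException
import javax.net.ssl.SSLPeerUnverifiedException

// Placeholder host and pins (assumptions for this example, not real values).
// Each pin is "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)).
// Keep at least one backup pin so a planned key rotation does not lock users out.
const val API_HOST = "api.example.com"
const val PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

// Builds a client that refuses any TLS chain for API_HOST whose public keys
// do not match one of the pins, regardless of which CAs the device trusts.
fun buildPinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}

// Result type so callers can distinguish a pin failure (possible interception)
// from ordinary network errors and react differently, e.g. log and refuse to
// send credentials rather than silently retrying.
sealed class ApiResult {
    data class Ok(val body: String) : ApiResult()
    object PinMismatch : ApiResult()
    data class NetworkError(val cause: IOException) : ApiResult()
}

fun fetchProfile(client: OkHttpClient): ApiResult {
    val request = Request.Builder()
        .url("https://$API_HOST/v1/profile")
        .build()
    return try {
        client.newCall(request).execute().use { response ->
            ApiResult.Ok(response.body?.string() ?: "")
        }
    } catch (e: SSLPeerUnverifiedException) {
        // OkHttp throws this when the presented chain matches none of the pins.
        ApiResult.PinMismatch
    } catch (e: IOException) {
        ApiResult.NetworkError(e)
    }
}
```

A pin mismatch should be treated as a signal, not as a transient error: the app should avoid sending the session token or other sensitive data over that connection and should surface the event to the back-end when it next connects successfully, which gives the team a measurable count of users whose traffic is being intercepted.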
There are many ways to address security issues, but ensuring mobile protection is not an easy process, especially when you have to identify the threats to a given app and define its required security level yourself. The most common methods follow standard security practice; others are adapted specifically for mobile apps.
The methods above cover only some of the risks. Firstly, you have to be aware of those risks in the first place; secondly, implementing or verifying the methods may require particular expertise.
Seeing that mobile security is very often neglected, and having the experience required to address this problem, our team at Netguru came up with a solution: the Mobile Security Review best practices, a full-scale analysis of a mobile app’s security.
The Mobile Security Review is based on the Open Web Application Security Project (OWASP) Mobile Security Testing Guide (MSTG). The idea is simple: adjust the MSTG to your needs, so that you don’t have to work through the whole OWASP checklist and can focus on the functionalities that pose a real threat to the system. The review is designed to integrate easily with your Continuous Integration and Continuous Delivery process and, since it is agile, it can evolve together with your product. Moreover, the MSTG is maintained by the community and is based on best practices and international standards. Finally, our Mobile Security Review is an open source solution.
We created open sourced guidelines for Mobile Security Reviews, which are available here.
The benefits of using a Mobile Security Review seem clear-cut. The review increases the security and quality level of the product, but above all it makes you realise how secure your users’ data is.
“Developing a social care platform like Helpr, we've always been concerned about the security of the product. Given the profile of the application, we are constantly handling sensitive data, such as health condition, name, and address. So we couldn’t allow any disclosure of client data. Thus, a couple of weeks ago we had Helpr’s security reviewed and this gave us vital information. Luckily, there was no reason to be alarmed and no need to apply emergency fixes. However, the improvements proposed in the report are something we'll surely have in mind when planning the scope for the new iterations. An unbiased analysis of a project is always a valuable insight for the project team.”
Filip Kozłowski, Project Manager at Netguru overseeing the development of Helpr
A Mobile Security Review verifies correct project development, setup and overall code quality. It covers a large number of sensitive areas, such as risk analysis, data protection, reverse engineering protection, anti-tampering, encryption, communication, key management and many more, which makes it very valuable to product owners. An MSR helps make your app less vulnerable to security breaches and better protected against financial and reputational loss, as well as potential legal problems.
Getting a Mobile Security Review done is a win-win situation for both the owners and the users. The owners gain a reliable, high-quality product, which gets better positioning in app stores and better reviews. A higher-quality product improves the security of users’ personal data and their trust in the product, which in turn translates into bigger demand and business growth.
Thus, if you want to upgrade your project’s security level, contact us - together we will perform the review of your mobile product.