Sage Advice - Cybersecurity Blog

Mobile Application Security: Features to Include in Your Mobile App

The use of mobile devices continues to grow. According to comScore’s 2016 U.S. Cross-Platform Future in Focus, in the United States mobile represents 65% of all digital media time, and mobile applications (apps) dominate that usage. It’s fairly common for businesses today to have a mobile app, where clients can access your products and services directly from their smartphones or other mobile devices quickly and easily. If you’re considering developing an app, or updating an existing one, keep in mind that the development process is not just about providing a positive user experience or incorporating a fancy design: security must be part of the conversation from the very beginning.

In the first half of 2016, there was a 96% increase in smartphone malware infections compared to the second half of 2015, according to Nokia’s Threat Intelligence Report – H1 2016.  Mobile malware is becoming more sophisticated, and instances of infection will only increase.  Here are some security features you should consider when developing a mobile app.

Require Data Validation / Integrity Checks

You want to ensure that all the data being handled by your app is handled securely, and that means validating everything that passes through it. For example, most secure applications require a username to log in. You should control that input so that it only accepts valid usernames.
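As an added example (not code from the original post), here is an allow-list username check in Kotlin for an Android login screen. The length bounds and the permitted character set are assumptions chosen for illustration; the point is that the field only ever accepts what you have explicitly allowed, rather than trying to block known-bad input.

```kotlin
// Added example, not code from the original post: allow-list validation of the
// username field before the value is used or sent to the backend. The bounds
// and character set below are assumptions chosen for illustration.
object UsernameValidator {
    private const val MIN_LENGTH = 3
    private const val MAX_LENGTH = 32

    // Whole-string match: letters, digits, '.', '_' and '-', starting with a letter or digit.
    private val ALLOWED = Regex("[A-Za-z0-9][A-Za-z0-9._-]*")

    sealed class Result {
        data class Valid(val normalized: String) : Result()
        data class Invalid(val reason: String) : Result()
    }

    fun validate(raw: String?): Result {
        if (raw == null) return Result.Invalid("username is required")
        val trimmed = raw.trim()
        return when {
            trimmed.length < MIN_LENGTH -> Result.Invalid("shorter than $MIN_LENGTH characters")
            trimmed.length > MAX_LENGTH -> Result.Invalid("longer than $MAX_LENGTH characters")
            !ALLOWED.matches(trimmed) -> Result.Invalid("contains characters outside the allowed set")
            else -> Result.Valid(trimmed.lowercase())   // canonical form for account lookups
        }
    }
}

// Login screen handler: only a Valid result ever reaches the network layer.
fun onLoginClicked(input: String, submit: (String) -> Unit, showError: (String) -> Unit) {
    when (val r = UsernameValidator.validate(input)) {
        is UsernameValidator.Result.Valid -> submit(r.normalized)
        is UsernameValidator.Result.Invalid -> showError(r.reason)
    }
}
```

Because the client can be modified or bypassed entirely, the backend must repeat the same check on every request; the on-device validation improves the user experience and reduces noise, but it is not the security boundary.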

Disable Debug Code

Debug code is often used during development to help developers test for errors and figure out what is causing them. Once the app is in production, however, it should be disabled. If it is left in and a hacker gains access to the debug output, they will be able to see how the application handles input and how users move around the app. This can translate into a roadmap to the best way to exploit the app.

Don’t Log Sensitive Data

Be sure to review what your application is logging and ensure that you’re not storing sensitive information, including usernames, passwords, or account numbers, that a hacker could access. Don’t forget the keyboard cache, which provides auto-fill capability. Some keyboards are set to log everything that is typed, and hackers might be able to access that information as well.
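As an added example that is not part of the original post, the following Kotlin covers both of the preceding sections for an Android app: a logging wrapper that is silent in release builds and masks sensitive key=value pairs, a runtime check that the shipped build is not debuggable and has no debugger attached, and input-field settings that keep a value out of the keyboard cache and the platform autofill store. `com.example.app` is a placeholder package name and the list of sensitive keys is an assumption.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Debug
import android.text.InputType
import android.util.Log
import android.view.View
import android.widget.EditText
import com.example.app.BuildConfig   // generated by the Android build; package is a placeholder

// Added example, not code from the original post.

// 1. Debug code: a logging wrapper that does nothing in release builds, so no
//    trail of "how the app handles input" is left for a release user to read.
object SafeLog {
    // Sensitive key=value pairs are masked before anything is written (assumed key list).
    private val SENSITIVE = Regex("(?i)\\b(password|passwd|pin|token|account)=([^&\\s]+)")

    fun redact(message: String): String =
        SENSITIVE.replace(message) { m -> "${m.groupValues[1]}=[REDACTED]" }

    fun d(tag: String, message: String) {
        if (BuildConfig.DEBUG) Log.d(tag, redact(message))
    }
}

// 2. Belt and braces: confirm at runtime that what shipped is not a debuggable
//    build and that no debugger is attached, e.g. to refuse to start in that state.
fun isDebuggableOrDebugged(context: Context): Boolean {
    val debuggable = (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
    return debuggable || Debug.isDebuggerConnected()
}

// 3. Keyboard cache / autofill: configure a field that takes an account number so
//    the IME does not learn from it and the platform autofill store does not keep it.
fun hardenSensitiveField(field: EditText) {
    field.inputType = InputType.TYPE_CLASS_TEXT or
        InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS or
        InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD   // password variations are not learned by the IME
    field.importantForAutofill = View.IMPORTANT_FOR_AUTOFILL_NO   // API 26+
}
```

Routing every log call through `SafeLog` rather than `android.util.Log` directly is what makes the release-build gate enforceable in code review; the redaction is a second layer for the debug builds that do log.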

Sanitize Background Image

Most mobile devices enable you to scroll through images of recently opened apps, so you can easily navigate between them. These images are actually screenshots of what you were looking at before you navigated to another app. While it’s convenient if you want to go back to Safari and see what you were searching for, it’s not very secure. For example, if you navigate away from your banking app and the device takes a screenshot of your account information, a hacker could get this info. Sanitizing the background image means that you put a static image in place of the live screenshot. By showing a screenshot of your company’s logo instead of an actual screen capture, you’re adding a level of protection for your end user’s data.

Restrict Clipboard Access

Hackers will always go to the clipboard data to see what information they can glean to make their job easier, like usernames and passwords.  You can restrict the ability to store anything on the clipboard from your app.   
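As an added example, not code from the original post, the Kotlin below shows both of the preceding controls in one Android Activity: `FLAG_SECURE` keeps the screen out of the recent-apps thumbnail (the system shows a blank surface instead of a capture), and a no-op `ActionMode.Callback` removes cut/copy/paste/share from a field so its value cannot be placed on the clipboard from this app. The activity and its sample account number are constructed for illustration.

```kotlin
import android.os.Bundle
import android.view.ActionMode
import android.view.Menu
import android.view.MenuItem
import android.view.WindowManager
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity

// Added example, not code from the original post: an Activity that shows
// account data and hardens both the recents thumbnail and the clipboard.
class AccountActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE excludes this window from screenshots, screen recording and
        // the recent-apps switcher thumbnail: the system renders a blank surface
        // there instead of a live capture of the account screen. Set it before
        // any content is attached so no frame is ever captured.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        // Field built in code so the example needs no layout resource.
        val accountNumber = EditText(this).apply { setText("1234 5678 9012") } // constructed sample value
        disableClipboard(accountNumber)
        setContentView(accountNumber)
    }

    // Strip cut/copy/paste/share from the selection and insertion menus of a field,
    // so its value cannot be placed on the system clipboard from this app.
    private fun disableClipboard(field: EditText) {
        field.isLongClickable = false   // no long-press selection
        val noMenu = object : ActionMode.Callback {
            override fun onCreateActionMode(mode: ActionMode?, menu: Menu?): Boolean = false
            override fun onPrepareActionMode(mode: ActionMode?, menu: Menu?): Boolean = false
            override fun onActionItemClicked(mode: ActionMode?, item: MenuItem?): Boolean = false
            override fun onDestroyActionMode(mode: ActionMode?) {}
        }
        field.customSelectionActionModeCallback = noMenu   // text-selection menu
        field.customInsertionActionModeCallback = noMenu   // paste-handle menu (API 23+)
    }
}
```

If a screen genuinely needs to show a branded placeholder rather than a blank surface, the same effect can be achieved by swapping in a static view in `onPause` and restoring the live content in `onResume`; `FLAG_SECURE` is the simpler and more robust option because the platform does the blanking.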

Build a Sandbox

Sandboxing your app allows you to restrict access to your app's data from other apps.  You put it in its own container, and it can only access data within its own container, unless given permission.  For example, if you’re on your phone and Google Maps asks if it can use your location, clicking yes will give that app permission to get outside of its sandbox.  You need to be careful about what information you’re allowing from your application because you don’t want to inadvertently allow access to sensitive information from your application through a flaw in another application because the sandbox is compromised.
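As an added example that is not part of the original post: on Android each app already runs in its own sandbox (its own Linux uid and private data directory), so what the developer controls is where data is written and how narrowly it is handed out of the container. The Kotlin below keeps a file private and then grants another app read-only access to exactly that one file, the file-sharing counterpart of the location-permission prompt described above. The `FileProvider` authority is a placeholder that must match a `<provider>` entry in the app manifest.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import androidx.core.content.FileProvider
import java.io.File

// Added example, not code from the original post.
// Placeholder authority; it must match the <provider> declared in the manifest.
const val FILE_PROVIDER_AUTHORITY = "com.example.app.fileprovider"

// Write inside the app-private directory with MODE_PRIVATE: the file is readable
// only by this app's uid. (The world-readable/writable modes no longer exist on
// API 24+ and throw SecurityException if requested.)
fun saveStatement(context: Context, pdfBytes: ByteArray): File {
    context.openFileOutput("statement.pdf", Context.MODE_PRIVATE).use { it.write(pdfBytes) }
    return File(context.filesDir, "statement.pdf")
}

// Give another app access to exactly one file, read-only, for the lifetime of the
// receiving activity, instead of copying it to shared external storage where any
// app could read it.
fun buildShareIntent(context: Context, file: File): Intent {
    val uri: Uri = FileProvider.getUriForFile(context, FILE_PROVIDER_AUTHORITY, file)
    return Intent(Intent.ACTION_SEND).apply {
        type = "application/pdf"
        putExtra(Intent.EXTRA_STREAM, uri)
        addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)   // read only, scoped to this single uri
    }
}
```

The same principle applies to the app's components: activities, services and content providers that other apps do not need should be declared with `android:exported="false"` so a flaw in another application cannot reach them.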

Enable Jailbreak Detection

Jailbreaking is gaining administrative access to the phone, which is precisely what a hacker tries to do during an attack.  Design your app so that it checks to see if a phone is jailbroken before launching.  This is just another way to protect your users from leaking information from a jailbroken device. 
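As an added example, not code from the original post, here is a best-effort root check in Kotlin for Android (root being the Android equivalent of a jailbreak), run before the first screen is shown. The list of `su` paths is a common set of locations rather than an exhaustive one; like any on-device check it can be defeated by a determined attacker, so it is one layer, as the section above says, not a guarantee.

```kotlin
import android.os.Build
import java.io.File

// Added example, not code from the original post: best-effort detection of a
// rooted (the Android equivalent of jailbroken) device at launch.
object RootDetector {
    // Common locations of the su binary on rooted devices (assumed, not exhaustive).
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su"
    )

    fun suBinaryPresent(): Boolean = SU_PATHS.any { File(it).exists() }

    // A build signed with AOSP test keys is a custom/dev ROM rather than a vendor build.
    fun builtWithTestKeys(): Boolean = Build.TAGS?.contains("test-keys") == true

    // Ask the shell whether "su" is on the PATH; any failure counts as "not found".
    fun suOnPath(): Boolean = try {
        val proc = Runtime.getRuntime().exec(arrayOf("which", "su"))
        proc.inputStream.bufferedReader().use { it.readLine() != null }
    } catch (e: Exception) {
        false
    }

    fun isLikelyRooted(): Boolean = suBinaryPresent() || builtWithTestKeys() || suOnPath()
}

// Called before the first screen is shown; the app refuses to proceed on a
// device where the platform protections cannot be relied on.
fun gateLaunch(onBlocked: () -> Unit, onAllowed: () -> Unit) {
    if (RootDetector.isLikelyRooted()) onBlocked() else onAllowed()
}
```

Running the check on launch (and again when the app returns to the foreground) is what protects the user's data in practice, since a device can be rooted after the app was installed.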

Test for Vulnerabilities

Before you release your app to production, you should have a Mobile Penetration Test.  Being able to simulate a real world attack against your app in a safe, controlled manner will help you validate existing security controls and identify weaknesses in need of improvement. 

When a hacker attempts to exploit a mobile application, their goal is to identify and exploit vulnerabilities in either the mobile application or any backend web services / infrastructure behind it in order to gain access to the system and/or sensitive data, so it’s important that the engagement includes both.

If protecting the security of your clients’ data is important to your organization, you should consider mobile application security as an integral part of your development process.    
