2. The Scenario
According to CIO Magazine, one-third of all iOS
enterprise applications are vulnerable to
attackers. The situation is even worse for Android.
Cybersecurity threats are now evolving even
faster along with emerging technologies like IoT;
increasing the Cyber Security skill gap further.
4. Some common security exploits:
➔ Malware applications on user’s device exploiting other mobile
applications
➔ Botnet attacks to extract user information and key strokes
➔ Vulnerabilities in servers, integrated browser, and third-party
libraries
➔ Weak authentication and authorization
➔ Hard-coded credentials and deployment in debugging mode
5. Last year, TeamViewer was a victim of such an
attack, and, thousands of users reported that
someone was trying to make a purchase with their
credit cards. Fortunately, TeamViewer was able to
recover their server within few hours.
6. That’s why…
We created this exhaustive list of common
security checklist, that you can use to reduce
the number of vulnerabilities present in your
application.
P.S. You can read more details about each checklist here:
https://www.simform.com/mobile-application-security-data-vulnerabilities/
7. Evaluate open source codes or third party libraries
for Vulnerabilities
Open source is changing our world, speeding up development and deployment.
Recently, due to a third party code involved, more than 1400 vulnerabilities
were introduced into ColdFusion’s Pyxis supply station.
We insist on keeping a security policy that any 3rd party or open source code
being added has to go through exhaustive security testing.
8. Authorization using OAuth 2.0
Most enterprises fail to understand the usefulness of OAuth, and either go all
in or don’t use it all.
We recommend the implementation of oauth 2.0, along with real time
monitoring for implicit grant.
To improve the security further, utilize OpenID connect along with oauth 2.0.
10. OAuth 2.0 + OpenID connect
OpenID token holds claims about the authenticated signed user. This lets
the server verify that the token was not tampered with, and was not issued
to some other user client.
Using Oauth 2 along with OpenID connect, v
11. “ Mosquitos aren’t the only pests
to prepare for in Rio de Janeiro.
Take precautions to protect your
data and mobile applications.”
12. Prevent client side injection for mobile app
security
Under client side injection, attackers push malicious code in form of
input, which then is consumed by the mobile application. This happens
on account of weaker input validation and lack of mobile security testing
policies.
To reduce the chances of a client side injection, as a basic guideline
one should look into:
Data stored on the device
User sessions
Mobile application interfaces
13. Optimize data caching for application
security
Mobile devices often store cached data to enhance the app
performance, which makes it more vulnerable because attackers could
easily breach and decrypt the cache data to steal user’s account
information.
If the nature of data that your app stores is extremely sensitive, having
a passcode to access the application reduces vulnerabilities associated
with cached data.
14. Disable debugging before the release
Many developers don’t turn off debugging when they deploy their
application in product environments. Keeping debugging on in
production environments allow attackers to gain access to critical
parts of your application.
Turning off debugging mode is extremely simple, in fact, this, in
reality, is just a deployment prep checklist, a developer can turn off
debugging mode by:
Debuggable = ‘false’ in case of Android
PT_DENY_ATTACH in case of iOS applications
15. Protect sensitive information that
application stores locally
While you may not be keeping patient records locally, but there’s a 90%
chance that you store some information locally that can help an attacker
gain access to almost anything.
Whether it is iOS or Android, your choice of local data storage
implementation should be based on strict and thorough security
considerations. In the case of Hybrid applications, things further complicate.
Keychain is one of the best ways to store data locally, but given no straight
forward implementation, in a quicker go-to-market environment, it usually is
ignored.
16. Enable remote data wipe
The capability to remotely wipe and lock sensitive data from a user’s
device gives an additional layer of security to enterprises. While there are
many existing tools that enable remotely wiping data, they have their own
pros and cons.
Consider the two cases:
Isolation of enterprise data from the user’s personal data in case of
BYOD scenario
Data breaches in case of a stolen or lost device
17. To enable remote data wipe, enterprises use the following
solutions depending on the device ownership models:
Factory data reset
Full device Wipe
Enterprise Device Wipe
18. Implement SSL/TLS
The network connection between the mobile application
and server, if not secured properly is prone to man-in-the-
middle-attack.
The validating authenticity of security certificates helps to
eliminate illegal access by attackers.
Always make sure that your application’s code
acknowledges valid security certifications, and blocks any
request with invalid self-signed-certificates.
20. Entitlements and permissions
Always limit the permissions required to
run the application. Restricting access to
unwanted devices features, ability to run
in background will prevent attackers to
access the app data.
21. Implement anti-tampering techniques
Tampering with your application has several benefits for the attackers:
Authentication bypass, geolocation falsification, stealing sensitive data and
many others.
It can then be leveraged to get access to offline documents, location
falsification, payment and medical related sensitive information.
Implementing run time security should be at the top of the priority list for
most enterprises building next generation mobility strategy especially for
those building consumer facing applications.
22. Disable App Backup
Almost all the devices back up all data
automatically, and if you’d allow the Operating
system to backup the application data. The
chances are that an attacker could see or
modify the application locally-stored data
without having root or physical access to the
device.
23. Restrict Devices to take App Screenshots
Android OS have a tendency to automatically take
screenshots of the applications to measure performance
and report bugs.
To stop the device to expose the sensitive data, you need
to set the “FLAG_SECURE” attribute or
“android:excludeFromRecents” flag.
24. Thank you!
Feel free to share your views in the comment
section. For more details and updates on the
enterprise mobility, security and scalability,
subscribe to our blog here.
https://simform.com
