Mobile phones play an important role in our digital lives. Their critical function has only grown during the COVID-19 pandemic: 70% of people say they’ve preferred to use their smartphones/tablets versus computers. In addition, 67% of internet users used a shopping app on a mobile phone or tablet, with 52% buying a product, and the 35 billion mobile applications downloaded each month generate transactions worth $27 billion.
This growth in mobile-device usage has brought security squarely into focus. Data security can have a lasting impact on the success of an app and a company’s reputation. Organizations building apps or mobile-friendly sites therefore have a dire need to protect, secure, and safely handle the data consumed/generated/transferred through their offerings.
Wipro has partnered with many enterprises to institute best practices in development and secure data handling. In every case, development must include a robust data security management strategy and ensure that every app allows access only to authorized users. Our experiences have taught us several other lessons that any mobile-app development team can deploy.
Lessons proven to prevent mobile-app attacks
Mobile application attacks can be broadly classified into three main categories: app-based, device-based, and network-based attacks.
App-based Attack Solutions
These attacks are triggered by an infected app or malware that’s been installed by the user or is part of a “snooping app” like social media or games. App-based attacks include issues with app-overlays, key-loggers and third-party keyboards, application tampering and reverse engineering, improper use of platform APIs, and insecure data storage.
App-overlay attack solutions should always check whether an app overlay is active. If one exists on the device, users should be notified and instructed to disable it before using the app.
Key-logger and third-party keyboard solutions are designed to prevent the capture of device keystrokes. We helped a banking client protect users from credential theft by checking, during the app’s launch, for the presence of potentially dangerous third-party keyboards. On Android, if one is detected, the app attempts to switch to the approved device keyboard and notifies the user of the change. Another option is to build a secure keyboard into the mobile application. For iOS, overriding the shouldAllowExtensionPointIdentifier method of the UIApplicationDelegate class can block third-party keyboard extensions and force the app to use the native system keyboard.
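As an added example (not Wipro's code) of the Android launch-time check described above: it reads the currently selected input method, compares it against an allowlist of keyboard packages the app trusts (the package names below are assumptions), and, because an app cannot change the device keyboard on the user's behalf, warns the user and opens the system keyboard picker.

```kotlin
import android.content.Context
import android.provider.Settings
import android.view.inputmethod.InputMethodInfo
import android.view.inputmethod.InputMethodManager

// Added example, not the article's code. The allowlist is an assumption: the
// first entry is Gboard's package name, the second a placeholder for an in-house keyboard.
val TRUSTED_IME_PACKAGES = setOf(
    "com.google.android.inputmethod.latin",
    "com.example.approved.keyboard"
)

/** Package name of the keyboard the user currently has selected, or null if unset. */
fun currentImePackage(context: Context): String? {
    // DEFAULT_INPUT_METHOD has the form "package/.ServiceClass"; keep only the package part.
    val id = Settings.Secure.getString(context.contentResolver, Settings.Secure.DEFAULT_INPUT_METHOD)
    return id?.substringBefore('/')
}

/** True when the active keyboard is not on the allowlist. */
fun untrustedKeyboardActive(context: Context): Boolean {
    val pkg = currentImePackage(context) ?: return false
    return pkg !in TRUSTED_IME_PACKAGES
}

/** Every enabled (not merely installed) keyboard that is not trusted, so the warning can name it. */
fun untrustedEnabledImes(context: Context): List<InputMethodInfo> {
    val imm = context.getSystemService(Context.INPUT_METHOD_SERVICE) as InputMethodManager
    return imm.enabledInputMethodList.filter { it.packageName !in TRUSTED_IME_PACKAGES }
}

/** Called at launch: warn, then open the system picker so the user can switch keyboards. */
fun enforceKeyboardPolicy(context: Context, warn: (String) -> Unit) {
    if (!untrustedKeyboardActive(context)) return
    val others = untrustedEnabledImes(context).joinToString { it.packageName }
    warn("Keyboard ${currentImePackage(context)} is not approved (enabled: $others); please switch.")
    val imm = context.getSystemService(Context.INPUT_METHOD_SERVICE) as InputMethodManager
    imm.showInputMethodPicker()   // apps cannot select an IME themselves; they can only prompt
}
```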
Application tampering and reverse engineering solutions are not just needed to thwart hackers. Some internal information security teams may try to alter an app to comply with company policies. But these changes can negatively impact app users and put their data at risk. Performing one or more of the following steps can prevent app tampering from ever happening.
- Perform code obfuscation to prevent reverse engineering of the application. Use tools like ProGuard that come out of the box with Android.
- Perform file-modification checks at runtime using a hashing algorithm like SHA-256 to detect whether the APK or IPA has been modified since build time.
- Check the application’s signing details. Compare the values recorded at build time with those observed at runtime. Even better, send these details securely to the company’s remote server and determine their authenticity there.
- Don’t allow applications to run on emulators or virtual devices.
- Check whether the application is attached to a debugger or hooked at runtime.
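An added Kotlin example, not the article's code, combining three of the checks from the list above: the runtime signing-certificate comparison, the debugger check and an emulator heuristic. EXPECTED_CERT_SHA256 is a placeholder for the digest recorded at build time.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.os.Debug
import java.security.MessageDigest

// Added example, not Wipro's code. Placeholder: hex SHA-256 of the release
// signing certificate, captured from the build pipeline and compiled in.
const val EXPECTED_CERT_SHA256 = "<sha256-of-release-signing-cert-placeholder>"

/** Hex SHA-256 of the first signing certificate the OS reports for this app (API 28+). */
fun signingCertSha256(context: Context): String? {
    val info = context.packageManager.getPackageInfo(
        context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
    )
    val cert = info.signingInfo?.apkContentsSigners?.firstOrNull() ?: return null
    return MessageDigest.getInstance("SHA-256").digest(cert.toByteArray())
        .joinToString("") { "%02x".format(it) }
}

/** A repackaged or re-signed build will not match. Also send the digest to the
 *  server for a second opinion rather than trusting only the on-device compare. */
fun signatureMatchesBuild(context: Context): Boolean =
    signingCertSha256(context)?.equals(EXPECTED_CERT_SHA256, ignoreCase = true) == true

/** Debugger attached, or the process is waiting for one to attach. */
fun debuggerPresent(): Boolean =
    Debug.isDebuggerConnected() || Debug.waitingForDebugger()

/** Emulator heuristic: each signal alone can be spoofed, so several are combined. */
fun likelyEmulator(): Boolean {
    val fp = Build.FINGERPRINT
    return fp.startsWith("generic") || fp.contains("emulator") ||
        Build.MODEL.contains("Emulator") || Build.MODEL.contains("Android SDK built for") ||
        Build.HARDWARE.contains("goldfish") || Build.HARDWARE.contains("ranchu") ||
        Build.PRODUCT.contains("sdk")
}

/** Names the checks that failed; an empty list means the environment looks intact. */
fun integrityFailures(context: Context): List<String> {
    val failures = mutableListOf<String>()
    if (!signatureMatchesBuild(context)) failures += "signing certificate mismatch"
    if (debuggerPresent()) failures += "debugger attached"
    if (likelyEmulator()) failures += "running on emulator"
    return failures
}
```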
Solutions for improper use of platform APIs are invaluable for protecting sensitive user data. Native platforms provide APIs for securely storing data (Keychain on iOS, Keystore on Android) and for authenticating users with biometrics. If developers do not use these services correctly, sensitive data can be compromised.
One client was unaware of a vulnerability until its Android app-review process rejected it for using an outdated version of Cordova. When using any third-party packages, it is critical to keep these packages updated.
Another recommended check to build into an app development process is to verify use of the right cryptographic APIs to ensure correct encryption. This will prevent using outdated or broken encryption algorithms.
Insecure data storage solutions make sure that the right data is stored in the right place with access restrictions. Anything involving users’ personal data or user authentication tokens should always be stored in the Keychain or KeyStore with correct unlock settings. We’ve learned several ways to prevent insecure data storage:
- Classify all the data being stored by the application according to sensitivity.
- Never store any data that is categorized as PII (Personally Identifiable Information) in mechanisms like preferences or user defaults as these are not secure.
- Use app sandboxing and never leak anything outside of the application.
- Use Keychain services on iOS and encrypt data using Android Keystore.
Device-based Attack Solutions
Device-based attacks usually render a mobile device unusable or launch a cloned operating system that can be malicious. These attacks are caused by tampering with the device or the operating system. Device-based attacks include rooting, jailbreaking, and app hooking.
Rooting solutions prevent unauthorized, privileged control over Android systems. Android’s SafetyNet API easily detects rooting, but there are many other ways to determine whether a device has been rooted. At a minimum, implement basic root checks.
Jailbreaking solutions prevent the exploitation of iOS vulnerabilities. These solutions should ensure that when an iOS device boots it only loads Apple-approved software. There are many ways to detect jailbreaks, such as checking whether particular apps (for example, Cydia) are installed on the device. New jailbreaks are introduced every month. Consider using a security tool like iXGuard to check for new jailbreaks.
App-hooking solutions detect and block runtime hooking, which can undo the protection that code obfuscation provides. An app can be hooked by modifying the source code or injecting malicious code. Popular tools like Frida, Fishhook, and Cydia Substrate make it extremely easy to add debug information or hook any function, spy on cryptographic APIs, or trace private application code.
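Added example, not the article's code: the basic root checks recommended above together with a check for the hooking frameworks named in this section, written as heuristics that return the signals they found. The su paths and root-manager package names are assumptions for illustration.

```kotlin
import android.content.pm.PackageManager
import android.os.Build
import java.io.File

// Added example, not Wipro's code. Every signal here can be hidden by a
// determined attacker, so treat the results as indicators, not proof.
private val SU_PATHS = listOf(
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/su/bin/su", "/system/su", "/data/local/xbin/su", "/data/local/bin/su"
)
private val ROOT_MANAGER_APPS = listOf("com.topjohnwu.magisk", "eu.chainfire.supersu")
private val HOOK_MARKERS = listOf("frida", "substrate")   // frameworks named in the text

/** Firmware signed with test keys, a su binary on disk, or su reachable on PATH. */
fun basicRootSignals(): List<String> {
    val hits = mutableListOf<String>()
    if (Build.TAGS?.contains("test-keys") == true) hits += "build tagged test-keys"
    SU_PATHS.filter { File(it).exists() }.forEach { hits += "su binary at $it" }
    runCatching {
        val p = Runtime.getRuntime().exec(arrayOf("which", "su"))
        if (p.inputStream.bufferedReader().readLine()?.isNotBlank() == true) hits += "su on PATH"
    }
    return hits
}

/** Root-management apps present (on API 30+ the manifest needs <queries> entries for them). */
fun rootManagersInstalled(pm: PackageManager): List<String> =
    ROOT_MANAGER_APPS.filter { runCatching { pm.getPackageInfo(it, 0) }.isSuccess }

/** Libraries mapped into this process whose path names a known hooking framework. */
fun hookingLibrariesLoaded(): List<String> =
    runCatching {
        File("/proc/self/maps").readLines()
            .filter { line -> HOOK_MARKERS.any { line.contains(it, ignoreCase = true) } }
            .map { it.substringAfterLast(' ') }
            .distinct()
    }.getOrDefault(emptyList())

/** All signals together, so the caller can log them and decide how to degrade the app. */
fun compromiseSignals(pm: PackageManager): List<String> =
    basicRootSignals() +
        rootManagersInstalled(pm).map { "root manager $it installed" } +
        hookingLibrariesLoaded().map { "hooking library $it loaded" }
```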
Network-based Attack Solutions
Network-based attacks happen when there’s inadequate security as an app attempts to fetch user or application data from remote servers. Man-in-the-middle, no SSL, or outdated TLS protocols are typical examples of network-based attacks. Found in other systems for years, these problems are now impacting mobile applications.
Man-in-the-middle attack solutions prevent unauthorized interception that could allow a malicious party to capture data moving to and from the app. Implement strong SSL pinning and application authentication mechanisms to prevent data hijacking.
Solutions for missing SSL or outdated TLS protocols can prevent devastating data leaks. It is always a best practice to implement SSL-based data transfer between the client and the server. For example, on iOS 9 or Android P, insecure http pages no longer load. Developers and companies should move to more secure https-based communication. It is the gold standard.
Do not overlook protocols; they are a very important factor, too. Some servers still use outdated TLS (< TLS 1.2) protocols that are vulnerable to attacks. A simple query with https://www.ssllabs.com will point out common mistakes that network administrators might fail to see. Additionally, ensuring proper TLS configuration on the server side is extremely important.
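An added example (not Wipro's code) of the SSL pinning and TLS-version requirements from the last two paragraphs, using OkHttp's CertificatePinner and ConnectionSpec; the host name, the request path and the pin values are placeholders.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.TlsVersion
import java.util.concurrent.TimeUnit

// Added example, not the article's code. Placeholders: the host and both pins
// (real pins are base64 SHA-256 hashes of the certificate's SubjectPublicKeyInfo).
const val API_HOST = "api.example.com"
val PINS = listOf(
    "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",  // current certificate
    "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="   // backup pin so key rotation does not brick the app
)

/** Client that refuses cleartext, anything below TLS 1.2, and any chain that does not contain a pinned key. */
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder().apply {
        PINS.forEach { add(API_HOST, it) }
    }.build()
    // ConnectionSpec.CLEARTEXT is deliberately absent, so plain http:// URLs fail to connect.
    val tls = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .connectionSpecs(listOf(tls))
        .connectTimeout(10, TimeUnit.SECONDS)
        .build()
}

/** A pin mismatch surfaces as SSLPeerUnverifiedException before any request body is sent. */
fun fetchAccount(client: OkHttpClient): String? =
    client.newCall(Request.Builder().url("https://$API_HOST/v1/account").build())
        .execute().use { if (it.isSuccessful) it.body?.string() else null }
```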
Make mobile security a practice
Security is a cat-and-mouse game, so it is important to stay alert. Security should not be a separate activity at the end of the software lifecycle, but a common practice throughout app development. This includes ongoing security change monitoring.
Wipro has vast expertise in cyber security that we’ve incorporated into mobile-development and data-security best practices. These best practices and lessons learned, some of which are detailed above, can help any mobile app development team improve the protection and security of all user data.