Developing Secure Mobile App
Growth in smartphones and tablets has led to dramatic shift in the way general public and corporate users interact with business. Mobile apps are also susceptible to different threats as the applications are now used to access sensitive information and perform business critical activities. Traditionally, development teams have been focused on the performance and capability, and security teams only come when all development work was complete and the applications were in production. To develop and maintain secure mobile apps, various security considerations and measures, both technical and administrative, need to be implemented during different stages of mobile apps development.
Security should be embedded into the development life cycle of mobile app so as to address compliance requirement and minimise security risk. The methodology on software development is evolving with new development style such as agile software development or DevOps (compounding “development” and “operations”) for continuous integration and continuous delivery to build mobile app faster using an iterative development process. It focuses on continuous communication, integration, measurement and delivery to foster the processes between app development, testing and quality assurance.
Following common stages and key security considerations are discussed to help understand relevant security concerns in mobile app development:
Security should be considered during the requirement phase so that security is included throughout the development life cycle. Security requirements should be defined along with functional requirements and further incorporate security during other phases of software development. If the requirements are defined properly, identified risks could be addressed in early stages, which can greatly reduce extra work in later stages and remediation effort. The following areas should be considered for security requirements:
The design stage involves designing the application architecture in accordance with the specifications aligned in the requirement stage. As application architecture is established, development team should review the system design by identifying possible compliance issues as well as security risks with reference to defined security requirements. This includes designing appropriate security controls for a given type of data and incorporating threat modelling to identify and address the risks associated with the application.
A security review should also be conducted in the design stage. It serves as a checkpoint to ensure necessary security requirements are identified and incorporated in the system design.
Observing secure coding standards can help improving security and reducing the number of common mistakes that may result in security breaches. Performing security assessments during the development stage also helps to identify necessary security controls, and provides timely feedback to developers regarding the security of their codes. Static Application Security Testing (SAST) should also be performed to provide an early indicator of code quality in order to deliver consistent, high-quality mobile apps.
In addition to user acceptance test, system tests, stress tests, regression tests and unit tests are also useful in validating the performance and accuracy of system functionalities. Testing mobile apps could be more challenging than web apps due to the high variant of platforms and testing environment. A comprehensive testing plan should be established to design the testing approach and define the details on “what”, “when” and “how” to test.
A security risk assessment with security audit should be performed before the production launch and after any major changes. Each vulnerability fix may require updates to custom codes that could introduce new vulnerabilities. It is imperative to continuously assess the risk and impact to maintain secure mobile app.
Maintenance and Support Stage
New functionalities to the app or updates to existing functions may introduce changes in which security controls should be identified, documented, tested and reviewed to ensure that the system can be effectively protected from attacks or being compromised. Continuous testing is vital to maintain security assurance and protect the app where most attacks occur. The app should be regularly reviewed to ensure sufficient security is in place.
Consider decommissioning the app if it no longer meets the objectives, or when there are other apps that can better serve the purposes. Some suggestions on the decommission plan:
Security by design and data privacy should be embedded into the whole app system design and development processes to protect the data and individual’s right to privacy. Developers should ensure that security issues are incorporated as part of the basic architectural design. Detailed designs for possible security issues should be reviewed, and mitigations for possible threats should be determined and developed. Related laws, regulations and ordinances (e.g., Personal Data (Privacy) Ordinance) should also be followed when defining the privacy requirements. Developers should pay attention to the following best practices during system design in order to protect users’ privacy.
Most critical mobile app security flaws are listed below, users and development team should review and define the security requirements of their applications. Moreover, application developers should be aware of these common security flaws and avoid such problems in their codes.
Mobile apps are subject to similar security considerations and risks as other applications, thus general best practices for application development are also relevant to mobile apps development. Due to varying use cases, usage patterns and various mobile platforms, mobile apps developers should also take note of the remote web services, platform integration issues and insecurity of mobile devices. Developer should consider the following areas to build a secure mobile app:
General Considerations in Mobile App Development
Authentication and Session Management
Data Storage and Protection
Code Obfuscation / Reverse Engineering
Use of Third-Party / Open Source Libraries
Testing mobile apps on mobile devices can be more challenging than testing web applications on personal computer due to wide varieties of mobile OS, hardware components and network environment, etc. The following areas should be considered in mobile app testing cycle.
Testing Mobile App Functionality
To make sure the mobile app functions properly on supported device, functional testing should be conducted to verify the mobile app features specification. There are also different types of mobile app testing that need to be considered:
Testing Code Quality
Developers use a wide variety of programming languages and frameworks in mobile app development. Common vulnerabilities such as injection flaws, memory corruption, and cross-site scripting, may manifest in apps when failed to follow secure programming practices. For example, injection attacks against a mobile app are most likely to occur through inter-process communication (IPC) interfaces, where a malicious app attacks another app running on the device. Testing should be conducted to identify possible entry points for untrusted input or to identify known, dangerous library / application program interface (API) calls.
Cryptography in Mobile Apps
Cryptography is crucial in securing the user's data in a mobile environment, where attackers may have physical access to the user's device. Proper encryption or appropriate key storage APIs should be adopted for storing sensitive information. Not to use any cryptographic algorithms or protocols that contain known weaknesses. Adopt the best practices and security configurations to ensure the cryptographic algorithms are up to date and in-line with industry standards. Outdated ciphers such as DES, or hashing function such as SHA1 must not be used. Other configuration issues such as insufficient key length, hard-coded cryptographic keys and weak key generation functions should be checked.
Mobile App Authentication
Appropriate authentication methods should be integrated and performed by both front-end client and back-end server to protect against attacks such as password dictionary attack or brute force attack. In general, username/password authentication is considered for apps that are not sensitive; two-factor authentication is generally considered for protecting sensitive app (e.g., SMS and token). Testing should be conducted to ensure the authentication procedure is consistently enforced on both front-end client and back-end server.
The following steps should be tested on authentication and authorisation:
Testing Network Communication
Network communication between mobile device and server usually takes place over untrusted networks. It may put the mobile app at risk of network-based attacks such as packet sniffing or man-in-middle-attacks. Encrypted connection (e.g., HTTPS) should be used to ensure confidentiality and integrity of the network data while handling sensitive data. Intercept the tested app's incoming and outgoing network traffic and make sure that the traffic is encrypted, such as capture the network traffic with packet analyser and display the captured traffic in a human-readable format with network protocol analyser. After all, verify that the server is configured according to best practices.