In our previous blog post, Securing Financial & Enterprise Mobile Applications – Part 1, we identified a number of the security threats affecting mobile applications. In this article, we will discuss a few best practices to tackle these security issues.
According to Jeffrey Voas, an IEEE Fellow and computer scientist at the National Institute of Standards and Technology (NIST), there is harmful malware in more than 2,000 free apps currently available, and Voas says that almost 1 in 100 free apps in 2012 will visibly contain malware, with the possibility of even more malware that escapes immediate detection.
As mentioned in my previous post, security of enterprise & financial applications is of high priority. Any application that is ready to be used by customers or employees should be checked for security flaws before it is rolled out. Ideally the application is subjected to multiple layers of validation, not just a single-step security check. We have to ensure that it covers:
• On-device data security
• Encryption of transit data
• SSL data transmission
• Device management
Securing applications should not come at the cost of user experience. Both are equally important and should go hand in hand. I have seen applications that are highly secure, with no loose ends at all, but that unfortunately hardly have any users, simply because they are slow and take a long time to complete simple tasks.
Security issues can be tackled by following certain guidelines while developing the app: on the application side, network side, browser side, phone OS side and web server side, and during the distribution of the application.
Here is a comprehensive list of measures that will make the application more secure:
1. Ensure that the registration and activation process is strong
2. User authentication handling (passcode strength, account lockout) should be foolproof
3. Ensure that 2-factor authentication (including a device factor) is enabled
4. Ensure that session persistence and timeout are enabled for apps
5. Avoid insecure storage of the user name, password or application data on the device, storage of any 2-factor authentication data, and user data in backups
6. Avoid storing sensitive data in history artefacts
7. Provide a function to permanently delete user data
8. Avoid insecure storage of data on removable media such as SD cards
9. Avoid leaking data into log files or application debugging output
10. Avoid transmitting login data insecurely
11. Avoid vulnerability to man-in-the-middle (MITM) SSL attacks
12. Avoid transmitting sensitive user data insecurely over Wi-Fi
13. Avoid session hijacking risk completely
14. Handle securely any transaction interrupted by inbound calls, SMS, etc.
15. Ensure that SSL is correctly implemented and enforced
16. If custom encryption is leveraged, ensure it is sufficient for data protection
17. Ensure that the application can prevent web framing, hijacking and related attacks
18. Address platform security risks, including the keychain on iPhone (the option to store passwords)
19. Keep the backend APIs (services) and the platform (server) secure
20. Perform data integration with third-party services/applications securely
21. Ensure secure distribution/provisioning of mobile applications
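Items 11 and 15 are the ones most often undone in code by a "just accept the certificate" workaround. The following is an added example, not code from the original post: it shows the weak client TLS setup beside the enforced one using Python's ssl module, plus a small audit function of the kind a pre-release check could run; the function names and the `ca_bundle` path are hypothetical, and the same settings exist under other names in Android and iOS TLS APIs.

```python
import socket
import ssl
from typing import List, Optional

# Added example: the client-side TLS configuration an auditor looks for
# (checklist items 11 and 15). Function names and ca_bundle are hypothetical.


def insecure_context() -> ssl.SSLContext:
    """The classic 'make the certificate error go away' configuration.

    With hostname checks and chain validation off, any certificate,
    including one minted by an on-path attacker, is accepted (item 11).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verified chain, hostname check and TLS 1.2 or newer enforced (item 15).

    ca_bundle (hypothetical path) lets the app trust only its own CA instead
    of every root in the device store; None falls back to the system roots.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a pre-release security check would raise."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions below 1.2 are allowed")
    return findings


def open_tls(host: str, port: int, ctx: ssl.SSLContext) -> str:
    """Connect with the given context and report the negotiated TLS version."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```

`audit_context(insecure_context())` reports the missing chain and hostname checks, while `audit_context(hardened_context())` returns no findings.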
Security issues do not end with adhering to all the checkpoints and ensuring that the app is secure. Once the app is rolled out, the next thing that needs to be taken care of is device management. Organisations have to use an appropriate device management solution to monitor the usage of mobile devices and keep them safe in case a device is lost. Companies can either develop custom device management systems or implement a third-party product. A few MDM products currently available in the market are Zenprise, Wavelink, Air-watch and formation.
To address and overcome the critical issues mentioned in the previous post, it is highly recommended that, once the mobile app is developed, the company works with a mobile security expert to identify and close such gaps.