Mobile App, 5 May

Mobile App Security Considerations for Developers

On March 26, just over a month before taxpayers faced their annual filing deadline, the Canada Revenue Agency (CRA) posted a series of Twitter updates notifying users of an outage affecting all of its online services, including its mobile apps [1].

According to local news reports, the downtime was related to hardware problems. Before this clarification, however, many users believed that the CRA had once again fallen victim to a data breach.

Past Problems

In 2014 and 2017, information security specialists at the CRA took their systems offline as a precaution after data breaches were detected. That does not seem to have been the case in March 2019, but the outage briefly recalled the 2018 breach of Air Canada's popular mobile app.

Over two days in August, the airline detected an unusual pattern of login attempts [2]. Air Canada did not specify whether the incident was a network intrusion [3] or a case of attackers reusing passwords obtained from Dark Web forums, but there was concern that the perpetrators had accessed sensitive data, such as NEXUS traveler profiles, which could then be used for sophisticated identity theft, such as crafting fake passports.

No credit card data was compromised, since it was kept in a secure container.

To a certain extent, the Air Canada breach was good news for the mobile app development team, since there were no reports that deficient code, workflow, or implementation caused it. This was not the case with the One Planet York mobile app incident in November 2018, in which residents of that English city were surprised to learn that their personal details were being leaked to other app users through a “leaderboard” feature that rewarded diligent York residents for their recycling efforts [4].

The problem was traced to a flaw in the application programming interface (API). Encrypted passwords were also exposed, although it was not clear whether they had been properly hashed.

Mobile DevSecOps?

Any penetration testing specialist [5] can tell you that the attack surface presented by mobile apps, meaning the sum of their attack vectors, is too large for hackers to ignore. Just as DevOps is transforming into DevSecOps, mobile app developers should be paying close attention to every aspect of security that clients have come to expect.

The challenge is presented by clients themselves. The intimate relationship we have forged with our smartphones means that we are more willing to enter personal information into apps that request it, and this is exactly what enterprise clients are after. At the same time, malicious hacking crews are also watching the mobile app space precisely because of the massive sets of personal data it handles.

With the above in mind, here are some important aspects of information security that mobile app developers should observe in today’s development environment:

Acknowledging the Attack Surface

Although attack surfaces are typically associated with network topology and endpoints, app developers can adapt the understanding of these surfaces to their work as follows:

* Visualization: Build a map that includes the mobile device, the networks it connects to, the operating system dependencies it relies on, and the paths it creates. Every vector should be noted, including data input fields, permissions, interfaces, and services.

* Finding Exposure Indicators: Anything that indicates a potential vulnerability should be added to that map, and this may require the opinion of an information security specialist.

* Finding Evidence of a Compromise: One way to approach this step is to look at attacks that have previously succeeded. Another is to think through the worst-case scenario for each exposure indicator.
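As an added example (not code from the original article), here are the visualization and exposure-indicator steps applied to an Android app manifest: the script lists every permission and component on the map, then flags the ones a security specialist would want to look at. Android as the platform and the sample manifest are assumptions; the manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical recycling-rewards app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".ScoreProvider" android:exported="true"
              android:permission="com.example.recycle.READ_SCORES"/>
  </application>
</manifest>"""

# Permissions that unlock personal data; a reviewer should ask why each one is needed.
DANGEROUS = {"android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"}

def is_launcher(comp):
    """True for the launcher activity, which is exported by design."""
    return any(a.get(ANDROID + "name") == "android.intent.action.MAIN"
               for a in comp.iter("action"))

def inventory(manifest_xml):
    """Return (vectors, indicators): every permission and component on the map,
    plus the subset that is an exposure indicator worth a specialist's opinion."""
    root = ET.fromstring(manifest_xml)
    vectors, indicators = [], []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name")
        vectors.append(("permission", name))
        if name in DANGEROUS:
            indicators.append(f"dangerous permission requested: {name}")
    app = root.find("application")
    if app is not None and app.get(ANDROID + "usesCleartextTraffic") == "true":
        indicators.append("cleartext network traffic allowed")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            name = comp.get(ANDROID + "name")
            vectors.append((tag, name))
            # Components with an intent-filter are exported unless the manifest says otherwise.
            default = "true" if comp.find("intent-filter") is not None else "false"
            exported = comp.get(ANDROID + "exported", default) == "true"
            # An exported component with no permission guard is reachable by any app on the device.
            if exported and not is_launcher(comp) and comp.get(ANDROID + "permission") is None:
                indicators.append(f"exported {tag} without permission guard: {name}")
    return vectors, indicators
```

Calling `inventory(SAMPLE_MANIFEST)` returns the six vectors on the map and three indicators: the contacts permission, cleartext traffic, and the unguarded exported service.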

Thinking of Mobile Apps as Endpoints

In the network security world, endpoints are often pain points because they can easily be turned into attack vectors. An example is a “plug-and-play” network printer that the manufacturer has shipped with a default username and password.

Mobile apps effectively become endpoints once they are installed on a device. Developers must not assume that their apps will only be installed on smartphones such as the Boeing Black or the Blackphone 2, which are expensive devices typically purchased by corporate executives, intelligence agents, and other users who are extremely conscious of mobile security.

As a mobile app developer, you simply do not want to become the cause of security issues.

Code Security is a Priority

Unless you are working with a collaborative open source code base, you will want to encrypt and protect your code as much as possible. Code is what many hackers examine when preparing their attacks, and it is also at the heart of the zero-day exploit community. Work with the client on this aspect, because too much encryption and protection can interfere with user experience and battery life, so a balance has to be found.

Data Privacy: This is another aspect of mobile app development that should be discussed with clients. If maximum data privacy is the goal [6], you can propose building a virtual private network into the app so that network connections are secured on the back end, but this widens the scope of the project. Encrypted containers are another strategy, though they may consume more device resources.

And Finally … Extensive App Testing

Not all app development firms will be able to hire a security specialist, but they can certainly explore training key staff members to become penetration testers. In many cases, non-coders make the best security specialists because they think differently and are less likely to develop tunnel vision. Security testing is easier for web apps because of the many security standards in place. This is not the case for native apps, which have multiple “moving parts,” such as session management, authentication, and authorization.

Sources

[1] https://www.guelphtoday.com/around-ontario/canada-cra-online-services-are-back-up-and-running-1340780

[2] https://techcrunch.com/2018/08/29/air-canada-confirms-mobile-app-data-breach/

[3] https://blog.eccouncil.org/the-career-path-to-becoming-a-great-penetration-tester/

[4] https://portswigger.net/daily-swig/city-of-york-calls-in-the-cops-over-mobile-app-breach

[5] https://blog.eccouncil.org/6-ways-to-be-a-better-pen-tester-part-2/

[6] https://privacycanada.net/

About the Author:

Sam Bocetta


Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense, and cryptography.


Editor's Note:
Reviewed by JoAnne Genevieve Green, Adjunct Professor – Cyber Crimes at the University of Pittsburgh and Israel Arroyo, Founder, President, and CEO at Stealth Entry Cyber Security Solutions.