Mobile apps have become the main focus of innovation for many companies, and skilled mobile developers are in high demand. Companies are asking developers to innovate quickly using the latest smartphone features and capabilities to drive high download rates, wow their users, attract customers and grow their business. Development teams under constant pressure to move faster can put security on the back burner, focusing on required features and business-mandated release dates. However, many development teams have figured out how to innovate faster with security built in, by making sure developers understand key security requirements and coding best practices. Working with hundreds of development teams on securing thousands of mobile apps, we’ve found four common areas of security failure that can be fixed easily.
Use HTTPS (SSL/TLS) instead of HTTP
Mobile app developers may instinctively use Hypertext Transfer Protocol (HTTP) for network communications. However, HTTP sends users’ private information in the clear, where threat actors can intercept it. Developers can fix this common error by using HTTPS instead, which encrypts data sent to and from servers using industry-standard SSL/TLS. Android developers can use the Network Security Configuration file to define a single policy for all network connections the application establishes, or enforce HTTPS manually. iOS developers can rely on App Transport Security (ATS), which is enabled by default, enforces secure communications in iOS apps, and prevents insecure connections between the mobile app and the server.
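As an added example (not taken from the original article), here is a minimal Android Network Security Configuration that blocks cleartext traffic for every connection the app makes and restricts trust to the system CA store. The element names and the file location are the ones the Android platform expects; the mechanism is available on Android 7.0 (API level 24) and later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Refuse http:// for every connection the app opens. The platform rejects
         such a connection before any data leaves the device, so a developer who
         accidentally types an http:// URL gets an error instead of a leak. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the CAs that ship with the operating system, not
                 CAs a user (or an attacker with device access) has installed. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

The file takes effect once it is referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. A `<domain-config>` block can relax or tighten the policy for individual hosts, but keeping the `<base-config>` strict means the safe behaviour is the default for any host the developer forgets to list.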
Validate certificate content
Certificates add an extra layer of security to HTTPS connections by allowing additional validation when a connection is established. A certificate names the certificate authority (CA) that signed it and the host names it is valid for; the application checks these against the CAs it trusts and the host names it expects to connect to. Applications that validate these components when connecting to the server greatly reduce the risk of a man-in-the-middle (MITM) attack that can steal credentials and sensitive data.
To verify that a certificate was issued by a trusted CA, Android developers can rely on the preconfigured list of trusted CAs shipped on devices running the operating system. For hostname verification, Android developers can use native classes such as HostnameVerifier (javax.net.ssl) to make sure the certificate actually belongs to the host the application intended to reach.
iOS developers can take advantage of ATS, which provides this validation built in, or implement the checks manually through the NSURLSession delegate methods.
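The hostname check described above, as an added example written for this page rather than taken from the article or from the Android SDK. It keeps the platform's default HostnameVerifier, which matches the certificate's subject alternative names against the host that was requested, and layers an application allow-list on top of it. The host names are placeholders; everything else is standard javax.net.ssl, so the class compiles on a desktop JDK as well as on Android.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * Hostname verification that keeps the platform's default check and, in
 * addition, restricts TLS connections to the hosts this app is built to use.
 */
public final class StrictHostnameVerifier implements HostnameVerifier {

    // Hosts the application legitimately talks to (placeholder values).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "api.example.com",
            "cdn.example.com"));

    // The platform verifier compares the certificate against the requested host.
    // A common mistake is replacing it with a verifier that always returns true;
    // that silently accepts any certificate for any host.
    private final HostnameVerifier platformVerifier =
            HttpsURLConnection.getDefaultHostnameVerifier();

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Both checks must pass: the host is one we expect AND the certificate
        // presented in this session is actually issued for that host.
        return isAllowedHost(hostname) && platformVerifier.verify(hostname, session);
    }

    /** Allow-list check, kept separate so it can be unit-tested without a live TLS session. */
    static boolean isAllowedHost(String hostname) {
        if (hostname == null) {
            return false;
        }
        return ALLOWED_HOSTS.contains(hostname.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Install once at startup; every HttpsURLConnection opened afterwards uses it.
        HttpsURLConnection.setDefaultHostnameVerifier(new StrictHostnameVerifier());

        System.out.println("api.example.com allowed: " + isAllowedHost("api.example.com"));
        System.out.println("other.example.net allowed: " + isAllowedHost("other.example.net"));
    }
}
```

The allow-list is a supplement, not a substitute: a certificate that is valid for `api.example.com` but presented when the app asked for `cdn.example.com` still fails, because the platform verifier is consulted on every connection. Pinning specific CAs or certificates, if the app needs it, belongs in the Network Security Configuration rather than in hand-written verifier code.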
Avoid hardcoding mobile app resources
Attackers often use hard-coded information in a mobile app’s source code to take advantage of users. For example, attackers can use credentials stored in application files to access a user account, or find API keys and hard-coded URLs to collect private data or take over an application entirely. Mobile app developers can close off these avenues by not hard-coding keys, passwords, and URLs into the source code. Transport encryption and performing data decryption on the backend also add an extra layer of security.
Use the latest cryptography to protect mobile users
Outdated cryptography algorithms like SHA-2, RC4, and DES make it easy for attackers to crack a seemingly secure mobile app. Using older algorithms can also render a mobile app non-compliant with industry regulations, exposing an organization to fines or legal action. Developers can avoid this problem for Android and iOS mobile apps by using the latest cryptography algorithms available, selecting those suitable for the specific application scenario. When signing your binary before publishing it to the store, use keys with a length of at least 2048 bits (preferably 4096 bits), and generate random values for cryptographic use with SecureRandom on Android or SecRandomCopyBytes on iOS. Android developers can take advantage of the Keystore system and iOS developers can take advantage of Keychain services to store highly sensitive data. Developers should avoid insecure modes of operation, weak or hard-coded cryptographic keys, and improperly generated initialization vectors (IVs) so that encrypted information cannot be decrypted by a malicious actor.
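An added example, not from the article, that puts the points above into plain Java's javax.crypto API, which Android exposes as well: a 256-bit AES key from KeyGenerator, a fresh IV drawn from SecureRandom for every message, and GCM mode so that any tampering with the ciphertext is detected on decryption. The message text is constructed for the demo. On Android the key would be created through the AndroidKeyStore provider so that it never leaves hardware-backed storage; this stand-alone code uses the default provider so it can run on a desktop JDK.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** AES-GCM with a random per-message IV; the output blob is IV || ciphertext+tag. */
public final class AuthenticatedEncryption {

    // Authenticated mode. AES/ECB leaks plaintext structure and AES/CBC without a
    // MAC can be tampered with undetected; neither belongs in a mobile app today.
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int KEY_BITS = 256;
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom(); // never java.util.Random

    /** Generates a key with the CSPRNG; the key is never a string literal in the code. */
    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_BITS, RNG);
        return kg.generateKey();
    }

    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // a fresh IV for every message; reusing one under GCM breaks the scheme
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        // Prepend the IV; it is not secret, but the receiver needs it to decrypt.
        return ByteBuffer.allocate(iv.length + ciphertext.length).put(iv).put(ciphertext).array();
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ciphertext); // throws AEADBadTagException if the data was altered
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        byte[] message = "constructed sample: session token".getBytes(StandardCharsets.UTF_8);

        byte[] blob = encrypt(key, message);
        System.out.println("round trip: " + new String(decrypt(key, blob), StandardCharsets.UTF_8));

        // Flip one bit of the stored blob: GCM refuses to return the plaintext.
        blob[blob.length - 1] ^= 0x01;
        try {
            decrypt(key, blob);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, decryption refused");
        }
    }
}
```

The two properties the article asks for are visible in the code: the IV is generated, not constant, and the mode authenticates as well as encrypts. To move the key into platform storage on Android, the only change is `KeyGenerator.getInstance("AES", "AndroidKeyStore")` together with a `KeyGenParameterSpec` that names the GCM block mode; the encrypt and decrypt paths stay the same.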
Today’s mobile app users need to know that mobile apps are designed with security in mind. When building innovative mobile apps, developers have a responsibility to learn a practical set of secure coding best practices to protect their users (and their businesses).