Secure Mobile App Development Tips: 31 Flavors Summer Edition
Posted by Amy Schurr
Summertime is almost here and for many, that means ice cream treats. Whether you’re a novice mobile app developer, a seasoned mobile application security analyst or somewhere in between, here’s a roundup of our 31 best tips and tricks to savor.
NowSecure experts share secure mobile app development best practices and mobile application security testing insight in our “All Things Mobile DevSecOps” newsletter delivered on the first and third Wednesday of the month. Subscribe now and catch up on any advice you’ve missed in this compilation of the best of our technical tips. Read on for insights to help you hone your skills in building and testing high-quality, secure mobile apps that provide a safe user experience.
Secure Mobile App Development
- Don’t write data to the SD card and system logs because this is unnecessary and can cause problems.
- Implement OWASP best practices for file management by restricting accepted file types and making your mobile app files read-only.
- Manage file permissions appropriately for different user groups of the app. Assign read, write and execute permissions accordingly and never set universal file permissions (WORLD_READABLE/WORLD_WRITABLE) because that could lead to a remote code execution vulnerability.
- Never, ever store a password in plain text on a device. If it must be stored, create a hash value using a unique device token stored on registration.
- Use a more secure version of deep links called App Links when developing Android mobile apps to ensure your app is the only one that can handle a redirect URI, or URLs in general.
- Ensure that your app servers only accept updated versions of TLS (>=1.2) and strong ciphersuites.
- Fix the code if a mobile app doesn’t perform hostname verification or if it accepts self-signed certificates for TLS sessions.
- Use client-side protections to help prevent regressions and make the app stores safer. For example, App Transport Security in iOS can prevent common regressions such as use of HTTP and weak server-side ciphers.
- Implement proper API security based on the network structure of your mobile app. Bad API calls will likely lead to data leakage to unauthorized third parties.
- Take a closer look at how any data that is generated/entered into the app by the user is handled. Ensure that the app follows input validation best practices both on the client and the server side that prevent malformed, potentially malicious data from being injected and incorrectly handled by the app.
- Implement multi-factor authentication to prevent unauthorized registration or access to a mobile application.
- Ensure your app can detect changes in biometric authentication on the device to require users to log in again after enabling a new biometric measure such as a fingerprint or facial recognition.
- Use common libraries for cryptography rather than custom crypto code.
- Sign Android applications with a key of proper size: at least 2048 bits. Avoid signing apps with a key size of 1024 bits or less because they’re vulnerable to forged digital signatures.
- Certificate Transparency is an open framework for logging, monitoring, and auditing the issuance of CA certificates. Consider using it as an additional defense for mobile apps that require a high degree of security.
- Implement certificate pinning for apps that handle sensitive data as a countermeasure against man-in-the-middle (MiTM) attacks.
- Code that helps debug issues in pre-production apps can cause data leaks in production apps if the debug code is left in.
- Reverse engineering a mobile app can provide valuable insight into how it works and expose corporate secrets. Making an app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors.
- Be wary of any mobile app that requests permissions unrelated to the app functionality such as contacts, SMS and location data for a flashlight.
- Assess the security risk of a mobile app by using threat modeling, attack modeling, attack surface mapping, and/or other forms of risk modeling.
- To perform threat modeling, start with the OWASP Mobile Application Security Verification Standards to determine the level of testing necessary to manage risk according to app characteristics.
- Stay current on all DevSecOps toolchain features.
- Undergoing security training will ensure your development team is knowledgeable about the latest mobile app security requirements and coding best practices.
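Several of the tips above (no plain HTTP, no untrusted certificates, certificate pinning, no debug settings in production) can be checked statically on Android before a release. The following is an added example, not NowSecure code: a Python audit of an AndroidManifest.xml and a Network Security Config file, Android's counterpart to the App Transport Security settings mentioned above. The sample files, the finding codes and the `audit` function are constructed for illustration, and only top-level config sections are inspected.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (not from a real app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:usesCleartextTraffic="true"/>
</manifest>"""

NETWORK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit(manifest_xml, config_xml):
    """Return sorted finding codes for a manifest and network security config."""
    findings = set()
    app = ET.fromstring(manifest_xml).find("application")
    if app is not None:
        if app.get(ANDROID + "debuggable") == "true":
            findings.add("DEBUGGABLE")          # debug build setting shipped
        if app.get(ANDROID + "usesCleartextTraffic") == "true":
            findings.add("CLEARTEXT_ALLOWED")   # plain HTTP permitted
    for section in ET.fromstring(config_xml):
        if section.tag == "debug-overrides":
            continue  # only applies to debuggable builds, so not a release finding
        if section.get("cleartextTrafficPermitted") == "true":
            findings.add("CLEARTEXT_ALLOWED")
        if any(c.get("src") == "user" for c in section.iter("certificates")):
            findings.add("USER_CA_TRUSTED")     # user-installed CAs accepted
        if section.tag == "domain-config":
            pins = section.findall("pin-set/pin")
            if not pins:
                findings.add("NO_PINNING")
            elif len(pins) < 2:
                findings.add("NO_BACKUP_PIN")   # one pin only: key rotation breaks the app
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(MANIFEST, NETWORK_CONFIG)))
```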
Mobile Application Security Testing
- Look for an application security testing tool that maps assessment findings directly to your security program’s requirements and industry standards such as CVSS, the OWASP MASVS and the Common Weakness Enumeration (CWE) framework.
- Understand that using open-source tools such as Drozer, Frida, Mitmproxy and Radare to test mobile apps can be difficult because you need significant experience to glue these tools together and use them effectively. We recommend choosing a commercial mobile appsec testing tool instead.
- Test apps on real mobile devices rather than emulators. Testing with an emulator misses a number of mobile attack vectors.
- Don’t make the mistake of assuming that third-party libraries are safe — update this code regularly and thoroughly test it for security and privacy vulnerabilities.
- Recognize that complex or highly secure mobile apps may require manual code review and penetration testing to pinpoint potential threats.
- Focus on automatically testing new code and builds on a daily basis to reduce Cycle Time Value (CTV) and eliminate manual errors.
- Know what to fix by evaluating the risk of any issues you find in your app. Using CVSS offers a great way to get started.
- Thoroughly define the process for when security bugs break the build and institute a feedback loop to improve CI/CD processes.
We hope these best practices satisfied your craving for knowledge. For more advice about secure mobile app dev, consult our wildly popular ebook “Secure Mobile Development Best Practices.” The NowSecure Services team is also available to help train your team, stand up a mobile appsec testing program or conduct mobile app penetration testing for you. Contact us anytime to discuss your organization’s mobile appsec testing needs.