Mobile app developers constantly face pressure to catch up with or leap ahead of the competition. Innovative mobile features certainly improve the user experience, but the accelerated pace of mobile app development often shortchanges security.
DevSecOps teams can speed the delivery of high-quality mobile apps by performing continuous security testing throughout the software development lifecycle (SDLC) and relying on mobile DevSecOps tools that can help ease remediation. And of course, honing their craft by adopting secure coding techniques helps devs prevent security and privacy issues from creeping into their Android and iOS mobile apps in the first place.
As one of the leading mobile application security companies, NowSecure experts have conducted thousands of mobile application penetration tests that uncover common security and privacy vulnerabilities. What follows is a roundup of technical tips we’ve shared in our twice monthly All Things Mobile DevSecOps newsletter. Subscribe now and catch up on previous pointers in this compilation of secure mobile app development advice.
Local Data Exposure
- Anonymize data that your mobile app collects and, better yet, delete it as soon as possible.
- If your Android app uses a WebView to access sensitive data, you can use the clearCache() method to delete any locally-stored files.
- Developers and security experts should always assume that mobile code will be reverse engineered — it’s typically the starting point for an attacker. Avoid storing valuable and sensitive information locally on the device.
Network Defense-in-Depth & Communication
- Ensure apps use proper network security standards for communications, endpoints are well configured and you have a robust authentication scheme to prevent a broad range of network attacks.
- Leverage App Transport Security (ATS) for ioS and Network Security Configuration for Android for secure mobile app connections.
- Before mobile developers add networking functionality to their mobile app, consider networking security best practices: limit user data over the network, send traffic over secure communication and consider which certificates your mobile app should trust.
- The best way (and really the only way) to test mobile app certificate pinning is to execute an MiTM attack against it.
Authentication & Authorization
- Make sure your app follows the security principle of least privilege by ensuring your app only requests the minimal level of permissions needed for the app to work.
- Run authorization checks for roles and permissions of an authenticated user at the server-side rather than client-side.
- When overriding methods that perform certificate validation and/or hostname verification in Android (such as the checkServerTrusted method) always make sure to include proper validations in order to prevent MITM attacks.
- Misuse of cryptography has become a common source of vulnerabilities in mobile apps and necessitates security testing prior to release.
- If an iOS app must encrypt contents on disk, developers should protect users’ data by using the highest level of file protection: complete.
- In 2019, Apple introduced CryptoKit to make iOS developers’ lives easier in performing cryptographic operations — this high-level Swift API can save you time and give your app solid security.
- Ensure that your apps use the latest, most secure versions of SDKs. Stay abreast of security news to identify vulnerable versions of SDKs and remove them from your app or use alternatives.
- Remove unused or irrelevant pieces of code and debugging data to improve runtime performance and reduce the attack vector.
- Practice secure coding by avoiding using query strings in sensitive data.
- When a user transitions the application to the background, the system takes a “snapshot” of the applications main window. Developers should remove any sensitive data from views before moving to the background.
Reverse Engineering & App Resiliency
- Use code obfuscation on all production builds to mitigate the risk of reverse engineering.
- Use the AndroidSafetyNet API to check for Android device tampering and guard against reverse engineering.
- Avoid using hardcoded sources as much as possible. Hardcoding data in your application’s source code (credentials, cryptographic keys and similar, sensitive sources) represents an easy attack vector via reverse engineering.
- When pushing an app to production, make sure to clear all hard-coded data that’s been used for QA testing.
- Employ memory protection techniques such as buffer overflow protection or binary stirring to guard against threats.
- Having unprotected content providers in your app increases its attack surface, potentially allowing malicious apps to target your app via dangerous attacks such as SQL injection and path traversal.
- The best way to implement a strong and healthy app is by performing a basic security posture of your mobile app: a threat model. Seek to understand what your app may be vulnerable to out in the wild.
- Raise the bar in your app by making sure threat modeling guides your security controls.
- Consult the OWASP Mobile Application Security Verification Standards (MASVS) as a starting point for threat modeling.
- Base mobile app security requirements on standards such as the OWASP MASVS.
Mobile Application Security Testing
- Perform penetration testing to verify that a mobile app’s backend is secure.
- Perform a thorough penetration test before launching or releasing a major update of a sensitive mobile app to ensure quality.
- Those who use low-code development tools should be sure to test the mobile app binaries to pinpoint security risks such as misconfigured permissions or leaking data.
- Test a mobile app binary rather than uncompiled format or source code because the binary is what’s released to the wild and what an attacker might actually target.
- Ensure you deploy a mobile application security testing tool from a trusted vendor that pinpoints vulnerabilities yet minimizes false positives.
- When implementing WebViews in your Android application, utilize free security functionality such as EnableSafeBrowsing and cache clearing. These in addition to disabling debuggable WebViews will make your app/WebViews less prominent to attacks.
Upcoming Mobile OS Changes
Many Android developers know that as of November 2021, Android app updates must target API level 30 or above. Be prepared to make changes to keep your app current and adjust for app behavioral changes as well as Android 12 security and privacy enhancements. And iOS developers should mark their calendars for April 2022. As of that date, all ioS and iPadOS apps must be built with Xcode 13 and the iOS 15 SDK when submitting to the Apple App Store.
As mentioned above, stay up with the latest mobile DevSecOps trends with our newsletter — subscribe to receive it in your inbox on the first and third Wednesday of each month. Developers and security analysts alike can upskill and expand their knowledge of mobile appsec via NowSecure Academy free training. And finally, it’s our hope that following the above tips can help you build secure mobile apps faster.