Mobile Application Security Best Practices

Mobile application security best practices include encryption, code obfuscation, securing your APIs, and following secure coding practices.
Mobile Application Security Best Practices

The use of mobile phones is expanding worldwide, with approximately 6.65 billion currently in use. As smartphones become ubiquitous, an increasing number of the world’s e-commerce transactions are taking place on mobile devices, leading to the coining of the term “mcommerce” to describe the new method of shopping. eMarketer predicts that by 2024 nearly 70% of e-commerce transactions will be mobile. And where are those mobile sales happening? According to Nielsen, 89% of time spent on smartphones is spent interacting with apps, meaning retailers who want to meet their customers where they are, are investing in mobile app development.

Mobile applications face many of the same security challenges that web applications do, but there are also some unique considerations specific to the mobile environment. Once someone downloads your app, it is on their device, and you no longer have complete control. The user has access to the source code, which can be examined for vulnerabilities. If the device is jailbroken, your data may not be confined to the sandbox, allowing other apps and malicious users to access it. Updates are done at the leisure of the user, and there likely will not be anti-virus protections on the device like there would be on many users’ desktops. Additional security measures must be taken to reduce the ability of threat actors to take advantage of this expanded attack surface.

Encryption

Encryption is the process of converting data from plain text to ciphertext, which can’t be read without the decryption key. Encryption can either be symmetric, which means the same key is used for encrypting and decrypting, or asymmetric, which means a different key is used for decryption. The most commonly used standard for encryption, and the one employed by the U.S. government, is Advanced Encryption Standards (AES). Other standards of encryption do exist, such as RSA, named for its creators, Rivest, Shamir, and Adleman, but RSA is much slower than AES. RSA does, however, have the benefit of being asymmetric, which makes it beneficial when transmitting data between endpoints.

RSA may soon be effectively replaced by another asymmetric method of encryption, ECC. ECC is an encryption system that uses a 256-bit key to provide the same security that RSA has with a 3072-bit key. This allows ECC to use much less storage space, making it ideal for devices like smart phones. ECC may not be widely used just yet, but it is currently used by Bitcoin, so it may gain popularity as cryptocurrency develops.

Encryption should be applied to data at rest, as well as in transit, using an SSL or VPN tunnel. To protect data at rest, you should be sure that you are encrypting data at the file or database level. Operating systems provide sandboxes for each application where unstructured data may be stored. These sandboxes are designed to section off each application’s data from the rest of the applications on the device; however not all application data is stored here. It can also be stored in external storage, making it vulnerable to attack. An attacker may also be able to access the sandbox data if there are exploitable vulnerabilities in the app or if the phone has been jailbroken, so it is important that this data is encrypted.

Another important thing to consider with encryption is proper key management. It doesn’t matter that you’ve locked the door if you leave the key under the mat. You can use a key management system to ensure that keys are kept separate from the data they’re meant to protect. You’ll need to develop policies for things like the length of time a key is authorized to be in use, key size based on best practices for the type of data and type of key, and retirement of unneeded keys.

Code Obfuscation

Code obfuscation is the process of making source code difficult to decipher to prevent unauthorized use. Obfuscation alters the code without changing the end result, leaving it functionally equivalent to the original code. This differs from encryption in that there is no key for obfuscation. Obfuscation just makes it harder to read the data instead of changing the data itself.

There are a couple of different ways to do this:

  • Name Obfuscation: Changing the names of functions, classes, and variables. This is helpful, but by itself is usually not enough, as a hacker will still be able to figure out the patterns and understand which functions do what, even if they go by different names.
  • Control Flow Flattening: Taking the basic blocks of the source code and putting them into a loop, making the program flow much less obvious.
  • Arithmetic Obfuscation: Taking arithmetic calculations and replacing them with much harder-to-understand mathematical equivalents.
  • Code Virtualization: Translating the code into self-defined bytecode that can only be understood by a virtual machine.

Code obfuscation is helpful for preventing hackers from reverse engineering your source code, which can result in the loss of sensitive data or creation of a rogue app. Rogue apps are apps created by a threat actor to resemble the app of a known brand with the goal of tricking users into downloading the malicious app instead.

Secure Your APIs

According to RapidAPI’s 2021 State of APIs Developer Survey, 90.6% of developers planned to use the same amount or more APIs in 2022 than in 2021. While APIs provide enormous convenience, they’re also a huge security risk. APIs generally use an API key to verify that what is making the call to the API server is a legitimate instance of your mobile app. But what happens when an attacker has that API key? Without additional methods of identity verification and the ability to detect patterns indicative of abuse, such as calls by bots, it becomes increasingly difficult to differentiate real user API calls from malicious ones.

There are a number of things you can do to reinforce your API security. For one, you should ensure robust encryption between the API client and server to reduce the impact of man-in-the-middle attacks. You also need to be aware of where you’re storing your API keys. When API keys are stored in a mobile application, threat actors are able to use reverse engineering tools to access that information, hence the need for techniques such as code obfuscation. Because API keys are so discoverable, securing your APIs will depend on being able to effectively authenticate the entity making the request.

Strong Authentication Policies

Strong credentials are a must for both web and mobile application development. For mobile apps, you can choose to either have a native login flow, which means the user enters their credentials within the app, or a web-based login flow, where they are directed to a web browser to login. Native login flows provide a better user experience but are generally thought to be less secure. Hypermedia authentication APIs are a solution now popping up to bridge this gap and provide the best of both worlds. Hypermedia authentication APIs interact with the authorization server directly without the need for an intermediary like the browser window.

Regardless of how the user enters their credentials, your app should enforce some type of password policy to ensure a strong password is used, and it should not store the access and refresh tokens anywhere except secure storage (like the iOS keychain or Android Keystore). You can also take advantage of secondary forms of authentication, such as biometric methods like facial recognition.

You should also ensure that you’re using proper session handling. Mobile applications tend to have longer sessions than desktop apps. Long sessions can be beneficial for businesses who want to encourage ease of use for customers; however, they can pose significant security risks. Ensure that your tokens are long, complex, and random to reduce the attackers’ ability to brute-force them. Session invalidation should occur on the mobile app as well as on the server side to prevent HTTP manipulation tool attacks.

Follow Secure Coding Practices

Finally, your mobile app should follow best practices for secure coding, just as you would with web applications. Security should be incorporated from the start of the app’s design, with testing occurring throughout the development process. According to the Synopsys Cybersecurity Research Center (CyRC) ’s annual Open-Source Security and Risk Analysis (OSSRA) report for 2022, 78% of code in codebases was found to be open source, of those, 81% contained at least one vulnerability. Utilizing open-source code bases makes application development faster and easier but using them also opens the organization up to significant security risks. Using a mix of static application security testing (SAST) and dynamic application security testing (DAST) tools can help you identify vulnerabilities during and after production.

Some additional secure coding recommendations:

  • Take a default deny approach to data and enforce the principle of least privilege.
  • Validate inputs from all untrusted data sources.
  • Sanitize data sent to other systems.
  • Implement a system for monitoring and logging.
  • Keep it simple. Complex designs leave more room for vulnerabilities. The more things that the app can do that it doesn’t need to do, the more room there is for attackers to exploit these unnecessary functions.

Learn more about application vulnerability management in RH-ISAC’s post, Best Practices for Application Vulnerability Management.

RH-ISAC offers resources to help you improve your application security including access to a community of fellow retail and hospitality cybersecurity professionals. Check out this discussion post on runtime protections on RH-ISAC’s Member Exchange. Not an RH-ISAC member? Learn more about how being a part of the RH-ISAC’s member community can benefit you.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.