main banner

Mobile Development

Mobile Application Security

Through mobile devices millions of users are more productive, interacting with their world in more ways than ever before, and therefore, the creation of mobile applications has seen explosive growth in the last years. These applications have provided convenient access to personal information, emails, bank accounts, credit card data, and so on. Security risk associated with these applications can often be identified and mitigated.

Mobile applications expose users and their phones to a host of not-so traditional issues that simply didn’t exist a few years ago. Properly accounting for new threats and attacks requires the use of mobile-specific security assessment processes. Employing traditional penetration testing techniques and code review is insufficient to address the risks the mobile environment presents.

Identify and mitigate common security issues

Token-based authentication


Data access on mobile platforms generally requires some form of Internet‐facing service or data access point that can be communicated with via a mobile device.  Database servers and platforms in their current state are not good candidates for public exposure without additional layers of security that are generally not feasible or cost effective on mobile devices.  Web servers are generally more hardened to attack and, thus, web services are an excellent candidate for exposure outside the firewall to mobile devices over the Internet. But what about securing these web services? In most cases, the use of a web service API first requires authentication to ensure that the caller of the web services is who they say they are. Usually, web service API security will use a form of token‐based authentication – this could be something like OAuth or as simple as sessions built into any modern server‐side framework, such as ASP.NET or Ruby on Rails.

In the general workflow of token based authentication, the web service caller sends a username and password and then receives a unique token back after his/her identity has been verified by the authentication service. The token is then passed back to the web service on all subsequent requests and can be used on the server side to determine the identity of the user. Depending upon the security constraints of the application, the token generally expires after a certain period of inactivity.

Secure your stream


Regardless of the technology used to accomplish the token based authentication, all communication between the mobile client and the web server should be performed over an SSL‐secured connection in order to prevent the token from being captured via packet sniffing on a wireless connection or any other “man‐in‐the‐middle” attack. If the token were to be compromised by a third party, the third party would then be able to imitate the identity of the actual application user and would be able to make malicious requests, if inclined.

Sensitive local data


Another security issue inherent to mobile platforms is the security of data that exists locally on the device itself. Obviously, any mobile device can be compromised much easier than a server residing within a secure data center. If possible, confidential data should not be stored on the mobile device itself and should be stored instead on a back‐end server and downloaded to the device when necessary. If for architectural reasons confidential data must be stored on the device, then measures should be taken to encrypt the data with a key that is not stored on the device, if possible. Fortunately, mobile platform vendors are providing more and more support for automatically encrypted disk storage, which makes implementation of secure data storage on the device much easier.

Cryptography badly implemented

Some cryptographic algorithms, for example SHA1 and MD5, have proven to be inadequate for modern security requirements. However, there's no easier way to mismanage mobile encryption than for an development team use its own encryption algorithms or protocols.

Is strongly recommended to use modern algorithms that are accepted as strong by the security community, and whenever possible use state-of-the art encryption APIs within mobile platforms -- think AES with a 256-bit key for encryption and SHA-256 for hashing. If you're not sure about your cryptography, invest in manual analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.

Conclusion

While mobile devices engage to greatly improve productivity, they also introduce a number of new risks that must be managed by enterprises. We hope that by explaining the security threats and the ecosystems these devices participate in, we’ve provided you, the reader, with the knowledge to more effectively derive value from these devices and also more effectively manage this risks they introduce.

Happy coding and cheers.

 

Fernando V.

Born in Sinaloa and former military, Fernando is a talented photographer and extreme sports fan; he is the type of guy who will bring the party with him whenever and wherever. He is part of our Mobile developer team and has a Computer Systems Engineering degree with 10 years of experience as software developer. He writes for the Inflection Point’s blog about really interesting topics that will give you insights regarding trending development subjects.

Articles