Top Mobile Security Threats to Consider when developing an App

As the demand for mobile apps and technology continues to rise, so do the security threats. As we all just learned a few days ago, even the US government is vulnerable to them.

According to BBC:

Four million current and former federal employees, from nearly every government agency, might have had their personal information stolen by Chinese hackers, U.S. investigators said.

Although we cannot prevent all security threats, we believe that everyone should have a plan in place to mitigate them. Attacks that proved successful on PCs are now being targeted at unwitting mobile devices, because attackers focus on the weakest link in the chain. That is why I wanted to share the top mobile security threats and risks we have identified:

1)  Authentication and Authorization:  The apps and the systems they connect to should be properly protected with authentication and authorization methods. You should have a procedure in place to block unauthorized devices, users and scripts as soon as they are identified.

2)  Insecure Data Storage:  You should limit the storage of data such as usernames, auth tokens, passwords, etc., on the device; where it is necessary, have a plan to secure that information.

3)  Client Side Injection:  Although there is software to help prevent this on the app side, attackers can send untrusted data through your system if it is vulnerable to injection. Identify every source of input and validate it before you deploy your app.

4)  Security Decisions Via Untrusted Inputs:  Attackers can alter any request or customize the inputs your app sends, so the server must not trust them for security decisions; you need to detect when such changes occur.

5)  Side Channel Data Leakage:  This is an attack based on information gained from the physical implementation of an encryption system (timing, power use, cached data and the like), rather than an attack through brute force or theoretical weaknesses in the algorithms.

6)  Broken Cryptography:  Ensure that the cryptography you are employing is stable and has not yet been broken.

7)  Improper Session Handling:  Have you ever been in the middle of checking your bank account online when your attention is called away? You return to your computer to see a message like, “Session Timed Out – Please Login Again”.  Do you have a process in place like this for your mobile app?

8)  Insufficient Transport Layer Protection:  Again, there is software to help with this, but you must protect data as it travels across the network and the internet; otherwise "threat agents" can use techniques to view sensitive data while it is on the wire.

9)  Weak Server Side Controls:  The servers that your app is accessing should have security measures in place to prevent unauthorized users from accessing data (Internal and External Servers)

10)  Sensitive Information Disclosure:  Although this is not an app threat, ensure that your users understand the type of information that could be disclosed and at risk when using your app

BONUS)  Insecure Data Storage (back end):  The back end systems where your mobile data is stored should be secure. Consult experts to determine the steps you should take to secure information such as usernames, location data and other personal information. Keep in mind that application logs can also be useful to hackers.
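As an added example of the session handling described in item 7 (this is illustrative code, not part of the original post or any product), here is a minimal server-side session store that forces the "Session Timed Out" re-login after a period of inactivity and again after an absolute lifetime; the timeout values and the class and function names are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values are assumptions for this example, not taken from the post.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before forcing re-login
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on a session, regardless of activity


@dataclass
class Session:
    user: str
    created: float    # when the user logged in
    last_seen: float  # last authenticated request (sliding idle window)


class SessionStore:
    """Server-side session table keyed by an opaque random token."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        # 256-bit random token: never derived from user id, device id or time.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token: str) -> None:
        # Explicit logout must invalidate the session on the server, not just
        # delete the token on the device.
        self._sessions.pop(token, None)

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None to force re-login."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT
        lifetime_expired = now - session.created > ABSOLUTE_LIFETIME
        if idle_expired or lifetime_expired:
            del self._sessions[token]  # expired tokens are removed, not just refused
            return None
        session.last_seen = now  # activity extends the idle window only
        return session.user
```

Every API request from the app should go through `authenticate`, and a `None` result is what drives the "Please Login Again" screen.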

Contact Us if you are interested in learning more about how we have helped our clients protect against these and many more mobile threats.