Mobile Application Security: Enterprise checklist

A guide by Jignesh Solanki, “Simform LLC - Mobility, Business intelligence and Internet of things (IoT).”

Post on 12-Apr-2017

Page 1: Mobile App Security: Enterprise Checklist


Page 2: Mobile App Security: Enterprise Checklist

The Scenario

According to CIO Magazine, one-third of all iOS enterprise applications are vulnerable to attackers. The situation is even worse for Android. Cybersecurity threats are now evolving even faster alongside emerging technologies like IoT, which widens the cybersecurity skills gap further.

Page 3: Mobile App Security: Enterprise Checklist

“Android fragmentation turning devices into a toxic hellstew of vulnerabilities.” - Tim Cook

Page 4: Mobile App Security: Enterprise Checklist

Some common security exploits:

➔ Malware applications on a user’s device exploiting other mobile applications

➔ Botnet attacks to extract user information and keystrokes

➔ Vulnerabilities in servers, integrated browsers, and third-party libraries

➔ Weak authentication and authorization

➔ Hard-coded credentials and deployment in debugging mode

Page 5: Mobile App Security: Enterprise Checklist

Last year, TeamViewer was the victim of such an attack, and thousands of users reported that someone was trying to make purchases with their credit cards. Fortunately, TeamViewer was able to recover its server within a few hours.

Page 6: Mobile App Security: Enterprise Checklist

That’s why…

We created this exhaustive checklist of common security measures that you can use to reduce the number of vulnerabilities present in your application.

P.S. You can read more details about each checklist here: https://www.simform.com/mobile-application-security-data-vulnerabilities/

Page 7: Mobile App Security: Enterprise Checklist

Evaluate open source code or third party libraries for vulnerabilities

Open source is changing our world, speeding up development and deployment.

Recently, due to third party code, more than 1400 vulnerabilities were introduced into ColdFusion’s Pyxis supply station.

We insist on a security policy that any third-party or open source code being added has to go through exhaustive security testing.

Page 8: Mobile App Security: Enterprise Checklist

Authorization using OAuth 2.0

Most enterprises fail to understand the usefulness of OAuth, and either go all in or don’t use it at all.

We recommend implementing OAuth 2.0, along with real-time monitoring for the implicit grant.

To improve security further, use OpenID Connect along with OAuth 2.0.

Page 9: Mobile App Security: Enterprise Checklist

OAuth 2.0: How does it work?

Page 10: Mobile App Security: Enterprise Checklist

OAuth 2.0 + OpenID Connect

The OpenID token holds claims about the authenticated, signed-in user. This lets the server verify that the token was not tampered with, and was not issued to some other user or client.

Using OAuth 2.0 along with OpenID Connect, v
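The checks that slide describes, as an added example that is not part of the original deck: a server validates an ID token's signature (tamper check), issuer, audience (was it issued to this client?), expiry and nonce. The issuer URL, client_id and shared secret are constructed for the demo; it signs with HS256 so it runs offline, whereas a real provider uses RS256 keys published at its JWKS endpoint.

```python
import base64, hashlib, hmac, json

# Assumed values for this example: the provider URL and the app's client_id.
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "mobile-app-client-id"
# Constructed shared secret so the demo runs offline with HS256. A real OpenID
# provider signs ID tokens with RS256; verify those against its JWKS keys.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256-signed JWT (demo helper standing in for the provider)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(sign(f'{header}.{body}', secret))}"

def validate_id_token(token: str, expected_nonce: str, now: float,
                      secret: bytes = DEMO_SECRET):
    """Return (claims, None) if the token is authentic and meant for this
    client, else (None, reason) naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm: never let the token's own 'alg' choose the check.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    if not hmac.compare_digest(sign(f"{header_b64}.{body_b64}", secret),
                               b64url_decode(sig_b64)):
        return None, "bad signature"          # header or payload tampered with
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return None, "token issued to another client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "token expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"          # replayed or cross-session token
    return claims, None
```

The nonce is the value the app generated for this login and sent in the authorization request, so a token minted for a different session is rejected even when its signature is valid.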

Page 11: Mobile App Security: Enterprise Checklist

“Mosquitoes aren’t the only pests to prepare for in Rio de Janeiro. Take precautions to protect your data and mobile applications.”

Page 12: Mobile App Security: Enterprise Checklist

Prevent client side injection for mobile app security

In client-side injection, attackers push malicious code in the form of input, which is then consumed by the mobile application. This happens because of weak input validation and a lack of mobile security testing policies.

To reduce the chances of client-side injection, as a basic guideline one should look into:

Data stored on the device

User sessions

Mobile application interfaces

Page 13: Mobile App Security: Enterprise Checklist

Optimize data caching for application security

Mobile devices often store cached data to enhance app performance, which makes them more vulnerable because attackers could breach and decrypt the cached data to steal a user’s account information.

If the nature of the data your app stores is extremely sensitive, requiring a passcode to access the application reduces the vulnerabilities associated with cached data.

Page 14: Mobile App Security: Enterprise Checklist

Disable debugging before the release

Many developers don’t turn off debugging when they deploy their application to production environments. Keeping debugging on in production allows attackers to gain access to critical parts of your application.

Turning off debugging mode is extremely simple; in reality this is just a deployment prep checklist item. A developer can turn off debugging mode by:

Setting android:debuggable="false" in AndroidManifest.xml in the case of Android

Using PT_DENY_ATTACH (via ptrace) in the case of iOS applications

Page 15: Mobile App Security: Enterprise Checklist

Protect sensitive information that application stores locally

While you may not be keeping patient records locally, there’s a 90% chance that you store some information locally that can help an attacker gain access to almost anything.

Whether it is iOS or Android, your choice of local data storage implementation should be based on strict and thorough security considerations. In the case of hybrid applications, things get more complicated.

Keychain is one of the best ways to store data locally, but since it has no straightforward implementation, in a quicker go-to-market environment it is usually ignored.

Page 16: Mobile App Security: Enterprise Checklist

Enable remote data wipe

The capability to remotely wipe and lock sensitive data on a user’s device gives an additional layer of security to enterprises. While there are many existing tools that enable remote wiping of data, they have their own pros and cons.

Consider the two cases:

Isolation of enterprise data from the user’s personal data in a BYOD scenario

Data breaches in the case of a stolen or lost device

Page 17: Mobile App Security: Enterprise Checklist

To enable remote data wipe, enterprises use the following solutions depending on the device ownership models:

Factory data reset

Full device wipe

Enterprise device wipe

Page 18: Mobile App Security: Enterprise Checklist

Implement SSL/TLS

The network connection between the mobile application and the server, if not secured properly, is prone to man-in-the-middle attacks.

Validating the authenticity of security certificates helps eliminate illegal access by attackers.

Always make sure that your application’s code accepts only valid security certificates, and blocks any request with invalid or self-signed certificates.
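The certificate-validation rule above in concrete form, as an added example that is not from the original deck: a hardened TLS client context beside the "accept anything" anti-pattern, plus an audit function that flags the settings a man-in-the-middle needs. The ca_bundle path is an assumption (None falls back to the platform trust store).

```python
import ssl
from typing import List, Optional

def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Context for a client talking to the app's backend. ca_bundle (assumed
    path) restricts trust to the CA(s) your servers chain to; None means the
    platform trust store. Either way, self-signed or untrusted certificates
    and hostname mismatches abort the handshake."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' anti-pattern: any certificate,
    including an attacker's self-signed one, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """List the settings that would let a man-in-the-middle succeed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings
```

Run audit_context over every context your client code creates as a release-checklist gate; a non-empty result is a finding, not a warning to suppress.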

Page 19: Mobile App Security: Enterprise Checklist

Application sandbox

Preventing applications from accessing locked parts of memory that don’t belong to the application

Page 20: Mobile App Security: Enterprise Checklist

Entitlements and permissions

Always limit the permissions required to run the application. Restricting access to unneeded device features and the ability to run in the background will prevent attackers from accessing the app data.

Page 21: Mobile App Security: Enterprise Checklist

Implement anti-tampering techniques

Tampering with your application has several benefits for attackers: authentication bypass, geolocation falsification, stealing sensitive data and many others.

It can then be leveraged to get access to offline documents, location falsification, and payment- and medical-related sensitive information.

Implementing runtime security should be at the top of the priority list for most enterprises building a next-generation mobility strategy, especially for those building consumer-facing applications.

Page 22: Mobile App Security: Enterprise Checklist

Disable App Backup

Almost all devices back up all data automatically, and if you allow the operating system to back up the application data, the chances are that an attacker could see or modify the application’s locally stored data without having root or physical access to the device.

Page 23: Mobile App Security: Enterprise Checklist

Restrict Devices from Taking App Screenshots

Android OS has a tendency to automatically take screenshots of applications to measure performance and report bugs.

To stop the device from exposing sensitive data, you need to set the “FLAG_SECURE” attribute or the “android:excludeFromRecents” flag.

Page 24: Mobile App Security: Enterprise Checklist

Thank you! Feel free to share your views in the comment section. For more details and updates on enterprise mobility, security and scalability, subscribe to our blog here: https://simform.com