8 Best Practices for Improving Mobile Apps Security
Nowadays, mobile app development has become a trend and people rely on mobile apps rather than websites. Mobile app development technologies have evolved and there are quicker ways to build mobile apps. If we dig into the history of mobile app development, apps used to be written in each platform's native language: Java for Android and Objective-C or Swift for iOS. Then came the era of hybrid app development, where developers write code once in a single language and build apps for both iOS and Android. After the older hybrid frameworks like PhoneGap and Ionic, newer cross-platform frameworks like React Native and Flutter changed the face of hybrid app development.
So one technology may disrupt another, but apart from designing and developing the app, the major factor we have to consider with any technology is SECURITY. What are the security aspects we have to consider while developing an app, whatever the technology? Here we cover 8 major best practices for improving mobile app security, irrespective of the technology used to develop the app.
1. Obfuscate your source code
Attackers can download the app from the store and decompile it with freely available tools. Especially on Android, anyone can download your app's APK, unpack it and read the manifest, assets, resources and classes. If you have embedded an authentication token, an API key or a password that directly accesses your data, the attacker can extract it and use it against your backend.
So while developing your application, make sure that you do not hardcode any sensitive data in your source or resource files. A secret shipped inside the app can always be recovered; obfuscation only raises the cost of recovering it, so keep secrets on the backend and hand the app short-lived, per-user credentials instead. Use the appropriate code obfuscation tool for your platform (R8/ProGuard on Android). Please refer to Shrink, obfuscate, and optimize your app for more information.
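As an added illustration (not code from the original article), here is a small Python scanner of the kind you can run over an APK unpacked with apktool to catch secrets in resource files before you ship. The strings.xml content below is constructed for this example; the patterns cover a few common credential formats and fall back to a resource-name-plus-entropy heuristic.

```python
import math
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: a res/values/strings.xml as it would appear after
# unpacking an APK with apktool. All values are made up for this example.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo Wallet</string>
    <string name="welcome_message">Welcome back</string>
    <string name="api_base_url">https://api.example.com/v1</string>
    <string name="backend_api_key">AKIA4EXAMPLEEXAMPLE0</string>
    <string name="jwt_signing_secret">xK9pQ2mT7vR4wB6nL1cF8dH3jS5gY0zA</string>
</resources>
"""

# Resource names that usually hold credentials.
SUSPICIOUS_NAME = re.compile(r"(key|secret|token|passw|credential|private)", re.I)
# Value patterns for a few well-known credential formats.
SUSPICIOUS_VALUE = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                    # AWS access key id
    re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),                                # Google API key
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),                       # PEM private key
    re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b"),  # JWT
]


def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, prose scores low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings_xml(xml_text, entropy_threshold=3.5, min_len=16):
    """Return (name, value, reason) for every <string> that looks like a secret."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        reason = None
        if any(p.search(value) for p in SUSPICIOUS_VALUE):
            reason = "matches known credential format"
        elif (SUSPICIOUS_NAME.search(name) and len(value) >= min_len
              and shannon_entropy(value) >= entropy_threshold):
            reason = "credential-like name with high-entropy value"
        if reason:
            findings.append((name, value, reason))
    return findings


def scan_unpacked_apk(root_dir):
    """Walk an apktool output directory and scan every strings.xml in it."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for f in files:
            if f == "strings.xml":
                with open(os.path.join(dirpath, f), encoding="utf-8") as fh:
                    findings.extend(scan_strings_xml(fh.read()))
    return findings


if __name__ == "__main__":
    for name, value, reason in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason} ({value[:8]}...)")
```

Run it as `python scan_secrets.py` against the sample, or call `scan_unpacked_apk("path/to/apktool-output")` on a real unpack; anything it flags should be moved to the backend rather than obfuscated.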
2. Secure the local data storage
Be careful when you store sensitive data on the filesystem. If your application stores any sensitive data on the filesystem, make sure that it is encrypted properly, with the key kept in the platform's hardware-backed key store (Android Keystore or the iOS Keychain) rather than next to the data. Data stored unencrypted can be read by any other application that has the necessary permissions, by a device backup, or by anyone with physical access to a rooted device. This applies not only to files but to any data stored locally (eg: a local database, shared preferences, logs and caches).
3. Secure authentication mechanisms
Authentication must be enforced by the backend; no decision that grants access to critical information should be made locally. In particular, a local 4-digit PIN or a Touch ID/Face ID check must not by itself unlock critical information, because an attacker who controls the device can bypass a check that runs on the device. Use the local check as a convenience layer on top of an additional authentication round with the backend. Make sure that all communication with the backend uses TLS (SSL) so that credentials and sensitive data are never sent in clear text, and consider certificate pinning for high-value apps.
4. Secure account authorization
After a successful authentication, every backend API call made by the mobile application must be verified and authorized in the backend. No API should be callable without an authorization token, and the backend must validate that token on every request. No critical administrator role change must be initiated from the application, and the backend must never trust a role or user ID supplied by the client. All privilege management must happen in the backend, so that authorization can be enforced properly.
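The following Python sketch, added here as an example and not part of the original article or of any particular framework, shows the backend side of points 3 and 4: the server issues a short-lived signed token after it has authenticated the user, validates that token on every request, and takes the role from the token rather than from anything the client sends. The signing key, routes and role names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing key. In production it lives only on the
# backend (e.g. in a secrets manager) and never inside the app package.
SERVER_KEY = b"replace-me-with-a-random-32-byte-key"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id, role, ttl_seconds=900, now=None):
    """Issued by the backend after it has verified the user's credentials.
    The role is looked up server-side; the client never chooses it."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "role": role, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Hypothetical endpoints and the role each requires; unlisted routes are denied.
ROUTES = {
    "GET /me": "user",
    "POST /transfer": "user",
    "POST /admin/users/role": "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}


def handle_request(method, path, headers, body, now=None):
    """Authorization gate a backend runs before any business logic.
    Returns (status_code, response_dict)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    required = ROUTES.get(f"{method} {path}")
    if required is None:
        return 404, {"error": "no such route"}
    if ROLE_RANK.get(claims.get("role"), 0) < ROLE_RANK[required]:
        return 403, {"error": "insufficient privileges"}
    # The acting subject comes from the verified token, never from the body.
    if "user_id" in body and body["user_id"] != claims["sub"]:
        return 403, {"error": "user id in request does not match token"}
    return 200, {"ok": True, "acting_as": claims["sub"]}


if __name__ == "__main__":
    token = issue_token("alice", "user")
    print(handle_request("GET", "/me", {"Authorization": "Bearer " + token}, {}))
    print(handle_request("POST", "/admin/users/role", {"Authorization": "Bearer " + token}, {}))
```

Two design points matter more than the token format: the signature is checked with a constant-time comparison before anything in the token is trusted, and the route table makes the required role explicit so that a forgotten check fails closed (404/403) rather than open.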
5. Pick the best cryptography techniques
Encrypting data with just any algorithm does not make your application secure. Do not pick a weak or deprecated algorithm: MD4, MD5 and SHA-1 are broken as collision-resistant hashes, and DES, RC4 and ECB-mode block cipher use are insufficient for modern security requirements. Use each primitive for its purpose as well: a fast hash such as SHA-256 is not a password hash, so store passwords with a salted, deliberately slow construction (PBKDF2, bcrypt, scrypt or Argon2). Choose algorithms and key sizes strong enough to withstand attack for the next few years, and prefer the platform's vetted implementations over your own. Please refer to the NIST guidelines on recommended algorithms.
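As an added example (not from the original article), the Python below contrasts what the article warns against, an unsalted MD5 hash, with a salted PBKDF2-HMAC-SHA256 password hash built from the standard library. The iteration count is the figure the OWASP Password Storage Cheat Sheet currently recommends for PBKDF2-HMAC-SHA256; the storage format is an assumption for this example.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. 600,000 iterations is the OWASP Password
# Storage Cheat Sheet recommendation for this construction; raise it over time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters), dklen=KEY_BYTES)
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-numeric iterations).
        return False


def weak_hash(password):
    """What NOT to do: unsalted MD5 is fast to brute-force and gives every user
    with the same password the same digest, so one crack reveals them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(weak_hash("hunter2") == weak_hash("hunter2"))
```

Because the record carries its own iteration count, old hashes can be rehashed with a higher count on the user's next login without a migration of the whole table.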
6. Avoid exposing critical admin features
In some cases, app developers club both public end-user features and admin features into a single application. This exposes critical administrator features, API endpoints and other sensitive administrative information to every user who installs the app, since anything in the package can be extracted and called directly. So it is highly recommended to split the critical admin features into a separate application or service and access it separately, and in any case to enforce the admin role in the backend, so that a hidden screen is never the only thing standing between a user and an admin endpoint.
7. Verification of Super user access or Jailbroken device
A mechanism to detect superuser (root) access on Android and jailbroken iOS devices is highly recommended, because on such a device the OS sandbox no longer protects your application's data from other processes. This detection is especially recommended for applications with payment or banking features. Note that any client-side check can be patched out by a determined attacker, so treat it as one signal, combine it with platform attestation (Google Play Integrity, Apple App Attest) and backend risk controls, and do not rely on it alone.
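To make the detection logic concrete, here is an added Python model of the check (illustrative, not code from the article; on a device the same probes would be written in Kotlin or Swift using File.exists, Build.TAGS and PackageManager). The probes are passed in as functions so the logic can be exercised off-device with constructed results; the indicator lists are the commonly checked ones and are not exhaustive.

```python
import os

# Commonly checked indicators. Each is a signal, not proof: a root hider can
# remove every one of them, which is why the result is only one input to a
# backend risk decision.
ANDROID_SU_PATHS = [
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/app/Superuser.apk",
]
ANDROID_ROOT_PACKAGES = [
    "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.koushikdutta.superuser",
]
IOS_JAILBREAK_PATHS = [
    "/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash", "/usr/sbin/sshd", "/etc/apt", "/private/var/lib/apt/",
]


def root_indicators(platform, path_exists=os.path.exists, build_tags="",
                    installed_packages=(), can_write_outside_sandbox=False):
    """Return the list of indicators that fired so the caller can log them.

    platform: "android" or "ios". The remaining arguments are probes: on a
    real device they would wrap the platform APIs; here they can be stubbed.
    """
    hits = []
    if platform == "android":
        for p in ANDROID_SU_PATHS:
            if path_exists(p):
                hits.append(f"su binary or root manager present: {p}")
        if "test-keys" in build_tags:
            hits.append("build signed with test-keys")
        for pkg in ANDROID_ROOT_PACKAGES:
            if pkg in installed_packages:
                hits.append(f"root manager package installed: {pkg}")
    elif platform == "ios":
        for p in IOS_JAILBREAK_PATHS:
            if path_exists(p):
                hits.append(f"jailbreak artifact present: {p}")
        if can_write_outside_sandbox:
            hits.append("app can write outside its sandbox")
    else:
        raise ValueError(f"unknown platform: {platform}")
    return hits


def is_compromised(platform, **probes):
    """True if any indicator fired. Callers should also report the hits to
    the backend so that the server, not the client, decides what to block."""
    return len(root_indicators(platform, **probes)) > 0


if __name__ == "__main__":
    # On the machine running this script the paths are simply checked as-is.
    print(root_indicators("android"))
```

On a real device the Android implementation typically also tries to execute `su` and checks `Build.TAGS`; whatever the probe set, send the outcome to the backend and let the server apply the policy (extra verification, reduced limits, or refusal) rather than hard-coding a client-side block that can be patched out.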
8. Verify third party libraries used
While developing an application, it is common for developers to use third-party libraries and services to make the work simpler and faster. But most do not check the integrity or security of the library being used. Developers need to review each library, check it for known vulnerabilities (for example with a software composition analysis tool such as OWASP Dependency-Check), pin its version, verify its checksum or signature when it is fetched, and keep it updated. If a library leaks data or carries a vulnerability, your application carries the same vulnerability.
So above are the 8 key best practices for improving the security of your mobile application. Security is a major concern in every development process, so make sure that all of the above points are covered in your application. At Synclovis Systems, we follow all these best practices and the guidelines, checklists and tools recommended by OWASP (Open Web Application Security Project).