
3 tips to ramp up your mobile application security

Explore 3 key mobile application security tips

Modern mobile device users often have their devices tightly integrated into daily life. From banking apps to social media feeds, these applications are high visibility targets for hackers and thieves looking to exploit weaknesses or hijack vulnerabilities. By ramping up mobile app security, vendors ensure the safety and security of their users and their infrastructure.

Recent mobile attacks and vulnerabilities

The latest high-profile mobile threat is the Broadpwn attack. This threat targets the Broadcom chipset used in many popular mobile devices. Broadpwn takes advantage of low-level communications combined with flaws in the Android platform, allowing a malicious payload to travel from one phone to the next virtually undetected. Fuzz testing tools are an ideal method of detecting this type of flaw.

Another recently discovered vulnerability is the Dirty Cow exploit, which is used to obtain system-level access on the Android platform. Using this known Linux kernel exploit (CVE-2016-5195), Android malware installed Trojans and backdoors onto mobile platforms, stealing sensitive user data and attacking installed application storage.

These vulnerabilities often take advantage of a mobile application’s weakest link: the operating system. Malware can watch the user’s screen and send snapshots of visible input fields. It can also read files normally reserved for the system to gather unprotected databases and certificates.

Once an operating system has been compromised, the application memory and data are no longer safe. They can be read without proper encryption. Root detection is often used as a stop-gap to prevent applications from launching in a hostile environment. However, this doesn’t protect data stored on the system or in memory.

Dedicated attackers often patch root detection and circumvent various security measures used to prevent a mobile application from detecting security changes. Mobile application security must incorporate protections that assume the operating system is not the only security measure preventing an attacker from stealing passwords or gathering credit cards.

Let’s explore three ways to avoid such vulnerabilities and potential attacks:

Tip #1: When developing in a hostile environment…

Developers can no longer depend on a secure, isolated environment when creating a mobile application. With today’s attacks targeting the operating system and underlying hardware inside of the platform, organizations must plan to create applications that protect not only from static analysis but also from active attacks on the platform and network. Creating an application that can withstand these attacks requires several key factors:

  • Threat analysis and architecture review during all cycles of development.
  • Security training to prevent common developer mistakes.
  • Integrated security checks in continuous integration and deployment platforms.
  • Scheduled code reviews and penetration tests of both client and server applications.
  • Active monitoring of potential breaches and attacks on all communication channels used by the mobile app.

By following these key factors, today’s mobile application platforms stand a much better chance of protecting both the customers and vendors.

Tip #2: When integrating mobile application security into the SDLC…

The most challenging component of mobile application security is ensuring that guidelines are followed throughout the software development life cycle (SDLC). This requires diligence from the entire project team. Every member is responsible for ensuring they are following security best practices.

During the planning phase of the project, all members of the platform must be involved in actively integrating security into the platform. It’s important to have a head of security within the team to ensure everyone incorporates security into the design. When designing and developing the application, it’s also important to ensure that developers are practicing secure coding. Through training and tool-assisted development, you can ensure developers don’t compile vulnerable code into the application.

Oftentimes companies with a separate quality assurance (QA) team leave penetration and security testing until after the implementation and verification phases of the SDLC. This results in testing at the end of the product’s life cycle. This also often corresponds to release dates and team commitments. Plan ahead. Integrate assessments and penetration tests of the mobile application platform during implementation and verification phases. This ensures the team isn’t rushing to fix issues in the eleventh hour before the delivery date.

It is also important to have security monitoring systems in place to monitor for attacks and breaches within the platform. Guidelines should be prepared in case a vulnerability is discovered in the platform itself, for example a public exploit for a library or a vulnerable version of a web server. This requires a stringent guideline for:

  1. How quickly fixes must be issued.
  2. Stakeholders for each piece of the mobile application platform after it has reached the end of the SDLC timeline.
  3. How to keep track of these issues internally to ensure the same issues do not continually arise.

Tip #3: When decreasing risk to maximize reward…

Creating a mobile application platform has many risks, but the marketplace is thriving. In 2016, Apple had over 140 billion cumulative software downloads, making it one of the most successful software platforms in history. By integrating the key factors for security into the SDLC, mobile application platforms can not only protect themselves from hackers and thieves, but they can thrive in today’s market. By proactively integrating security into the entire process, a mobile application team can greatly decrease risk while maximizing reward.

Summing it up

Ramping up mobile application security by tightly integrating security into the SDLC doesn’t only ensure protection for the vendors. It also increases reputation and maximizes profits from the mobile marketplace.


Posted by Luke Arntson

Luke Arntson is an associate principal consultant with 11 years of experience in a variety of roles including software engineer, front-end developer, and technical lead. Luke has worked with a number of Fortune 500 companies, including financial institutions, graphics card makers, and coffee distributors. At Synopsys, he has overseen and performed thick client assessments, web penetration tests, source code reviews, mobile assessments, hardware assessments, and manual ethical hacking tests of systems built from a few thousand lines of code to systems containing tens of millions of lines of code C/C++, Java, PHP, ASP.NET, and C#. Luke has an extensive background in Windows security and circumvention, including UAC and token passing techniques, binary reverse engineering, and security tool writing.
