Smart Mobile devices are now increasingly been adopted by the consumers and in the enterprise leading to a number of organizations interested in custom development of mobile applications. Software vendors developing mobile applications are on most occasions feeling enormous pressure to meet extremely tight Go to Market timelines. This often leaves security neglected or compromised.
The trends already mention mobile apps taking a plight in the financial sector, with online banking, online trading apps. Security, although a prime driver for custom development, is one of the hardest aspects to get right. The industry is starting to see the security & privacy concerns in developing mobile applications. Initiatives and best practices are been released by groups like OWASP that have been addressing mobile security in a big way. There is a need to leverage the native security APIs of the platform, handle sensitive data with care, and choose the right data protection classes for the mobile application architecture. Let us make an attempt to look at few critical weaknesses you should be worried about while developing mobile applications.
Data Stored on Mobile Devices
In most mobile application designs, it is observed that the mobile device stores or caches some information. Due to limited constraints on the space availability on today's mobile devices architects go ahead and exercise this option. People often default to storing the sensitive information too in clear text. Mobile platforms like Android and iOS are susceptible to rooting or jail breaking, which gives users unrestricted access to the underlying file system. Using this root level access, malicious users or malicious applications can easily retrieve the sensitive information stored on the device.
Data security is another concern when in transit or stored. While choosing to store sensitive data on mobile devices, designers often employ encryption techniques. Few platforms like iOS do provide API's to encrypt data; however, these platforms are yet to get a strong key management technique or protocol. Android too provides APIs for cryptographic primitives, but no built-in protocol for key management. Designers may find themselves having to make decisions about what to use to generate keys, how to use them, and where to store them. Often they end up selecting a strong encryption algorithm, but choose a poor key management protocols. When you have weak cryptography design and keys are stored on the device, shared between users, or hardcoded, they do not provide adequate protection to the data.
Moving Substantial Business Logic Client Side
Designers tend to move a substantial amount of business logic to mobile devices unaware of it implications. When developing rich client applications, users are given direct access to a particular service, while maintaining a simple and attractive user experience. Incorporating business logic such as password re-verification can often lead to unexpected security issues. Like web based attacks, a malicious attacker could use a simple HTTP proxy that captures requests and responses and alter the response from the server to bypass security controls built in by the application’s logic.
Relying on Client Side Data Validation
In current business scenarios, users need to access enterprise applications both from the web and the mobile devices. Attackers have been abusing the weakness of client-side data validation in web since long time now. Data validation weakness has crept into application development in the mobile application space. Hackers can easily bypass client side data validation by using a proxy between the mobile app and the server.
There’s the old joke about two hunters running from a lion, and the one runner says to the other: we can’t outrun the lion. And his buddy replied, “I don’t have to outrun the lion, I only have to outrun you.” Many, over the years, have applied the same logic to application security: If their software is ‘secure enough’ attackers will move on to easier targets. Mobile application security is an easy target for attackers currently and you need to address security on priority.