Mobile app developers must have a thorough understanding of the mobile attack surface to protect organizations from threats. Across this surface, developers and security professionals must contend with a host of security and privacy challenges that arise within applications, network connections, storage locations, and hundreds of devices, each with its own firmware. To reduce risk, mobile app developers and DevSecOps teams must understand the important differences between mobile and web app security and privacy.
The mobile attack surface is the sum of the points of entry through which an unauthorized user can get into a mobile device or extract data from it. In this environment, mobile app developers can accidentally make any number of mistakes, and threat actors can exploit them to reverse engineer an app, take control of a remote device and even steal valuable data. To reduce risk across the mobile attack surface, mobile app developers and security analysts should adopt automated testing tools that assess app binaries using a mix of static, dynamic, and interactive testing methods.
The larger the attack surface, the more insecure a system becomes. Mobile applications often traverse many networks and interact with systems owned and operated by many parties to accomplish their intended goals. Developing mobile apps requires consideration of the limitations and features of devices and the unique network connections that make true mobility possible.
Consider these four important points to develop high-quality mobile applications, while keeping security in mind:
Adopt an attacker’s mindset.
When creating a mobile app, developers approach it from a builder’s perspective: they consider the app as installed, the operating system it runs on, and whether the hardware is a phone or a tablet. Attackers think beyond the obvious, looking for vulnerabilities in the app and for ways to avoid or reduce detection. Threat actors may use one or many attack vectors to achieve their nefarious goals. Threat modeling can help security teams think like an attacker and can reveal potential attack vectors and their effects.
Common attack vectors include phishing, man-in-the-middle attacks, and weak or compromised credentials. However, there are other areas of risk that mobile developers can’t control. A stolen device can expose the victim's data through both simple and sophisticated data recovery techniques. Alternatively, a device may be outdated, jailbroken or otherwise compromised.
Focus on what the security team can control.
Developers and security teams should concentrate on the tasks that are necessary and that they can control from within the mobile app. They can’t control other applications installed on the device, which may be malicious, fake, or market-data apps built to collect data from the user's device. Nor can they control whether the device connects to unsecured Wi-Fi, malicious USB chargers, or infected peripherals.
Developers do have control over code functionality, the data the app writes to the device (data at rest), and the data the app sends from the device (data in motion). By partnering to focus on these three areas alone, developers and security teams can reduce the attack surface.
Gaps in security and privacy lurk deep in every application. Think of the code itself as the first line of defense, the one best controlled by DevSecOps. Potential security and privacy gaps in code functionality include escalated privileges, configuration manipulation, and insecure third-party libraries.
Secure data at rest and in motion.
Developers should make sure that their apps protect user privacy, sensitive data and confidential business materials. It is therefore critical to maintain secure data storage; otherwise apps can leak data and incur fines for failing to comply with regulatory standards such as GDPR or HIPAA. Such compliance incidents also damage brand reputation and customer trust.
Both Android and iOS mobile apps can store data on the device itself (data at rest). If cached incorrectly or protected with weak encryption, data at rest can expose passwords, account details or other sensitive data. Data in motion refers to data transported between the app and its host over the internet. Unsecured network communications can lead to man-in-the-middle attacks and data interception.
DevSecOps can control data at rest and in motion. Teams must perform mobile application security testing prior to every release to assure data integrity.
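As an added example (not NowSecure code), the static check below reads an Android manifest and Network Security Config and flags the settings that weaken data at rest and data in motion: cleartext traffic, backup exposure, debuggable builds, and missing certificate pins. The attribute and element names are the real Android ones; the XML samples and the placeholder pin digest are constructed for this example.

```python
"""Static check of Android config for data-at-rest / data-in-motion weaknesses
(added example, not NowSecure code). Android names are real; XML is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: three settings that widen the attack surface.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true" android:debuggable="true"
               android:usesCleartextTraffic="true"/>
</manifest>"""
# Constructed Network Security Config: cleartext allowed everywhere, no pins.
WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
  <domain-config><domain includeSubdomains="true">api.example.com</domain></domain-config>
</network-security-config>"""
# Hardened counterpart: cleartext off, API host pinned (placeholder SPKI digest).
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01"><pin digest="SHA-256">PLACEHOLDER_SPKI_HASH=</pin></pin-set>
  </domain-config>
</network-security-config>"""

def check_manifest(xml_text: str) -> list[str]:
    """Flag <application> attributes that expose data at rest or in motion."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: data in motion may go over plain HTTP")
    if app.get(ANDROID_NS + "allowBackup", "true") == "true":  # defaults to true if omitted
        findings.append("allowBackup=true: data at rest can be copied off via backup")
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("debuggable=true: runtime state exposed to a debugger")
    return findings

def check_network_config(xml_text: str) -> list[str]:
    """Flag cleartext permissions and missing pins in a Network Security Config."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("base-config permits cleartext traffic for every domain")
    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(f"cleartext permitted for {domains}")
        if dc.find("pin-set") is None:
            findings.append(f"no pin-set for {domains}: any CA in the system store is trusted")
    return findings
```

Run against a decoded manifest and `res/xml/network_security_config.xml` from a release build; the hardened config returns no findings, the weak one returns two.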
Follow best practices.
Contending with the risks inherent in the mobile attack surface requires an open and inquisitive mind. Mobile app developers and security teams should ask whether the app really requires certain privileges, such as access to contacts, and question how the app stores data or sends information to a server.
Developers and security teams must visualize the entire ecosystem of an enterprise and map all devices, paths and networks. They must think like their adversaries and focus on the tasks they can control, namely code functionality, data at rest and data in motion. Most importantly, DevSecOps teams should become students of the security standards developed by the Open Web Application Security Project (OWASP), such as the OWASP Mobile Top 10 and the OWASP Mobile Application Security Verification Standard (MASVS).
Android and iOS developers can learn secure coding practices via NowSecure Academy. We offer NowSecure Academy as a free training and paid certification resource to upskill developers, architects, QA, and security teams.
Brian C. Reed, chief mobility officer, NowSecure