Ensuring app security is a basic necessity for app development and should not be just an afterthought. Cyberattacks on mobile devices have increased over the years with the growing popularity of web-enabled smartphones and tablet computers. As such, there is a clear need to actively protect apps from various types of web attacks. There is also a need to be dynamic with the kind of security measures to implement. The nature of attacks has changed so the techniques and strategies used in the past may no longer be as effective at present.
There is no perfect formula in addressing the evolving nature of web attacks on apps. However, the following pointers should serve as a useful guide in building a good enough level of protection:
1. Minimize User Inputs or Totally Eliminate Them
Text messages, images, and other media uploaded by app users are not a good idea if you are trying to keep your app secure. These uploadable contents or media can be used by a skilled hacker to explore and exploit vulnerabilities. Basically, if you are trying to accommodate user uploads or inputs, you have the responsibility to secure them. The more of these you accept, the more securing responsibility you will be obliging yourself to do. Moreover, it’s important to note how most of the cyber-attacks nowadays are anchored on deception and not on security flaws. Hence, limiting user inputs and reminding users in being cautious with their logins make a lot of sense.
2. Keep the Client or Installed App Dumb
Apps intended for smartphones or mobile devices don’t have to be so smart that they get to do so many things. It’s always safer to keep them dumb. In other words, they should do very minimal processing. In an interview with Ars Technica, Dan Kuykendall, the chief technology officer of security testing company NT objectives, shared that making an app store less data and do fewer processes is recommended. Data and processes are easier to sniff and exploit if they reside right within the device where the app is installed.
It’s advisable to use a well-defined API to connect the app installed on a device to an effectively secured backend that can take charge of the real instruction or information processing work. It is also very important to make sure that only legitimate users get to access an app’s backend. This can be done through prudent session management, strong access controls, and properly-defined interfaces capable of limiting accessible data..
3. Encrypt Traffic
All connections an app does online should be protected by Secure Socket Layer (SSL) encryption. However, SSL protection may not be enough. It does well when encrypting connections for web browser-like apps but it’s not as effective in protecting other types of apps that automatically reconnect to available open networks, including rogue devices that act as SSL proxies. There’s the need to limit the automatic online connections of an app especially those involving automatic updates, file transfers, and synchronizations.
4. Anticipate the Potential Attacks and Vulnerabilities that Will Be Exploited
It will be helpful to review the Open Web Application Security Project (OWASP) list to be acquainted with the leading vulnerabilities hounding web applications. Threats vary and evolve over time so it helps knowing how they have advanced to be able to prepare for them. There are many free application security tutorials available online so be sure to make use of them.
5. Don’t Write Your Own Security Controls
Jerry Hoff of the code analysis division of WhiteHat Security says that it is not advisable to write your own security controls since you will likely fail. Hoff says that someone who is not involved in studying security 24/7 does not have enough of the competence and experience to come up with proper security measures. It is preferable to rely on security controls that have been tried and tested in actual use, and regularly updated by people in the know.
6. Be Consistent in Applying Security Controls
In most cases, attackers only need one security vulnerability to exploit an app’s weakness and get through the security controls in place. That’s why it’s very important to be consistent. Different developers have different approaches in ensuring security. There are different ways of handling security controls but what is important is to have consistency. Inconsistency leads to loopholes or small defects that can be exploited.
7. Perform Code Analysis or Program Audit
Code analysis refers to the process of evaluating the behavior of computer programs. Of course, every formally trained app developer knows this but for the sake of those who are self-taught, it’s worth pointing this out. There are two main approaches in program or app code analysis: static and dynamic code analysis. Static code analysis means the evaluation of an app without actually executing it, usually performed on a version of the source code. Static code analysis can be performed by an automated tool. Dynamic code analysis, on the other hand, involves the actual execution of the app using a real or virtual processor. Naturally, dynamic code analysis is more tedious and time-consuming. However, as to which approach is better, dynamic code analysis or static analysis, the answer depends on need or preference.
These are just general pointers worth remembering. As mentioned, the nature of web attacks on apps changes over time. The goal here is to look at the bigger picture and be dynamic in addressing threats instead of focusing on the specifics.