Mobile App Security: In Search of the Silver Bullet
In October 2016, the use of mobile devices to access the internet surpassed [i] that of desktop computers. Today, more than half of internet access is done with phones and tablets.
What, Me Worry?
Given this, you might assume that mobile apps would be designed with high levels of security or that security itself would be an utmost consideration in app design, but that’s not the case. In fact, the problem of security in mobile apps is enormous – and not new, either.
First the Breach, Then the Fix
As far back as 2014, Gartner predicted [ii] that, by 2017, 75% of mobile security breaches would be due to a failure of what it called “app misconfiguration”.
A study by the Ponemon Institute in 2018 claims that a majority of organizations admit they don’t invest in app security until AFTER they’ve suffered a breach. No wonder the dollar value of the average security breach [iii] today is nearly 4 million US dollars.
Albert Lo, Senior Mobile Engineer with Optimus Information, says it’s a mistake for a developer to assume that web security tools can be applied to mobile apps. “You can’t lump them into the same bucket,” he says. “Mobile security has its own set of characteristics.”
Why Mobile Security is Different
Mobile apps also have their own unique security risks, Lo adds. Malware developers target mobile apps by first trying to “decompile” them. They change a few things so they can inject their own malware, recompile the app and sign a new security certificate that binds to the app, he says.
This is one of the chief security differences from web apps, which don’t need to be signed with a certificate, and it is why different security strategies must be employed.
The best approach to securing a mobile app is in the design stage. “It’s really a mindset you need, that security should be part of the development process right from the start – especially when different frameworks are being considered.”
Choosing the Right Framework
Mobile apps often have a need for persistent data – user data or network data stored in a database, for example. Not all databases, however, are created equal and the choice will ultimately impact the app’s security features.
Albert Lo works with Android-based apps, which use a database called SQLite. The problem with this database is that it offers no built-in encryption, so an Android developer can reach for a framework known as Realm [iv], which comes with 256-bit encryption built in – but also demands up to 4 MB of space for its database.
Others, like Google’s framework called Room [v], can also be used. Room provides an abstraction layer over SQLite to allow for more robust database access, but it doesn’t support database encryption – unless a developer puts in extra work to build encryption support. Room’s database, as a result, is much smaller.
One tool that has proven very useful here at Optimus is Google SafetyNet. SafetyNet is an API that lets a user know if an app has been compromised or tampered with. It can run on the server side and perform checks in real time to determine whether the mobile app has been compromised.
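As an added example of the server-side checks described above (this is not Optimus’s or Google’s code), the following Python validates the claims carried in a SafetyNet Attestation response once the JWS signature and certificate chain have been verified. The package name, certificate digest and nonce are constructed values; a real backend substitutes its own.

```python
import base64
import json

# Constructed values for this example; a real deployment uses the app's own
# package name and the base64 SHA-256 digest(s) of its signing certificate.
EXPECTED_PACKAGE = "com.example.app"
EXPECTED_CERT_DIGESTS = {"pVWZ3Ff6Fy5aCxb7dFfZ3nq2OTJ8cE3xJm2jKJ3mBzQ="}
MAX_AGE_MS = 5 * 60 * 1000  # reject attestations older than five minutes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_attestation_claims(jws: str) -> dict:
    """Return the claims segment of a compact JWS (header.payload.signature).

    Assumed, and not shown here: the JWS signature and its certificate chain
    (leaf issued to attest.android.com) are verified before calling this.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_attestation(claims: dict, expected_nonce: str, now_ms: int) -> list:
    """Return findings; an empty list means the attestation passes."""
    findings = []
    if claims.get("nonce") != expected_nonce:
        findings.append("nonce does not match the one issued for this request")
    ts = claims.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= MAX_AGE_MS:
        findings.append("timestamp missing, in the future or too old (replay)")
    if claims.get("apkPackageName") != EXPECTED_PACKAGE:
        findings.append("package name differs from the published app")
    # A decompiled, modified and re-signed build carries a different signing
    # certificate, so its digest will not be in the expected set.
    digests = set(claims.get("apkCertificateDigestSha256") or [])
    if not digests & EXPECTED_CERT_DIGESTS:
        findings.append("signing certificate digest is not one we published")
    if claims.get("basicIntegrity") is not True:
        findings.append("device failed basicIntegrity (rooted or tampered)")
    if claims.get("ctsProfileMatch") is not True:
        findings.append("device failed ctsProfileMatch (uncertified build)")
    return findings

def make_sample_jws(claims: dict) -> str:
    """Build an unsigned sample JWS for offline use (placeholder signature)."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'sig')}"
```

The server issues a fresh nonce per request and keeps it until the response arrives; a response whose findings list is non-empty should be treated as untrusted rather than retried.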
Open Source Open to Risk?
Albert Lo says he’s often asked if an open source code base like Android doesn’t have inherent security risks. He maintains that because of its open source nature, Android can be constantly improved when those with security backgrounds scrutinize and review the OS code base, something that can only help the code base become better and more secure over time.
“But, using an open source OS like Android means you also have to immediately adopt standards and best practices to safeguard against security threats and attacks on user data,” Lo states. Once those standards are adopted, the developer can ensure that the app is less vulnerable to attack.
No Simple Fix
At the end of the day, “there is no silver bullet or framework that will magically address all your security concerns and requirements. That’s just the way it is. Securing a mobile app is complex and there are different concerns to deal with. For those apps that don’t store credit card information or have a database, for example, there’s no concern about encrypting a database,” Lo says.
He often refers to the Open Web Application Security Project or OWASP for counsel. OWASP [vi] is an open community “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.”
OWASP’s Top 10
Recently, OWASP published its Mobile Top 10, a list of potential app security issues with suggested workarounds. At Optimus, Albert Lo and his associates adopt a layered approach when it comes to security, using OWASP guidance to assist them in providing fortress-like security during app development.
Best Practices Work Best
Will there come a time when mobile apps are fully and permanently secure? That’s hard to say with certainty. Blockchain technology holds great promise but, by simply following best practices and standards right now, developers can go a long way in creating secure mobile apps.
Albert Lo says he’s an evangelist when it comes to promoting mobile security best practices.
“Security is ever-changing because there’s new technology and new best practices every year. Security is not static. There is always something to learn.”
Rely On Our Expertise
At Optimus Information, that learning, as Albert says, is ongoing. As a result, we are delivering top quality – and highly secure – mobile apps to our customers, every day.
We invite you to tap into our wealth of experience in the critical area of mobile security by calling us to discuss how we can assist you with your project.
More Resources:
[i] https://www.nowsecure.com/blog/2016/11/03/mobile-app-security-risks-could-cost-you/
[ii] https://www.gartner.com/newsroom/id/2753017
[iii] IBM Newsroom: Cost of Data Breach
[iv] https://realm.io/products/realm-database/
[v] https://developer.android.com/topic/libraries/architecture/room
[vi] https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project