Mobile App Security: In Search of the Silver Bullet
In October 2016, the use of mobile devices to access the internet surpassed [i] that of desktop computers. Today, more than half of internet access is done with phones and tablets.
What, Me Worry?
Given this, you might assume that mobile apps would be designed with high levels of security, or that security itself would be an utmost consideration in app design, but that's not the case. In fact, the problem of security in mobile apps is enormous, and not new, either.
First the Breach, Then the Fix
As far back as 2014, Gartner predicted [ii] that, by 2017, 75% of mobile security breaches would be due to a failure of what it called "app misconfiguration".
A study by the Ponemon Institute in 2018 claims that a majority of organizations admit they don't invest in app security until AFTER they've suffered a breach. No wonder the dollar value of the average security breach [iii] today is nearly 4 million US dollars.
Albert Lo, Senior Mobile Engineer with Optimus Information, says it's a mistake for a developer to assume that web security tools can be applied to mobile apps. "You can't lump them into the same bucket," he says. "Mobile security has its own set of characteristics."
Why Mobile Security is Different
Mobile apps also have their own unique security risks, Lo adds. Malware developers target mobile apps by first trying to "decompile" them. They change a few things so they can inject their own malware, recompile the app and sign a new security certificate that binds to the app, he says.
This is one of the chief security differences from web apps, which don't need to sign a security certificate, and it is why different security strategies must be employed.
The best approach to securing a mobile app begins in the design stage. "It's really a mindset you need, that security should be part of the development process right from the start, especially when different frameworks are being considered."
Choosing the Right Framework
Mobile apps often need persistent data, such as user data or network data stored in a database. Not all databases, however, are created equal, and the choice will ultimately affect the app's security features.
Albert Lo works with Android-based apps, which use a database called SQLite. The problem with this database is that it's not secure, so an Android developer can reach for a framework known as Realm [iv], which comes with 256-bit encryption built in but also demands up to 4MB of space for its database.
Others, like Google's framework called Room [v], can also be used. Room provides an abstraction layer over SQLite to allow for more robust database access, but it doesn't support database encryption unless a developer puts in extra work to build encryption support. Room's database, as a result, is much smaller.
One tool that has proven very useful here at Optimus is Google SafetyNet. SafetyNet is an API that lets a user know if an app has been compromised or tampered with. It can run on the server side and perform checks in real time to determine whether the mobile app has been compromised.
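The server-side part of that check, as an added example that is not Optimus Information's code and not the SafetyNet SDK: a SafetyNet attestation arrives as a JWS, and after its signature has been verified against the x5c certificate chain in the header (leaf certificate for attest.android.com; that step is assumed done and is not shown here), the backend still has to validate the claims. The nonce check defeats replay, and the signing-certificate digest check is what exposes the decompile-modify-resign attack described above. The package name and certificate digest are constructed placeholders, and the sample JWS is built locally with a dummy signature for the demo only.

```python
import base64
import hmac
import json
import secrets

# Hypothetical values for the protected app (constructed placeholders).
EXPECTED_PACKAGE = "com.example.app"
EXPECTED_CERT_DIGESTS = {"cGxhY2Vob2xkZXItc2lnbmluZy1jZXJ0LXNoYTI1Ng=="}

def issue_nonce(session: dict) -> str:
    """Mint a fresh single-use nonce; the app passes it to the SafetyNet call."""
    session["nonce"] = base64.b64encode(secrets.token_bytes(32)).decode()
    return session["nonce"]

def decode_payload(jws: str) -> dict:
    """Extract the JSON claims from the middle (payload) segment of the JWS."""
    segment = jws.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def verify_claims(payload: dict, session: dict, now_ms: int,
                  max_age_ms: int = 300_000) -> list:
    """Return the reasons for rejecting the attestation (empty list = accept)."""
    failures = []
    expected = session.pop("nonce", None)  # pop: a nonce is accepted only once
    if expected is None or not hmac.compare_digest(payload.get("nonce", ""), expected):
        failures.append("nonce missing, wrong or replayed")
    if now_ms - payload.get("timestampMs", 0) > max_age_ms:
        failures.append("attestation too old")
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        failures.append("package name mismatch")
    # An app that was decompiled, modified and re-signed reports a different digest.
    if set(payload.get("apkCertificateDigestSha256", [])) != EXPECTED_CERT_DIGESTS:
        failures.append("signing certificate mismatch (repackaged app?)")
    if not payload.get("basicIntegrity"):
        failures.append("basicIntegrity false (tampered device)")
    if not payload.get("ctsProfileMatch"):
        failures.append("ctsProfileMatch false (uncertified device)")
    return failures

def sample_jws(claims: dict) -> str:
    """Constructed sample JWS for the demo: dummy header and dummy signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"
```

In production the `session` dict would be the server-side record for the client that requested the nonce, and `now_ms` the server clock, so that the client cannot choose either.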
Open Source Open to Risk?
Albert Lo says he's often asked if an open source code base like Android doesn't have inherent security risks. He maintains that because of its open source nature, Android can be constantly improved when those with security backgrounds scrutinize and review the OS code base, something that can only help the code base become better and more secure over time.
"But, using an open source OS like Android means you also have to immediately adopt standards and best practices to safeguard against security threats and attacks on user data," Lo states. Once those standards are adopted, the OS developer ensures that the app is less vulnerable to attack.
No Simple Fix
At the end of the day, "there is no silver bullet or framework that will magically address all your security concerns and requirements. That's just the way it is. Securing a mobile app is complex and there are different concerns to deal with. For those apps that don't store credit card information or have a database, for example, there's no concern about encrypting a database," Lo says.
He often refers to the Open Web Application Security Project or OWASP for counsel. OWASP [vi] is an open community "dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted."
OWASP's Top 10
Recently, OWASP published its Mobile Top 10, a list of potential app security issues with suggested workarounds. At Optimus, Albert Lo and his associates adopt a layered approach when it comes to security, using OWASP guidance to assist them in providing fortress-like security during app development.
Best Practices Work Best
Will there come a time when mobile apps are fully and permanently secure? Thatās hard to say with certainty. Blockchain technology holds great promise but, by simply following best practices and standards right now, developers can go a long way in creating secure mobile apps.
Albert Lo says he's an evangelist when it comes to promoting mobile security best practices.
"Security is ever-changing because there's new technology and new best practices every year. Security is not static. There is always something to learn."
Rely On Our Expertise
At Optimus Information, that learning, as Albert says, is ongoing. As a result, we are delivering top quality, and highly secure, mobile apps to our customers, every day.
We invite you to tap into our wealth of experience in the critical area of mobile security by calling us to discuss how we can assist you with your project.
More Resources:
[i] https://www.nowsecure.com/blog/2016/11/03/mobile-app-security-risks-could-cost-you/
[ii] https://www.gartner.com/newsroom/id/2753017
[iii] IBM Newsroom, Cost of a Data Breach
[iv] https://realm.io/products/realm-database/
[v] https://developer.android.com/topic/libraries/architecture/room
[vi] https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project