1 April 2021
4 Tips for Better Mobile App Security
The number of mobile apps is growing daily, and the issues of mobile app security and privacy continue to intensify as a result. Security professionals are growing more and more worried that common web app security practices aren’t cutting it anymore.
While security professionals are busy scrutinizing the common mobile security practices and researchers are discovering new modes of attack, hardware security continues to become an even bigger problem. For instance, a Qualcomm Snapdragon security issue that’s basically unpatchable emerged in 2020, rendering almost half of all Android smartphones a security risk. There isn’t much you can do about these kinds of security risks, but you can still do everything that’s in your power to mitigate potential risks.
In this blog post, we’re going to take a look at the basic common practices that will get you started on securing your mobile app.
1. Securing your app’s source code
The source code of your app is your most treasured asset. Building a great app and leaving it for everyone to see, or even modify is not the greatest idea. Since most mobile apps keep most of the source code on the phone itself, it’s open to client-side auditing and this makes it dangerous to the integrity of your app.
Code obfuscation is a way of transforming your code into non-human-readable code while remaining fully functional. It completely modifies your source code but the output remains fully equivalent to the original, unobfuscated code. This is done to deter malicious actors from reverse-engineer your code, upping the security of your app.
One thing to keep in mind: obfuscation is not encryption. Encryption treats the data cryptographically to make it a secret, whereas code obfuscation does not make your code a secret, rather it makes your code mode difficult for humans to read it. Encrypted code needs to be decrypted first for execution, obfuscated code does not.
2. Securing your files and the database of your app
Not locking down your stored data or the data in transmission can lead to intrusions. If you’re storing sensitive user data, usernames, passwords, or other types of data unencrypted, you’re putting you and your users at risk.
For example, there has been an inordinate amount of data breaches that revealed companies have been storing their passwords in plain text. A notable example of this would be Sony, who caught storing user passwords for their online properties in plain text, and all it took was an attack using SQL injection in 2011.
You should always go for the tried-and-true methods of encryption. It is not advised to roll your own encryption solution as this is considered another weak link. If you’re not an expert in cryptography, it’s a safer bet on a publicly known open-source solution.
3. Static Application Security Testing (SAST)
SAST, or static analysis, is a testing methodology that scans your source code for security vulnerabilities that may leave your app open to security breaches. The analysis takes place before the source code is compiled.
Static Application Security Testing can be done very early on during development. Your app does not need to be fully working in order to be analyzed. This test helps developers spot security vulnerabilities before they’re too difficult to be ironed out, preventing the vulnerabilities from making it to the final release version of the app. It gives developers real-time feedback in the development life-cycle, so they can keep an eye out for any security issues from the very start.
4. Ensuring a safe log-in system
Once upon a time, a password was enough to log in to a website or an app, and nobody gave it a second thought. It was a simpler time. You had a username and a password, you typed them into their little boxes and you were in. But that time is long gone, and the traditional password is a bit long in the tooth. Passwords have become a security liability to both companies and users.
It is increasingly difficult to keep track of them. According to Nordpass, the average user has to juggle 70-80 passwords. There is no way users are going to memorize them all. In order to memorize their passwords, people resort to the equivalent of slipping their wallets to the toes of their shoes when they’re at the beach: they either use very easy to remember but easy to guess passwords or just use one strong password for multiple accounts, sometimes maybe both.
As we’ve discussed in an earlier post, the best solution to combat this is not using passwords at all. It’s up to the companies to secure the accounts of their users, as users generally too reckless or inattentive to the security of their accounts. Businesses have to rely on a different way of verifying their users. That’s why setting up a multi-factor authentication solution is a must in this day and age, because passwords don’t cut it anymore.
When deciding on an MFA solution, consider VerifyKit. VerifyKit’s solutions offer user verification very popular messaging app WhatsApp in addition to SMS, reducing your verification costs compared to traditional SMS and ensure a high success rate.
Mobile app security has become a top priority, especially now more than ever. The security of your users’ data and your company assets can’t be overstated. Some see it as a cat-and-mouse game, which to an extent it is, but with the measures we outlined here, you can up your security and protect both you and your users at the same time. It’s up to you, after all, to look after your users and your business.