In the current era of mobility, mobile applications have grown into a powerful platform for productivity and fun. Mobile apps have become an incredibly useful tool for users, for everything from shopping and entertainment to education and healthcare. They make our lives a lot easier, don't they?
But to achieve all this, apps rely on users' data, which can be personal (contacts, photos) and can also be risky to share (financial or payment information). That creates the flip side of the story: while mobile apps offer us convenience, they are also becoming a prime target for hacking. Hackers and crackers work daily to abuse these apps to phish user data or to install malware.
Let's look at a few facts that show how this mobile ecosystem has become a favourite of the dark world of hacking:
- In a survey of 14,000 apps (source: Veracode), 85% exposed personal data such as phone location, call history and SMS logs, and 35% of apps shared sensitive information with suspicious locations
- 97% of top paid Android apps and 87% of top paid iOS apps have been hacked (source: Arxan Technologies)
Hence it is evident that security is one of the most important factors to consider during app development, and that is where secure coding comes in.
Secure coding is the practice of writing apps in such a way that users' data is protected from being compromised. It also ensures that an attacker cannot take control of the app in a way that could result in leaked data, loss of service or damage to users' systems.
There is, however, no single checklist for securing all apps. Just as each app has its own scope and requirements, each has its own security needs.
For example, while developing an alarm app, a developer might not need many security considerations, but while developing a social networking app that handles users' personal data, security measures would need to be considered significantly. Further along that scale, a finance-related app that sends sensitive payment information to servers will have to take stricter security measures, such as securing the app, securing the transmission of data and securing the servers.
So before actually laying out the security norms to follow during app development, developers should know what the attack points in their apps could be. Let's look at a few potential attack points in an app:
- App-to-server data transmission, used to capture the app's credentials and those of external services such as banking
- Application Data
- Cache files
- Reverse engineering to extract embedded credentials
- Malware installation and bots (Android and jailbroken iPhones)
Now let's go through EIGHT major guidelines and norms to follow for secure coding.
Securing Storage of Data
Unsafe storage of data is one of the greatest threats to apps.
One such example of carelessness was the Starbucks app, which stored usernames, email IDs and passwords in plain text. This was done to make purchases easier by not asking for the username and password every time, but without encryption the personal data was readily available for hackers to misuse.
It is essential to classify the data storage according to sensitivity in the design phase itself and apply the controls accordingly.
- If you create credentials for users, create them securely. For example, a short numeric string may be acceptable for authenticating in a gaming app, but it is not safe for a finance or purchase-related app, so proper password input validation should be added
- Do not store sensitive data on the device; try to send it to the server, ensuring safe transmission and safe server-side storage
- If it is necessary to store data on the client side, use proper encryption such as AES, which is available on both iOS and Android
- Store it in a secure area such as the Keychain on iPhone. On Android, use internal storage protection
- Android: avoid the MODE_WORLD_WRITEABLE and MODE_WORLD_READABLE modes, because they do not provide the ability to limit data access to particular applications
- Do not store data in shared storage or cache directories, which are easily readable.
- For sensitive personal data, retain it only as long as it is required. Deletion procedures should be scheduled to remove the data as soon as it is no longer needed.
- Do not store any passwords or secrets in the application binary; instead use runtime-generated secrets, such as the bundle identifier on iOS and the Play Store identifier on Android
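As an added illustration of the storage guidelines above (example code written for this article's discussion, not code from the original post or from any of the apps mentioned), here is the world-readable, plain-text pattern beside a hardened version for Android. It assumes the androidx.security:security-crypto library is on the classpath; the preference file names are constructed for the example.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

// Added example: two ways of keeping a session token on an Android device.
public final class TokenStore {

    // WEAK: MODE_WORLD_READABLE lets every app on the device read the file, and the
    // token is written in plain text (the Starbucks-style mistake described above).
    // The mode is deprecated since API 17 and throws SecurityException on API 24+.
    @SuppressWarnings("deprecation")
    static void saveTokenInsecurely(Context ctx, String token) {
        SharedPreferences prefs =
                ctx.getSharedPreferences("session", Context.MODE_WORLD_READABLE);
        prefs.edit().putString("token", token).apply();
    }

    // HARDENED: the file stays in the app's private internal storage and
    // EncryptedSharedPreferences encrypts both keys and values with AES, using a
    // master key that lives in the Android Keystore rather than in the binary.
    static SharedPreferences openSecurePrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                "session_secure",   // constructed file name for this example
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    static void saveToken(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        openSecurePrefs(ctx).edit().putString("token", token).apply();
    }

    // Retain only while required: wipe the token on logout or when it expires.
    static void clearToken(Context ctx)
            throws GeneralSecurityException, IOException {
        openSecurePrefs(ctx).edit().remove("token").apply();
    }
}
```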
Securing Handling and Transmission of Data
- Instead of passwords, authorization tokens should be used, which can be expired at set intervals. The latest authorization standards, such as OAuth 2.0, should be used
- Apps should use an end-to-end secure channel such as SSL/TLS when transmitting sensitive data.
- Use certificates signed by trusted CAs. Self-signed certificates should not be allowed.
- Use native SSL libraries rather than third-party implementations, which have suffered flaws such as HeartBleed.
- Use mutual SSL authentication with the server so that you can confirm your app is actually connecting to the intended server
- Do not allow open-ended connections in apps. On iOS, you can define in Info.plist which servers the app is allowed to connect to.
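The following added example (not code from the original article) shows the TLS misconfiguration that lets self-signed or attacker-issued certificates through, beside a hardened client that keeps the platform CA trust store and additionally pins the server's key. It assumes OkHttp 3 or later; the host name and pin value are placeholders, not real values.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Added example: TLS client configuration for an Android app talking to its backend.
public final class ApiClient {

    // WEAK: a "trust everything" TrustManager plus a HostnameVerifier that accepts any
    // host. Self-signed and attacker-issued certificates are accepted, so the "secure
    // channel" no longer protects the data in transit. Commonly added to make a dev
    // server work and then shipped by mistake.
    static OkHttpClient insecureClient() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new X509TrustManager[] { trustAll }, null);
        HostnameVerifier anyHost = (hostname, session) -> true;
        return new OkHttpClient.Builder()
                .sslSocketFactory(sslContext.getSocketFactory(), trustAll)
                .hostnameVerifier(anyHost)
                .build();
    }

    // Placeholders: replace with the real API host and the SHA-256 pin of its public key.
    static final String API_HOST = "api.example.com";
    static final String API_PIN  = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    // HARDENED: no custom TrustManager, so only certificates chaining to a trusted CA
    // are accepted, and the pin rejects a certificate issued for this host by any other
    // CA. This closes the connection to the one intended server, as the guideline asks.
    static OkHttpClient hardenedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, API_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

A pinned client needs a rotation plan: ship a backup pin for the next key before the current certificate is replaced, or the app locks itself out of its own server.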
User Session Management
- While users are creating passwords, show them the password strength so that they can choose strong passwords
- After authentication, pass the token in all subsequent server requests to avoid unsecured access to web services
- Use strong session identifiers. For example, we currently use a combination of date and time; adding the phone's accelerometer values and other sensor values and encrypting the combination can be used
- Add additional security measures where possible; for example, iOS fingerprint technology can be used to validate transactions in the app
- Add additional factors to the security model, such as IP address or location. For example, an app feature can be restricted to a particular location or IP address
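As an added server-side example (not code from the original article), here is issue-and-validate logic for the kind of session token the section describes: expiring at a fixed interval, presented on every request after login, and bound to the client's IP address as an additional factor. Instead of the date/time-plus-sensor construction mentioned above, the identifier comes from a cryptographically secure random generator; the 15-minute lifetime is a constructed value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: short-lived session tokens bound to the authenticating client.
public final class SessionToken {
    private static final SecureRandom RNG = new SecureRandom();
    static final long LIFETIME_MS = 15 * 60 * 1000L; // constructed: expire after 15 min

    final String id;           // 32 random bytes, URL-safe Base64; opaque to the client
    final long issuedAtMs;
    final String boundClientIp;

    private SessionToken(String id, long issuedAtMs, String boundClientIp) {
        this.id = id;
        this.issuedAtMs = issuedAtMs;
        this.boundClientIp = boundClientIp;
    }

    // Called once after the user has authenticated; the password is never sent again.
    static SessionToken issue(long nowMs, String clientIp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);   // 256 bits from a CSPRNG: not derivable from time or sensors
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        return new SessionToken(id, nowMs, clientIp);
    }

    // Each subsequent request must carry the token. It is accepted only while unexpired
    // and only from the address it was issued to; an expired token is re-issued after a
    // fresh login rather than silently extended.
    boolean accepts(String presentedId, long nowMs, String clientIp) {
        boolean fresh = nowMs - issuedAtMs < LIFETIME_MS;
        boolean sameClient = boundClientIp.equals(clientIp);
        return fresh && sameClient && constantTimeEquals(presentedId, id);
    }

    // Constant-time comparison so response timing does not reveal how many leading
    // characters of a guessed token were correct.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```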
Using Code from Other Developers
Reinventing the wheel is generally considered bad: if free code exists to achieve some functionality, why not use it? But there is another side to this. Hackers publish free code so that app developers use it, which then gives them access to all the data, which can be tampered with.
- Confirm the authenticity of third-party frameworks before actually using them in your application
- Track and validate all data sent to and received from third-party libraries before processing it within the application
Securing the Backend
If the backend is not hardened, it creates a path for hackers to gain access to the data sent from the app, and all the security measures taken in the app and in transmission would be in vain.
- All REST services should be tested periodically for security threats
- Ensure that the backend platform is running with a hardened configuration and that the latest security patches are applied to the server
- Maintain logs on the server to spot incidents that pose threats to the server, so that necessary action can be taken
Data Minimization
Data minimization is an essential part of security. Don't collect or keep data you don't need. Taking unnecessary data and storing it only increases your liability for securing it.
For example, if you are working on a photo-editing app, you won’t need user’s contact info or location information.
- In simple words, data you don't collect is data you need not do anything to protect
- Android: when creating permissions, aim for the signature protection level, as those permissions are only accessible to apps signed by the same developer
- Remove data as soon as you no longer need it. For example, if you required location data to verify the authenticity of a user, do not store it. Use, verify and destroy the location update data immediately.
- Only declare permissions that you actually need and use in the app. Do not just copy a permissions list from a generic app.
Security Testing
A tester is a line of control for the security of an app. Once the app goes past development, the tester must ensure that it is actually secure; otherwise the data of a large user base would be put at risk.
- Test every aspect of the app for security, such as GPS, camera, payment system, etc.
- Remove debug logs from your app. This is the first place hackers look for vulnerabilities
- Mobile applications should be properly tested against reverse engineering, through which a mobile application can reveal sensitive user data such as passwords and credit card information. Developers should avoid hardcoding sensitive data.
- Static analysis and code review cover the analysis of the application code and its coding defects. The code is analyzed using static analyzers, then reviewed manually and checked for vulnerabilities that may arise from poor coding practices. With static analysis, both the business logic and the security of the application are covered.
Releasing Security Updates
Hackers are faster than you. They keep looking for apps that don't release security updates and try to find vulnerabilities in them on upcoming or newly released OS versions.
Revisit your app often to release security updates. Stay involved in your app even after it goes live, as new security threats arise daily.
Add a mechanism for user feedback. User feedback can also help you discover security vulnerabilities so that patches can be made.