Corporations today are leveraging mobile applications as tools for distributing relevant, critical data to their workforce, partners and customers. But with rapid advancement in mobile technology, ensuring the security of these mobile applications has become a crucial issue that every major enterprise must understand and address. After all, sensitive information stored on a lost or stolen device can lead to a data breach, compliance violations and expensive and embarrassing public disclosures.
Indeed, the productivity offered by mobile devices comes at the cost of increased security risk, as applications on those devices serve as yet another potential gateway to criminally infiltrate enterprise networks — enabling fraudsters and hackers to propagate malicious code.
Before delving into the details of the different risks posed and the best ways to mitigate them, let’s briefly talk statistics. Our readers might assume that the most popular applications on App Store and on Google Play Store are not vulnerable to these risks — unfortunately, they'd be wrong. The mobile security company NowSecure tested applications on these mobile stores and revealed that a staggering 85% of apps violate at least one of the top 10 risks. Of the available apps, 50% exhibit insecure data storage practices and a nearly equal percentage use insecure communication.
As the stats show, security is very clearly an ongoing problem, and with that in mind, we've developed a list of mobile application security best practices for developers.
Encrypt the data at all levels
While device-level security is imperative, it is generally a good practice not to rely exclusively on it. For optimal protection, it is essential that mobile enterprise data be encrypted at all levels, including the file system, application, database access and device levels. For more details, refer to the National Institute of Standards and Technology (NIST) guidelines.
Use strong encryption
It is important that all information is secured from end to end. Whether data is at rest on the device or in transit between the device and servers behind a firewall, every application's data must be securely encrypted.
Isolate application information
All application information accessible through mobile devices should be completely isolated from the data of the user. Isolating mobile application data requires creating a layer of protection around enterprise-deployed applications and securely separating corporate data from employee personal information and consumer applications. Generally, separating enterprise applications and data is a solution that increases employee satisfaction and productivity while ensuring compliance.
Enforce user-level application security policies
Application developers must ensure that the user-level application policies defined by IT security administrators are actually enforced in the app. Enabling remote wipe of application data after a set number of failed password attempts, disallowing sequential digits in passwords and requiring special characters in passwords can all help to ensure that access to corporate applications and data is protected.
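The three policies listed above, as an added example in Node.js (not code from the original article): a password validator that rejects short passwords, passwords without a special character and passwords containing ascending or descending digit runs, plus an unlock guard that invokes a wipe callback once the failed-attempt limit is reached. The limits, the sample passwords and the wipe callback are assumed values.

```javascript
// Added example: client-side enforcement of user-level password policy and failed-attempt wipe.
const POLICY = { minLength: 12, maxFailedAttempts: 5, sequentialRunLength: 3 }; // assumed values

// Detect ascending or descending runs of adjacent digits such as "1234" or "4321".
function hasSequentialDigits(password, runLength = POLICY.sequentialRunLength) {
  let up = 1, down = 1;
  for (let i = 1; i < password.length; i++) {
    const prev = password.charCodeAt(i - 1), cur = password.charCodeAt(i);
    const bothDigits = prev >= 48 && prev <= 57 && cur >= 48 && cur <= 57;
    up = bothDigits && cur === prev + 1 ? up + 1 : 1;
    down = bothDigits && cur === prev - 1 ? down + 1 : 1;
    if (up >= runLength || down >= runLength) return true;
  }
  return false;
}

// Return the list of violated rules; an empty list means the password is acceptable.
function validatePassword(password) {
  const problems = [];
  if (password.length < POLICY.minLength) problems.push('too_short');
  if (!/[^A-Za-z0-9]/.test(password)) problems.push('no_special_character');
  if (hasSequentialDigits(password)) problems.push('sequential_digits');
  return problems;
}

// Count failed unlock attempts and trigger the wipe callback once the limit is hit.
// `verifier` is whatever checks the candidate (in a real app: against a stored salted hash).
class UnlockGuard {
  constructor(verifier, onWipe, maxFailed = POLICY.maxFailedAttempts) {
    this.verifier = verifier; this.onWipe = onWipe; this.maxFailed = maxFailed;
    this.failed = 0; this.wiped = false;
  }
  attempt(candidate) {
    if (this.wiped) return 'wiped';               // nothing left to unlock
    if (this.verifier(candidate)) { this.failed = 0; return 'unlocked'; }
    this.failed += 1;
    if (this.failed >= this.maxFailed) { this.wiped = true; this.onWipe(); return 'wiped'; }
    return 'denied';
  }
}

// Demonstration with a constructed password and a wipe limit of 3.
function demo() {
  const wipeLog = [];
  const guard = new UnlockGuard(p => p === 'Tr0ub4dor&3-Mobile!', () => wipeLog.push('wipe'), 3);
  const results = ['x', 'y', 'Tr0ub4dor&3-Mobile!', 'z', 'w', 'q'].map(p => guard.attempt(p));
  return { results, wipes: wipeLog.length };
}
```

The counter resets on a successful unlock and the guard refuses further attempts after a wipe, so the wipe cannot fire twice and a legitimate user who mistypes a couple of times is not locked out.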
Ensure secure network access
To ensure robust network security, projects should minimize the need to open inbound ports and expose the internal network. The secure mobile application solution should serve only encrypted packets, authenticate applications and grant access solely to those provisioned for specific servers and services, thereby preventing rogue attacks.
Secure the platform
The platform needs to be strictly controlled, which entails detecting jailbroken phones and restricting access to other services when required.
A strong authentication mechanism is of paramount importance in ensuring that users must enter a secure password before they can launch the application in question. Multistep authentication over secured XML-based web services, combining user ID and password with reliable ID/SMS verification, is recommended. Another recommendation is to check the user's location via GPS during authentication.
Permit authorized users to access only the business functions they have a specific business need to access. Once a user has been authenticated, the application can check with the backend services to determine whether they have the required access to the application data (i.e., whether the user is mobile-enabled or not). The client displays a secure navigation menu based on the user's permissions and access rights. These rights are verified again on the backend for each request before any business function is initiated.
Sensitive data should be held only in memory (never on the hard drive) for as long as it is needed, and the application should not write it to the file system. Ensure that confidential information is not leaked through logs and error messages. The application cache manager must clear data when the application is running in the background.
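The two "do not leak it" rules above (logs and error messages, and the cache when backgrounded), as an added Node.js example that is not part of the original article: a redaction helper that masks values under sensitive-looking keys before an object is logged, a scrubber for free-text error messages, and an in-memory-only cache that zeroes and drops its entries on a background transition. The key list, regular expressions and sample records are assumptions.

```javascript
// Added example: keeping secrets out of logs/error messages and out of the cache
// once the app is backgrounded. Patterns and key names are assumed values.
const SENSITIVE_KEYS = /^(password|passcode|pin|token|secret|authorization|ssn|cardnumber|otp)$/i;

// Deep-copy a value for logging, masking anything stored under a sensitive-looking key.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.test(k) ? '[REDACTED]' : redact(v);
    }
    return out;
  }
  return value;
}

// Error messages often carry raw request fragments; strip bearer tokens and anything
// that looks like a payment card number before the message reaches a log sink.
function scrubMessage(msg) {
  return msg
    .replace(/Bearer\s+[A-Za-z0-9\-._~+/]+=*/g, 'Bearer [REDACTED]')
    .replace(/\b\d{13,19}\b/g, '[REDACTED-PAN]');
}

// Thin logger that applies both filters so call sites cannot forget to.
function safeLog(sink, message, details) {
  sink.push({ message: scrubMessage(message), details: redact(details) });
}

// Memory-only cache: entries are zeroed and dropped when the app goes to the background,
// so nothing sensitive survives in the process image or gets paged out to storage.
class SensitiveCache {
  constructor() { this.entries = new Map(); }
  put(key, bytes) { this.entries.set(key, Buffer.from(bytes)); }
  get(key) { return this.entries.get(key); }
  size() { return this.entries.size; }
  onAppBackground() {
    for (const buf of this.entries.values()) buf.fill(0);
    this.entries.clear();
  }
}
```

Redacting by key name is deliberately conservative: it will mask a harmless field called `token` now and then, which is far cheaper than the alternative of an access token sitting in a crash report.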
All network traffic should be encrypted, and it is highly recommended that the HTTPS protocol be used to connect to backend applications. In addition, a whitelist of IP addresses and domain names should be maintained on the client side to prevent the application from connecting to any domain not on the whitelist.
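A client-side check for the whitelist just described (and for the "serve only encrypted packets" rule in the network-access section), as an added Node.js example that is not from the original article: every outbound URL is parsed, required to use HTTPS, rejected if it embeds credentials, and then matched against exact hosts, allowed subdomain suffixes and allowed IP addresses. The hostnames and the TEST-NET IP address are constructed placeholders.

```javascript
// Added example: client-side allowlist applied before any connection is opened.
// All hosts and addresses below are constructed; 203.0.113.10 is a documentation (TEST-NET) address.
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];   // exact host matches
const ALLOWED_SUFFIXES = ['.internal.example.com'];              // subdomains, matched at a label boundary
const ALLOWED_IPS = ['203.0.113.10'];

function hostMatches(host) {
  if (ALLOWED_HOSTS.includes(host) || ALLOWED_IPS.includes(host)) return true;
  // The leading dot in each suffix forces a label boundary, so a host such as
  // "evil-internal.example.com" does not pass as a subdomain of internal.example.com.
  return ALLOWED_SUFFIXES.some(s => host.length > s.length && host.endsWith(s));
}

// Decide whether the app may connect to `urlString`; the reason is returned for logging.
function isAllowedEndpoint(urlString) {
  let url;
  try { url = new URL(urlString); } catch (err) { return { allowed: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { allowed: false, reason: 'not_https' };
  // "https://api.example.com@attacker.net/" parses with a username, not a trusted host.
  if (url.username || url.password) return { allowed: false, reason: 'credentials_in_url' };
  if (!hostMatches(url.hostname.toLowerCase())) return { allowed: false, reason: 'host_not_allowlisted' };
  return { allowed: true, reason: 'ok' };
}

// Wrapper the app's networking layer would call instead of the raw HTTP client.
// `transport` is injected so the guard can be exercised offline.
function guardedRequest(urlString, transport) {
  const verdict = isAllowedEndpoint(urlString);
  if (!verdict.allowed) return { sent: false, reason: verdict.reason };
  return { sent: true, response: transport(urlString) };
}
```

Two of the rejected cases are the ones that trip naive string checks: a host that merely starts with an allowed name (`api.example.com.attacker.net`) and a URL whose userinfo part looks like the allowed host. Parsing with `URL` and comparing `hostname` sidesteps both.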
OS security check
Detect whether the application is running on a jailbroken, rooted or malware-infected device. A security check produces a score based on the state of OS security updates and malware detection — and based on that score, the application can be forced to close. Alternatively, the score can be passed to the backend systems over a secured channel for further investigation and corresponding action.