Smartphones and mobile applications are an essential part of our life. With mobile apps, we can play games, book a flight, socialize, and buy groceries. Recently mobile apps have made inroads into banking and financial sector, where confidential details are exchanged. A security breach in the mobile application can lead to data theft, IP theft, unauthorized access and fraud. From the business perspective imperfect mobile app security, it can lead to dissatisfied customers, revenue loss and eventually tarnished brand image.
Challenges in Mobile App Security
1. Device Fragmentation
Mobile application testing needs to cover a multiplicity of mobile devices with different capabilities, features, and limitations. Identification of security vulnerabilities specific to devices makes performance testing a difficult task. The testing team can’t test release as fast as the development team is producing them, so they are becoming a bottleneck in the release process. This also leads to the production of low-quality apps. Most of the apps are made in iOS, Android or Windows environment. But there are different versions of each Operating System (OS) which have a different set of vulnerabilities. Testing of the app on each version is time-consuming and requires application tester to be aware of the loopholes.
2. Tools for Mobile Automation Testing
A reasonable approach to fragmentation requires the use of automation testing. But Traditional testing tools like Selenium or QuickTest Professional (QTP) weren’t designed with cross-platform in mind. So automation tools for mobile app and web application are different. While many test automation and testing tools for mobile have emerged, there is a dearth of full-fledged standard tools that can cater to every step of the security testing. The common mobile automation testing tools are Appium, Robotium, and Ranorex.
3. Weak Encryptions
A mobile app can accept data from all kinds of sources. In the absence of sufficient encryption, attackers could modify inputs such as cookies and environment variables. Attackers can bypass the security when decisions on authentication and authorization are made based on the values of these inputs. Recently hackers targeted Starbucks mobile users to siphon money out of their Starbucks mobile app. Starbucks confirmed that its app was storing usernames, email addresses, and passwords in clear text. This allowed anyone with access to the phone to see passwords and usernames just by connecting the phone to a PC.
4. Weak Hosting controls
When creating their first mobile applications, businesses often expose server-side systems that were previously inaccessible to outside networks. The servers on which your app is hosted should have security measures to prevent unauthorized users from accessing data. This includes your own servers, and the servers of any third-party systems your app may be accessing. It’s important for the back-end services to be secured against malicious attacks. Thus, all APIs should be verified and proper security methods should be employed ensuring access to authorized personnel only.
5. Insecure Data Storage
In most of the popular apps consumers simply enter their passwords once when activating the payment portion of the app and use it again and again to make unlimited purchases without having to re-input their password or username. In such cases, user data should be secure and usernames, email addresses, and passwords should be encrypted. For example, in 2012 a flaw in Skype data security allowed hackers to open the Skype app and dial arbitrary phone numbers using a simple link in the contents of an email. Design apps in such a way that critical information such as contact details, passwords, and credit card numbers do not reside directly on a device. If they do, they must be stored securely.
Businesses should define standard secure practices during application development. Considering the following concerns, they can ensure security across every aspect of mobility operations:
- Data: How does the application fetch and display data?
- Network: How does the application access networks?
- Device: How vulnerable is the device to loss or theft?
- Application: How securely and effectively is the application coded?
Businesses should apply mobile strategy diligently make sure your mobile developers can think through unintended consequences of app design and security. Delivering an easy-to-use app will decrease the brand value if you put customer or enterprise data at risk.