Handling Security Risks in Mobile Apps
Dr. Hrushikesh Zadgaonkar PhD
Solution Architect, Technology @ GlobalLogic
Security has become a very important aspect of mobile apps, which offer a level of convenience the world has never known before. Mobile apps now accompany users from waking up in the morning to going to sleep at night, and most daily activities can be done through them.
Since these activities include financial operations involving the user's credit card details, net banking and passwords, security has become a serious concern.
Using mobile apps involves several risks that need to be addressed. Users need to understand them to protect themselves and their data, and the exposure is even greater for a company than for an individual. The main risks are listed below:
1. Improper Session Handling
Suppose you are paying a bill, put your phone down and walk away to do something else. Until you return, an attacker who picks up the phone can act within your still-open session and access your bank details, which can cause a serious loss.
To prevent this, sessions must be handled properly: the app should detect that the user has been inactive for a certain period and automatically log the user out, closing the session on both the client and the server. In practice this also means giving every session an absolute lifetime, so that even an active session expires after a fixed time and the user must re-authenticate, issuing a fresh session ID at login rather than reusing one created before login, and invalidating the server-side session on logout instead of merely deleting the token on the device.
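The following session store is an added example, not code from the original article; it implements the idle timeout described above together with an absolute lifetime, using only the Python standard library. The timeout values, the user names and the fake clock are assumptions chosen so the bill-payment scenario can be replayed without waiting.

```python
"""Idle-timeout and absolute-lifetime session handling (added example, stdlib only)."""
import secrets
import time

IDLE_TIMEOUT = 5 * 60          # assumed policy: log out after 5 minutes without activity
ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: force re-login after 8 hours even if active


class SessionStore:
    """Server-side session table keyed by a random, unguessable session ID."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_lifetime=ABSOLUTE_LIFETIME,
                 clock=time.monotonic):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._absolute_lifetime = absolute_lifetime
        self._clock = clock  # injectable so expiry can be exercised without real waiting

    def login(self, user_id):
        """Create a brand-new session ID after successful authentication (never reuse an
        ID that existed before login, which would allow session fixation)."""
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[session_id] = {"user": user_id, "created": now, "last_seen": now}
        return session_id

    def touch(self, session_id):
        """Validate the session on every request. Returns the user ID, or None when the
        session is unknown or has expired (an expired session is deleted, not just refused)."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session["last_seen"]
        age = now - session["created"]
        if idle_for > self._idle_timeout or age > self._absolute_lifetime:
            self.logout(session_id)
            return None
        session["last_seen"] = now  # activity extends the idle window, never the absolute lifetime
        return session["user"]

    def logout(self, session_id):
        """Explicit logout invalidates the server-side record; deleting only the client's
        copy of the ID would leave the session usable by anyone who captured it."""
        self._sessions.pop(session_id, None)

    def active_count(self):
        return len(self._sessions)


def unattended_phone_scenario():
    """The bill-payment scenario from the text, driven by a fake clock.
    Returns (what the attacker gets, sessions left in the store)."""
    fake_now = [1000.0]
    store = SessionStore(idle_timeout=300, absolute_lifetime=3600, clock=lambda: fake_now[0])
    sid = store.login("alice")
    fake_now[0] += 120                 # two minutes later alice is still paying her bill
    assert store.touch(sid) == "alice"
    fake_now[0] += 301                 # phone left unattended for just over five minutes
    attacker_sees = store.touch(sid)   # whoever picks the phone up gets no session
    return attacker_sees, store.active_count()
```

Injecting the clock is what makes the expiry rules testable; in a real deployment the mobile client enforces the same idle timeout locally (locking the screen and discarding its copy of the ID) so that the server-side check is the second line of defence rather than the only one.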
2. Cryptography
Numerous algorithms have been developed in the field of cryptography, and the field keeps evolving as older algorithms are broken and replaced.
Make sure that the cryptographic algorithms and libraries used in your organization are well established and not known to be broken (MD5 and SHA-1 for signatures, DES and RC4, and short RSA keys are all past their useful life), and that they are used correctly: standard implementations rather than home-grown ones, random keys and IVs, authenticated encryption for stored data, and salted, deliberately slow hashes for passwords. Verify this with code review, threat modelling and penetration testing rather than assuming it.
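As an added example (not from the original article), the block below places a broken choice beside a sound one for the most common cryptographic task in a mobile app: storing something that lets the app verify a password. Passwords are hashed, not encrypted, because the app only ever needs to check them; the iteration count and salt length are assumed policy values.

```python
"""Password storage: a broken fast hash beside a salted, slow KDF (added example, stdlib only)."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed policy; raise it as hardware gets faster


def weak_hash(password: str) -> str:
    """The 'before': unsalted MD5. Equal passwords give equal hashes, MD5 is collision-broken,
    and it is so fast that a leaked table can be attacked with precomputed or brute-force guesses."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The 'after': PBKDF2-HMAC-SHA256 with a random 16-byte salt. The parameters are stored
    with the hash so they can be raised later without invalidating old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":    # refuse records made with anything not on the allow-list
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)
```

The allow-list check in verify_password is the programmatic form of the advice above: a record produced by an algorithm the organization has retired is rejected rather than silently accepted.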
3. Insecure Data Storage
Many users lose sensitive information because it is stored insecurely on the mobile device: in plain-text files, shared preferences, unencrypted databases, logs, backups or world-readable locations. Examples of such data include:
- Authentication tokens
- Cookies
- Passwords
- GPS location data
- Device UDID/IMEI
- Network connection details
- Credit/debit card data already stored on the device
- Application data such as cached or backed-up messages, logs, transaction histories, etc.
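The scanner below is an added example, not part of the original article. It runs over lines from an app's log or preference files and flags the kinds of data listed above: Luhn-valid card numbers, an IMEI, a JWT-style bearer token, a plain-text password and a GPS fix. The log lines are constructed for the example, the patterns are deliberately simple, and the card number and IMEI are well-known test values.

```python
"""Scan app storage (logs, preference dumps) for sensitive data left in the clear (added example)."""
import re

# Simple patterns for the data classes in the list above; tune them for a real code base.
IMEI_RE = re.compile(r"(?i)imei\D{0,5}(\d{15})")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
SECRET_KEY_RE = re.compile(r"(?i)\b(password|passwd|pwd|token|secret|api_key)\s*[=:]\s*\S+")
GPS_RE = re.compile(r"-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by both payment card numbers and IMEIs; filters out
    order IDs and timestamps that merely look like long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list:
    """Return the classes of sensitive data found on one line, in a fixed order."""
    findings = []
    covered = []  # spans already classified, so an IMEI is not reported again as a card
    for m in IMEI_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append("imei")
            covered.append(m.span(1))
    for m in CARD_RE.finditer(line):
        if any(start <= m.start() < end for start, end in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card_number")
    if JWT_RE.search(line):
        findings.append("bearer_token")
    if SECRET_KEY_RE.search(line):
        findings.append("plaintext_secret")
    if GPS_RE.search(line):
        findings.append("gps_location")
    return findings


def scan_lines(lines) -> dict:
    """Map line number (1-based) to findings, omitting clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        found = scan_line(line)
        if found:
            report[number] = found
    return report


# Constructed sample of an app log as it might be found in the device's files directory.
SAMPLE_LOG = [
    "2024-01-15 10:22:03 INFO  payment ok card=4111 1111 1111 1111 amount=42.00",
    "2024-01-15 10:22:04 DEBUG auth response token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.s1gn4tur3",
    "2024-01-15 10:22:05 DEBUG login password=hunter2 user=alice",
    "2024-01-15 10:22:06 INFO  device imei=490154203237518 location: 12.9716, 77.5946",
    "2024-01-15 10:22:07 INFO  order id=1234567890123456 shipped",
]
```

The last sample line shows why the Luhn check matters: a 16-digit order ID is not reported, so the scanner can be run over real logs without drowning in false positives. A practitioner would run the same scan over an unpacked backup of the app, which is where data that is "only on the device" usually turns up.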
4. Older Operating Systems
Security patches for mobile operating systems are not always installed on devices in a timely manner, and the process is not fast for every vendor: it can take weeks to months before a security update reaches consumers' devices.
Even when a vulnerability is critical, the patching process can be complex and involve many parties, which can be very damaging for consumers. For example, Android's developers release fixes for security vulnerabilities in Android, but it is up to each device manufacturer to produce a device-specific update incorporating the fix, which takes time if the device's software contains proprietary modifications. Once a manufacturer produces an update, each carrier must test it and transmit it to consumers' devices. An app therefore cannot assume that the platform underneath it is patched: it should set a realistic minimum supported OS version, avoid relying on platform protections that were only recently fixed, and keep its own sensitive data protected independently of the OS.
5. No Limitation on Internet Connections
Most mobile devices do not ship with a user-configurable firewall that limits network connections. When a device connects to a Wi-Fi network, it communicates over ports with the internet and with other devices on the same network. An app that opens a listening port (for debugging, local file sharing or device-to-device transfer) is reachable by anyone on that network, and an attacker could access the device through such an insecure port.
A firewall on these ports would let the user choose which connections to accept. Without one, the listening service itself must be secured: bind it to the loopback interface when only the app itself needs it, require authentication on anything that must be reachable from the network, and never leave debug servers enabled in production builds. Otherwise an intruder can obtain sensitive information and misuse it.
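The block below is an added example, not code from the original article. It audits what an app has opened for listening and separates loopback binds, which only other processes on the phone can reach, from wildcard binds, which anyone on the same Wi-Fi can reach. The listener snapshot is constructed, and the two sockets opened by the demo use port 0 so the OS picks free ports.

```python
"""Audit listening sockets: loopback-only versus exposed to the network (added example)."""
import ipaddress
import socket


def classify_bind(host: str) -> str:
    """'local' if only processes on the device can connect, 'exposed' if any host on the
    network can, 'unknown' for anything that is not an IP address."""
    if host in ("0.0.0.0", "::", ""):   # wildcard: every interface, including Wi-Fi
        return "exposed"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    return "local" if addr.is_loopback else "exposed"


def audit_app_listeners(listeners):
    """listeners: iterable of (name, host, port). Returns the same rows with a verdict added."""
    return [(name, host, port, classify_bind(host)) for name, host, port in listeners]


def open_listener(host: str, port: int = 0) -> socket.socket:
    """Open a TCP listener the way an app's embedded debug or transfer server would."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(1)
    return sock


def demo_real_sockets():
    """Open the mistaken and the corrected listener and classify them from what the OS
    reports via getsockname(), not from what the code intended."""
    exposed = open_listener("0.0.0.0")      # the mistake: reachable from the whole network
    local = open_listener("127.0.0.1")      # the fix: loopback only
    try:
        return [classify_bind(s.getsockname()[0]) for s in (exposed, local)]
    finally:
        exposed.close()
        local.close()


# Constructed snapshot of what an app might have opened on a phone.
DEVICE_LISTENERS = [
    ("debug-console", "0.0.0.0", 8081),
    ("file-share", "::", 9000),
    ("local-ipc", "127.0.0.1", 5555),
    ("local-ipc6", "::1", 5556),
]
```

Anything reported as exposed needs either to be removed from release builds or to authenticate its clients; a loopback bind is the cheapest equivalent of the missing firewall.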
6. Side Channel Data Leakage
This is different from the attacks we normally see, such as brute force or a weakness in a cryptographic algorithm. In a side channel attack the attacker does not break the mechanism itself but analyses information that leaks through the way data is handled: timing differences, power or cache behaviour, or copies of data the platform makes elsewhere (screenshots taken for the app switcher, keyboard caches, the clipboard, URL and web caches, crash logs and analytics). The attacker looks for such loopholes in the data flow and exploits them.
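The simplest side channel to show in code is timing. The added example below (not from the original article) pairs a typical early-exit comparison of a secret with the constant-time replacement, and simulates the attack: the attacker never reads the secret, only the amount of work the comparison does, which stands in for the measured response time. The secret and alphabet are assumptions for the demonstration.

```python
"""A timing side channel in secret comparison, with the constant-time fix (added example)."""
import hmac
import string


def naive_equal(secret: bytes, guess: bytes):
    """Typical 'compare byte by byte and return early' code. Returns (equal, bytes_examined).
    The number of bytes examined, and therefore the time spent, grows with the length of
    the correct prefix: that count is the side channel."""
    if len(secret) != len(guess):
        return False, 0
    for i in range(len(secret)):
        if secret[i] != guess[i]:
            return False, i + 1
    return True, len(secret)


def constant_time_equal(secret: bytes, guess: bytes) -> bool:
    """The fix: the work depends only on the length, not on where the first mismatch is."""
    return hmac.compare_digest(secret, guess)


def leak_profile(secret: bytes, guesses):
    """How much work each guess triggers; a remote attacker observes this as latency."""
    return [naive_equal(secret, g)[1] for g in guesses]


ALPHABET = (string.ascii_lowercase + string.digits).encode()  # assumed token alphabet


def recover_by_timing(secret: bytes, alphabet: bytes = ALPHABET) -> bytes:
    """Simulated attack. `secret` is passed only so the oracle can be called; the attacker
    reads nothing but the work count. One position at a time, the candidate that keeps the
    comparison running longest is the right byte, so the secret falls in
    len(secret) * len(alphabet) guesses instead of len(alphabet) ** len(secret).
    The length is assumed known (token formats are usually fixed-width)."""
    length = len(secret)
    known = b""
    for pos in range(length):
        best, best_steps = None, -1
        for ch in alphabet:
            guess = known + bytes([ch]) + b"\x00" * (length - pos - 1)
            equal, steps = naive_equal(secret, guess)
            if equal:
                return guess
            if steps > best_steps:
                best, best_steps = ch, steps
        known += bytes([best])
    return known
```

Against constant_time_equal the same procedure learns nothing, because every guess costs the same. On a device the analogous leaks are usually not in the app's own comparisons but in what the platform caches; the principle, that an attacker can exploit a difference in behaviour without breaking the algorithm, is the same.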
7. Authentication and Authorization
All apps installed on a device should adhere to best practices for authentication and authorization: verify who the user is on every request, check on the server that this user is allowed to perform the requested action on the requested object, and never rely on checks performed only in the client. There are also buggy or malicious apps that constantly run scripts in the background; they should be identified and blocked. Together this ensures that only authorized devices, users and systems transfer data.
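The following added example (not from the original article) shows the two checks as separate steps on the server side: authentication of a signed, expiring token, then object-level authorization of the specific account the client asks for. The signing key, the account table and the "support" role are assumptions for the demonstration.

```python
"""Authentication (signed, expiring token) and object-level authorization (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import time

SERVER_KEY = b"assumed-example-key-not-for-production"  # assumed; keep the real one in a secret store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, role: str, ttl: int = 900, now: float = None) -> str:
    """Server side, after the password/biometric check succeeded: claims plus an HMAC-SHA256 tag."""
    exp = (time.time() if now is None else now) + ttl
    payload = json.dumps({"sub": user_id, "role": role, "exp": exp}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def authenticate(token: str, now: float = None):
    """Returns the verified claims, or None. Nothing in the payload is trusted before the
    tag has been checked, and the check is constant-time."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims["exp"] < (time.time() if now is None else now):
        return None
    return claims


# Constructed account table standing in for the server's database.
ACCOUNTS = {
    "acc-1": {"owner": "alice", "balance": 100},
    "acc-2": {"owner": "bob", "balance": 50},
}


def get_account(token: str, account_id: str, now: float = None) -> dict:
    """Server-side handler: authenticate, then authorize against the specific object.
    The client supplying an account ID proves nothing about its right to read that account."""
    claims = authenticate(token, now)
    if claims is None:
        raise PermissionError("not authenticated")
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(account_id)
    if account["owner"] != claims["sub"] and claims["role"] != "support":
        raise PermissionError("user %s may not read %s" % (claims["sub"], account_id))
    return account
```

The authorization line is the one most often missing in mobile back ends: the app only ever shows the user their own accounts, so the server is never tested with somebody else's ID until an attacker replays the request with a different one.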
8. Client Side Injection
Applications for mobile operating systems such as Android and iOS are client-side apps that reside on the user's handset. An attacker can supply crafted text (through a form field, a deep link, a QR code, an NFC tag, or data from another app) that the app passes to an interpreter, so that it is executed as code instead of being treated as data.
SQL injection against the app's local database can be a severe flaw, especially in apps that hold data for more than one user. Other injection points target the application's data and components, for example JavaScript injected into a WebView, or crafted intents and URL schemes aimed at exported components. These can be avoided or limited by parameterized queries, by validating input at the boundary, and by the memory-safety protections of managed languages, which rule out classic buffer overflows but do not stop injection into interpreters.
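As an added example (not code from the original article), the block below reproduces client-side SQL injection against an app's local SQLite database, using Python's sqlite3 module in place of the platform's SQLite API: a search built by string concatenation, the same search with parameters, and the payload that separates them. The message table and its contents are constructed.

```python
"""Client-side SQL injection into a local SQLite store, vulnerable and fixed (added example)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed on-device message store shared by two users of the same app."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages(id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO messages(owner, body) VALUES
            ('alice', 'hi bob'),
            ('bob',   'my PIN is 4321'),
            ('alice', 'lunch?');
    """)
    return conn


def search_vulnerable(conn, owner: str, needle: str) -> list:
    """The flaw: the search text is pasted into the SQL, so quotes in it end the literal
    and the rest is interpreted as SQL. Kept deliberately as the 'before'."""
    sql = "SELECT body FROM messages WHERE owner = '%s' AND body LIKE '%%%s%%'" % (owner, needle)
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, owner: str, needle: str) -> list:
    """The fix: bound parameters keep the search text as data whatever it contains.
    (The LIKE wildcards % and _ in user input still act as wildcards; escape them with
    an ESCAPE clause if that matters for the feature.)"""
    sql = "SELECT body FROM messages WHERE owner = ? AND body LIKE ?"
    return [row[0] for row in conn.execute(sql, (owner, "%" + needle + "%"))]


# Attacker-controlled search text, e.g. typed into the app's search box or delivered
# through a deep link. It closes the LIKE literal and appends a condition that is always true.
PAYLOAD = "x%' OR '%'='"
```

With the payload the vulnerable query becomes `... AND body LIKE '%x%' OR '%'='%'`, and because AND binds tighter than OR the owner restriction no longer applies: alice's search returns bob's PIN. The parameterized version returns nothing, since no message body contains that text.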