App security is becoming a major software development trend in 2019.
In 2018-2019 the number of unauthorised access attempts and the prevalence of app-hacking are significantly increasing along with the growing volume of online purchases and the use of websites and mobile apps for private and business purposes. This disturbing statistic creates a growing demand for the development of more secure technologies, sophisticated authentication algorithms and data encryption methods.
In this article we discuss the key risks your app can face and how to mitigate them.
What is Cybersecurity?
Cybersecurity refers to the implementation of special measures to protect networks, systems and software applications from digital intrusion. Such attacks are aimed at obtaining access to confidential information, destroying or modifying it, soliciting money from users, or disrupting the normal operation of companies.
Professional software development must be carried out in compliance with international standards and security regulations. For the European market, additional requirements concerning personal data protection came into force in May 2018 (the GDPR).
An expert IT agency's areas of competence include the following types of software security:
Technology Security
Technology security focuses on technological problems, such as:
Intrusion detection
Viruses, worms, crimeware
Network security
System hardening
Engineering and Encryption
Data Security
The main focus of data security is business problems:
Risk management
Intellectual property
Regulatory compliance
Business / financial integrity
Industrial espionage
Forensics and investigations
Privacy
Strategic Security
Professional developers also take care of critical security problems, such as:
Intelligence
Terrorism and cybercrime
Strategies and tactics
Nation-state interests
Politics
App Security: Protect your Data from Cyber Attacks
When developing a mobile app, we take into account the data with which the application operates. The value attached to data varies widely, and more valuable data demands more sophisticated methods of keeping private user information, such as the password used to enter the app or personal phone numbers and email addresses, from disclosure. This is especially important in light of the spread of mobile apps into all areas of business, including banking and finance. Below we have collected examples of a variety of cyber attacks, divided into several categories, to help you understand the key vulnerabilities of your software and how to safeguard against them.
The Main Types of Attacks on Software
First of all, there are mobile software threats that are always relevant. Read more about them and use a checklist to make sure you have taken all the measures needed to protect your corporate data.
In 2019 software security requires even greater attention thanks to such threats as:
App file decompilation (.apk files for Android and .ipa files for Apple iOS) and parsing of locally stored data. Protection at this most important level lies entirely on the shoulders of the mobile developer.
MITM attacks (interception of data transmitted over the network). Most mobile apps are client-server and therefore constantly transmit large amounts of data. Although modern web and mobile development is completing the transition to the HTTPS communication protocol, we do not rely on a secure communication channel as a single line of protection; instead we take other measures as well to guarantee the security of your app.
Device rooting, and attacks on the app and the algorithms it uses through external debugging tools.
How to Develop Secure Mobile Apps
There are several common points for all mobile platforms that our developers at Magora follow during the software and app creation.
User Code Protection
If an app is protected by a user code (fingerprint scan, PIN code, graphic password, etc.), then as soon as it goes into the background an input window for this security code should be displayed, overlapping the entire screen. This eliminates any opportunity for an attacker to obtain private information if the device is stolen while the app is still running in the background.
Any user code should have a limited number of input attempts, after which, if they all fail, the program should automatically log out (or be completely blocked, depending on the particular application).
Currently, when digital codes are used, it is strongly recommended to enforce a minimum code length of 6 digits (more is possible, fewer is not).
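As an added illustration (not Magora's code; Python stands in for the mobile platform's own language), the following sketch enforces the three rules above: a minimum of 6 digits, a bounded number of attempts, and a lockout once they are exhausted. The attempt limit of 5 and the use of a salted PBKDF2 hash in place of the raw code are assumptions, not values from the article.

```python
import hashlib
import hmac
import os

# Policy values: the 6-digit minimum comes from the article; the attempt
# limit of 5 is an illustrative assumption.
MIN_PIN_DIGITS = 6
MAX_ATTEMPTS = 5


def pin_is_acceptable(pin: str) -> bool:
    """Code-length rule: digits only, at least MIN_PIN_DIGITS of them."""
    return pin.isdigit() and len(pin) >= MIN_PIN_DIGITS


class PinLock:
    """Local user-code check with a bounded number of attempts.

    Only a salted hash of the PIN is kept (this is what would go into the
    platform's secure local storage). After MAX_ATTEMPTS consecutive
    failures the lock is set and the app must log out or block itself.
    """

    def __init__(self, pin: str) -> None:
        if not pin_is_acceptable(pin):
            raise ValueError("PIN must be at least %d digits" % MIN_PIN_DIGITS)
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self.failed_attempts = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        # Assumed parameters: PBKDF2-HMAC-SHA256, 100k iterations.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify(self, attempt: str) -> bool:
        """Return True only for the correct PIN while not locked out."""
        if self.locked:
            return False
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(self._hash(attempt), self._digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True  # caller logs out or blocks the app
        return False
```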
Operation of the Client-Server Application
For client-server apps we recommend using a session mechanism with a limited session lifetime. This prevents the application from "idling" in an unprotected mode if the user simply forgets to close it and leaves the device freely available. One way to implement such a mechanism is to obtain an absolute timestamp from the server after the user authorisation procedure: the date and time at which the session will become inactive. The end date and time of the session should not be generated on the device, as this reduces both the flexibility and the security of the software.
The client-server application should not make changes to critical user data in local mode. Any action that requires changes should be synchronised with the server. The only exception to this rule is the user login code, which is set personally by the user and stored in secure local storage.
Working with Dates
When working with dates that matter for the operation of the app, such as the session expiry time, we never rely on relative time. That is, the data transmitted from the server should not contain the date in the form "plus N minutes / hours / days from the current moment". Because data transmission over the network from the mobile app to the server and back can be subject to lengthy delays, such a synchronisation method will produce too many errors. In addition, an attacker (or simply an unscrupulous user) can change the local time zone on the device and thereby break the logic of the restrictive mechanisms. Only absolute time values should ever be transmitted.
Absolute values should be transmitted using universal methods of exchanging such information, without reference to the time zone of a specific user device. Most often the best option is for the data to be displayed to the user in their local time zone but stored and transmitted in a format that is not tied to any time zone. Suitable formats for dates and times are either the universal UNIX timestamp stored in a 64-bit signed integer variable (the UNIX timestamp is the number of seconds since 1 January 1970) or, in special cases, a string in the full ISO-8601 format with a zero time zone. The UNIX timestamp is generally preferred, as it avoids potential problems and errors in converting strings to dates and back on different mobile platforms.
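The following example, added here and not taken from Magora's code, shows both halves of the session-lifetime and absolute-time advice above: the server sends the expiry as a 64-bit UNIX timestamp, the client refuses relative "expires in N seconds" forms, compares two zone-free instants, and converts to the user's zone only for display. Python stands in for the mobile platform; the 15-minute lifetime, the field names and the session id are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

SESSION_LIFETIME_SECONDS = 15 * 60  # assumption: 15-minute sessions
INT64_MIN, INT64_MAX = -2**63, 2**63 - 1


def server_issue_session(server_now: int) -> str:
    """Server side: after authorisation, send the absolute expiry instant.

    'expires_at' is a signed 64-bit UNIX timestamp (seconds since
    1970-01-01 UTC); no offset such as 'expires_in' is ever sent.
    """
    return json.dumps({"session_id": "constructed-session-id",
                       "expires_at": server_now + SESSION_LIFETIME_SECONDS})


def client_parse_expiry(payload: str):
    """Client side: accept only an absolute 64-bit timestamp.

    Returns the timestamp, or None if the server sent a relative form,
    omitted the field, or sent something that is not a 64-bit integer.
    """
    data = json.loads(payload)
    if "expires_in" in data or "expires_at" not in data:
        return None
    expires_at = data["expires_at"]
    if isinstance(expires_at, bool) or not isinstance(expires_at, int):
        return None
    if not INT64_MIN <= expires_at <= INT64_MAX:
        return None
    return expires_at


def session_is_active(expires_at: int, client_now: int) -> bool:
    """Compare two zone-free instants; the device's zone never enters."""
    return client_now < expires_at


def display_expiry(expires_at: int, utc_offset_hours: int) -> str:
    """Only at display time is the instant rendered in the user's zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(expires_at, tz=tz).strftime("%Y-%m-%d %H:%M %z")


def iso8601_utc(expires_at: int) -> str:
    """The 'special case' wire form: ISO-8601 with zero time zone."""
    return datetime.fromtimestamp(expires_at, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
```

Note that `session_is_active` gives the same answer whatever zone the device is set to, because both operands are epoch seconds; only the string from `display_expiry` changes.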
5 Cybersecurity Hints for 2019
In custom development we manage to minimise software security risks. Here are our top 5 tips to build your app to be protected:
We never blindly trust open source libraries that offer some kind of protection for critical user data. Exceptions include time-tested libraries and frameworks used to speed up development in large enterprise projects.
We don’t use closed-source cryptographic libraries (even paid ones). Such solutions will not enable you to check how effective the library is, nor how "honest" its protection is (i.e. whether it has a backdoor mechanism to send the "protected" data to a third party).
In release builds, logging of data to the system console and unprotected files should be disabled. We build specific logs for developers, but usually in encrypted form, in order to avoid third-party access to proprietary information that logs may contain.
We carry out selection and coordination of the protection level, as well as the list of critical user data in the app, at the earliest design stages. Mobile sector vulnerabilities can be quite easily excluded from the software, and most often this does not introduce any special additional costs if started at the early stages of development. The post-factum introduction of protective measures into an already running application may well be associated with significant time, effort and cost.
We design the app so that private user information is not displayed in large, bright, easily readable fonts unless there is an explicit need for it and a separate user request, in order to exclude the possibility of reading this data from a distance on the device’s screen.
At Magora we are always ready to answer your questions, implement validation of third-party code or provide you with a software or app security audit. Get in touch with our team to create your secure bespoke software.