Integrity, performance and security are the key parameters users look for when they use any smart phone app. For creating a power packed performing mobile solution it becomes important to meet all these expectations besides overcoming limitations of a medium. Design plays a crucial role to attract, encourage and explore a platform, but for a retained usership security takes a prime spot these days in view of ever increasing cyber threats.
There exists a host of security concerns while developing any solution, like: Is the mobile app protected against various attacks? Is the data safe? Is there a possibility of database pollution? Is there any possibility for an attacker to gain unauthorized access to restricted parts of sites? Until we are careful about the codes written, these threats are likely to prevail with all probabilities. Let us have a look at some key issues that must be taken care while working on design and development of mobile solutions to avert such risks.
Crafting a mobile solution calls for thoughtful approach in many regards. Typically data storage in these devices must be kept at its minimum. However, whatever data is required to be saved must be carefully chosen and be protected appropriately. Here is a set of some quick set of guidelines referred at Galaxy Weblinks:
For iOS Apps:
- Storing credentials on phone file system is best avoided and session timeouts too must be minimized. In cases where caching of information becomes necessary, it is advisable to use standard iOS encryption library. And where sensitive apps are being run then consider using whitebox cryptograghy solutions.
- Using Apple keychain API for small amounts of data remains safe until the instrument is jailbroken. Ones done so, the keychain can be easily read. Apart from this there remains a threat of bruteforce as well.
- Always ensure that a strong PIN code with a strength of atleast 4 characters which are alphanumeric in nature, is enforced for enterprise managed mobile phones.
- Apple’s file protection mechanism can be leveraged for general types of consumer grade data. Do not rely on hard coded encryption or decryption keys for storing unencrypted database file.
- For storage of sensitive information relying completely on hardcoded encryption or decryption keys must be avoided.
- It is recommended to provide an additional layer of encryption always beyond any default layer of operation system.
For Android Apps:
- Always consider providing more layer of encryption beyond default encryption mechanism.
- While saving sensitive information, do not always rely on hard coded encryption or decryption keys.
- Usage of ‘javax.crypto’ library can let you secure SD card storage. An easier way to do this, is to encrypt plain text data with master password and AES 128.
- For equio the app security further, ensure that shared preferences property are NOT MODE_WORLD_READABLE until it is explicitly required for data sharing between apps.
SERVER SIDE CONTROL
This element plays a definitive role. When a user operates the platform a strong server side control ensures that the platforms meets the desired purpose and turns out safe and secure in the long run. In order to make sure that server side controls are strong enough, secure configuration practices must be adopted right at the development stage. Such practices can include:
- Validation of input from all untrusted data sources.
- Keep a simple design. With complicated designs the probability of errors shoots up and same goes with effort to achieve implement security measures in place.
- Practice QA rigorously. Adopting good techniques to vouch the code development helps in identifying and defying threats and loopholes strongly. Implementing source code audits, fuzz and penetration testing methods leads to secure systems and solutions.
- Always apply a secure coding standard.
- Create a multiple strategy and manage risks in a planned way always so that in case one layer turns out to be inadequate the second one exists always to protect the systems.
- Offer access based on permission rather than exclusion.
- Design and develop solution for security policies.
TRANSPORT LAYER PROTECTION
For a foolproof system to exist and function the developer must shield platform threats from all directions in each possible way. One such measure is to be equipped with strong transport layer protection. Here are few practices to prevent it:
- SSL /TLS must be applied to all transport channels that shall be used to transmit sensitive information to a backend API.
- Apply strong and standard cipher suites,
- Always demand for SSL chain verification.
- Notify users if mobile app detects an invalid certificate.
- A secure connection must be established only after verifying the identity of the endpoint server using trusted certificates.
- Avoid mixed SSL sessions. This exposes risk of exposing session IDs.
At Galaxy Weblinks, we believe that security holds the prime spot with a principle that productivity must not be at the cost of security. The above mentioned provides a set of elements for vetting the security of mobile platforms for developers. In the upcoming blogs we would more such ways to ensure your apps and solutions are foolproof.