3 Common Security Mistakes Mobile App Developers Make and How to Fix Them
Following our blogpost last week about Brute Force vulnerability that affects over 600 million smartphones, we asked IT Security Researcher, Francesco Stillavato, about his thoughts on common security mistakes that mobile application developers make and how to fix them.
Security is a very important feature and should not be taken for granted when developing mobile apps. You don’t want your client user data to simply be captured by hackers. Aside from data that is lost, your reputation as developer is at stake. Here are the 3 common security errors shared by Francesco.
How to Fix Common Mobile Security Mistakes
1. Issue: Weak Server Side Control
All applications, somehow, interact with remote/online services. The most common error developers make is to trust their own application data. You should always think that hackers have complete access to their own mobile phone and installed applications. This means that every input or data received, even if it comes from your application, cannot be trusted and should be checked and sanitized.
Fix: Never trust inputs to a backend API service even if they come from your application. Attackers can easily alter the communication and craft malicious payloads. Apply correct sanitization and controls to every data received
2. Issue: Insecure Data Storage
What happens if an attacker can physically (or not) access a device with your application in it. Is he/she able to gather sensitive information? Is this sensitive information for your customers/clients? Think about it when you develop your application.
Fix: If you really need to store sensitive data on the phone, you should encrypt it.
3. Issue: Hardcoded Information
This is very important if you consider issue #2. Never hardcode information in your application. If an attacker reverse engineer your application (for some mobile application it is very easy to reverse it), he/she will find every piece of code and data in it. So if you encrypt something, but you hardcode the key or the security token, the attacker can easily decrypt it!
Fix: Do not hardcode information that can be used against you or your clients. If it is necessary, you should use Mobile OS security features to encrypt data
There are many security mistakes you can face if you inspect a mobile application, but for me, these are the three that stands out the most. To mobile developers, please make sure to keep your apps secure. A well-functioning app is good, more so when it is well-protected and secure.
Want to Pentest Mobile Apps?
Learn to pentest mobile apps and code securely! If you’re a mobile developer, it is important to develop apps while keeping security in mind. Understand the techniques to prevent these common attacks from happening. Get started with the Mobile Application Security and Penetration Testing Course for FREE here: MASPT FREE Trial
Francesco Stillavato is a Senior IT Security researcher and instructor at eLearnSecurity with 6 years of experience in different aspects of Information Security. His experience spans from web application secure coding to secure network design. He has contributed to the Joomla project as a Developer and has conducted a number of assessments as a freelance.