In 2017, 95.1 million people are predicted to make at least one online purchase via their smartphone. This represents a staggering $75.51 billion in retail m-commerce sales.
Combine that with the fact that 39% of adults are using mobile banking, you’ll begin to understand why hacking vulnerable mobile applications has become ever so tempting for digital thieves.
Hewlett Packard Enterprises’ recent study discovered that 75% mobile apps are vulnerable to cyber-attacks.
Malicious apps aside, many legitimate apps have several flaws attackers can easily exploit. With the advent of countless tools, developing mobile apps has become very easy which is what most developers look for. Seldom do these developers think of integrating security protocols and best practices into their apps.
Any brand worth its salt knows that when their users’ sensitive data is compromised because of an attack on their application, no matter who the perpetrators are, it will ultimately be the brand that gets the blame.
Executive Editor of CSO magazine, Scott Berinato, very astutely summarized, “In the event of cybercrimes, victims will look for someone to be held responsible, and it will not be the hackers but the brands that the victims trusted to protect them.”
If you’re a conscientious brand that knows the importance of customer trust, then you need to invest in an app development partner that always creates secure mobile app solutions.
3 Practices to Reduce Your App’s Security Vulnerabilities
In today’s world, undue emphasis is given to app design and functionality. Of course, design and functionality are important, but in this era of sophisticated cybercrimes, app security has become paramount.
What most developers don’t realize is that they can significantly reduce the vulnerabilities in their apps simply by integrating a few optimal changes in their code.
Here are a few ways you can optimize your code and provide layers of security to the app:
1. Use Obfuscation Techniques to Increase Code Complexity:
Attackers gain valuable insights into the app, like bypassing authentication and policy checks, by reverse engineering them. Obscuring the code i.e. obfuscation, can make it difficult for attackers to peek into the operations of the app. Thus, reducing the number of attack vectors.
These techniques can’t outright “stop” an attacker, but they can make it very difficult for them to gain a foothold into the app that they can exploit. While they will be enough to hinder low-level attackers; attackers with a higher skill level will be able to go through them. That being said, it will take even high level attackers a considerable amount of time and effort to circumvent these layers.
The time it takes them to mount their attack and gain access, will be ample warning for your developers to take action and counter the attacks. Here are a few obfuscation techniques every developer should employ:
Reduce Runtime Manipulations – Increase the code complexity of an iOS app by using C/C++ libraries, easily integrated with Objective C and reduce the chances of runtime manipulations. On the other hand, using JNI to call libraries in other programming languages for Android apps is not recommended.
Restrict Debugger – Use specific system calls to prevent the operating system from allowing debuggers to attach to processes. This limits an attacker’s ability to interfere with low-level runtime. Android apps should set
android:debuggable="false" in the manifest, while an iOS app can implement
Trace Checks – Apps can warn if it’s being tracked by debuggers/debugger tools. In such instances apps can trigger counter attacks like notifying the server administrator or discard encryption keys. Methods to perform trace checks:
Monitor process status flags
Compare Ptrace attack return values
Check parent processes
Compare program timestamps
Compiler Optimizations – Use compiler optimizations to cloak complex logics and advanced mathematical computations by obfuscating the object code.
Stripping Binaries – You can make it all that more difficult for an attacker to view your app’s low-level functions by stripping the native binaries. Stripping binaries removes debugging information, making it tough for an attacker to reverse engineer an app.
2. Avoid Using Simple Logic:
The simpler the logic tests used in the app, the more prone to attacks the app will be. If an attacker succeeds in changing one value in a logic test, he can get around the security protocols. Writing the code in a better programming paradigm can:
Help a server enforce privileges when a session is untrusted.
Prevent specified data from being decrypted
Protect data until the session is deemed trusted, using forms of authentication
Help state all sanity check functions static inline (this makes functions more difficult to patch)
Also Read : Top 3 Security Challenges to Enterprise Mobility
3. Use Anti-Tamper Techniques:
These techniques can thwart the attacker’s attempts to reverse engineer an app. An app can open a backdoor into the app and then re-sign it. Financial apps and popular apps are targeted more often via this type of attack.
Attackers publish malicious version of the app on 3rd party markets by inserting malicious functionality into the original app. Employ anti-tamper techniques and tamper-detection mechanism can hinder and frustrate attackers. Some of the techniques are:
Using checksums (attempts to tamper with the application without the correct checksum can stop malicious execution)
File validation methods
Whenever tampering is detected the app can be coded to silently wipe user data and other important information.
Although no application is 100% breach proof, but implementing these (and many other!) coding techniques can provide layers of security. Attackers will have to circumvent these layers if they want to steal sensitive data from your app, which will take considerable time and skill on their part.
The alarms these practices help raise in case of an attack, can give you ample time to ready a counter-attack.
However, an app’s security doesn’t just depend on the code; it depends on your entire Software Development Cycle (SDLC). Building security into your SDLC is the only way to create a secure app that’s easily defendable.