Securing Mobile Apps

Rahul
The world is going through a mobile revolution that is affecting everyone's life in one way or another. We have recently witnessed a major disruption in corporate computing, driven by the adoption of new mobile operating systems and bring-your-own-device (BYOD) environments. These days IT organizations typically have responsibility for mobile device management and the security related to those devices. For most organizations, a scarcity of resources for mobile app development and a lack of mobile and general security expertise can prevent an adequate response to this challenge. Certifying that mobile apps meet certain baseline security measures is both time-consuming and expensive. The real concern is third-party mobile apps, whose source code is impossible to acquire and whose level of security is difficult to assess. Mobile security solutions must help break the bottleneck of mobile app deployment and help IT organizations meet the mobile app challenges that their organizations' leaders place on them.

As the fragmentation of mobile operating systems continues, mobile apps are becoming new security endpoints. The next challenge in mobile security is making apps self-defending by adding the type of security that was formerly reserved for personal computers. So what are the different types of threats to mobile apps? What is actually happening here? And why is it necessary to secure mobile apps? Let's try to find out.

Mobile apps are hacked for:

1. Stealing money and information

2. Embarrassing people

3. Getting famous

4. Breaking out of restrictive application licensing and functionality

5. Breaking out of restrictive platforms

If you wonder why this is happening, the answer is very predictable:

1. Development of mobile apps is focused on features and not security

2. Developers are unaware of the underlying platform

3. Users don't even have security on their radar

4. Users are easily social engineered

What do attackers want?

1. Credentials: They want the credentials to your device and to your external services (email, banking, etc.).

2. Personal Data: Everything related to you is on their radar, which generally means your name, address book data and location data.

3. Cardholder Data: Your credit and debit card details are a top priority, including card numbers, expiry dates and CVVs.

4. Access to your device: Lastly, the attackers want to sniff your connections, use your device (botnets, spamming) and steal trade secrets or other sensitive data.

So, now moving on to solutions, this is how a mobile app can be secured:

1. Encryption should be used extensively.

2. Developers should go deeper than the sample code on the vendor's website.

3. Developers should understand what the OS is doing when they ask it to do something, and how the OS links libraries to the app.

4. Don't rely on built-in key chains or key stores

5. Avoid storing sensitive data on the device

6. Use anti-debug and anti-reversing measures

7. Clear memory after use

8. Test on a jailbroken or rooted device - see what the bad guys will see.

(Based on SAP Thought Leadership Paper on Mobile Security)
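As an added illustration (not from the original article or the SAP paper), the Java class below combines items 1, 4 and 7 of the checklist: data is encrypted with AES-GCM under a key derived from a passphrase the user enters rather than read from a keychain or key store, and the key and passphrase buffers are cleared after use. The class name `SealedNote`, the blob layout, the iteration count and the sample strings are assumptions made for this example.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class SealedNote { // hypothetical class name
    static final int SALT = 16, IV = 12, ITERATIONS = 210_000; // assumed parameters
    // Blob layout (assumed): salt || iv || ciphertext+tag. The key is never stored.
    static byte[] seal(char[] pass, byte[] plain) throws Exception {
        byte[] blob = new byte[SALT + IV + plain.length + 16];
        byte[] head = new byte[SALT + IV];
        new SecureRandom().nextBytes(head); // fresh salt and IV for every blob
        System.arraycopy(head, 0, blob, 0, head.length);
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, pass, blob, plain, 0, plain.length);
        System.arraycopy(ct, 0, blob, head.length, ct.length);
        return blob;
    }

    // Throws AEADBadTagException on a wrong passphrase or a modified blob.
    static byte[] open(char[] pass, byte[] blob) throws Exception {
        if (blob.length < SALT + IV + 16) throw new IllegalArgumentException("blob too short");
        return crypt(Cipher.DECRYPT_MODE, pass, blob, blob, SALT + IV, blob.length - SALT - IV);
    }
    // head holds the salt at [0, SALT) and the IV at [SALT, SALT + IV).
    private static byte[] crypt(int mode, char[] pass, byte[] head,
                                byte[] in, int off, int len) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass, Arrays.copyOf(head, SALT), ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, head, SALT, IV));
            return c.doFinal(in, off, len);
        } finally {
            Arrays.fill(key, (byte) 0); // wipe our copy; the crypto provider may hold others
            spec.clearPassword();       // wipe the spec's internal passphrase copy
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "constructed sample passphrase".toCharArray(); // constructed input
        byte[] blob = seal(pass, "constructed sample note".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(pass, blob), StandardCharsets.UTF_8));
        Arrays.fill(pass, '\0'); // caller clears the passphrase after use
    }
}
```

The passphrase is handled as a `char[]` because a Java `String` is immutable and cannot be overwritten once created.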