Despite the security issues blamed on wireless connections and hardware, mobile apps themselves have vulnerabilities that put users’ data and devices at risk. With smart hosting, you can minimize a website’s vulnerabilities, but apps are more complex. Let’s look at the common security concerns with mobile apps. We’ll also address ways to minimize these security concerns.
Bad Data Storage Practices
One bad data storage practice is storing data in clear text or XML files, especially when these file formats hold data like passwords and personally identifiable information. When these files are used, all malware needs to do to steal the data is read the files on an unlocked phone running the app. Several million Starbucks app users learned the danger of this after the app was found to be storing user credentials and payment information in plain text format in 2014.
A better choice is using databases like SQLite to store data locally on a device. Developers should encrypt this type of data at the device level, as well. Your app should not allow backup of files with financial and password data so that the information isn’t stored in another location that could be hacked.
Lack of Encryption
Applications that don’t encrypt data while sending it to the server create problems for the user. When data such as someone’s calendar or contacts list is transferred as clear text over a network, as LinkedIn’s mobile application did, the data is open to anyone looking for it. Use common encryption frameworks to protect users’ data. Yet many app developers don’t verify that their SSL implementation is working correctly. Sometimes the SSL certificates aren’t verified or the Java Trust Manager is broken. Failing to have proper transport layer protection is an invitation to having your app exploited.
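A trust manager stubbed out to accept every certificate is the usual form of the broken Java Trust Manager mentioned above. The following Java code is an added example, not taken from any app named in this article; the class and method names are hypothetical. It places the broken pattern beside the platform default and includes a check, suitable for a unit test, that flags a trust manager which accepts an empty certificate chain.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerCheck {
    // BROKEN pattern: every method is a no-op, so any server certificate is accepted.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Correct baseline: the platform's own trust manager, backed by the system CA store.
    static X509TrustManager platformDefault() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default system trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // TLS context that validates server certificates with the platform trust manager.
    static SSLContext strictContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformDefault() }, null);
        return ctx;
    }

    // Returns true if the trust manager accepts the chain without raising an error.
    static boolean accepts(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException | RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // An empty chain proves nothing about the server; a working trust manager rejects it.
        X509Certificate[] emptyChain = new X509Certificate[0];
        System.out.println("trust-all accepts empty chain: " + accepts(TRUST_ALL, emptyChain));
        System.out.println("platform default accepts empty chain: " + accepts(platformDefault(), emptyChain));
        strictContext(); // building the strict context confirms the default manager is usable
    }
}
```

Running the `accepts` check against whichever trust manager the app actually installs catches a stubbed-out implementation before release.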
One of the best ways users can protect their devices is to never install apps that request access to data they don’t need, or anything beyond minimal access levels. There should be concern about letting apps access information that you copy and paste, read or organize bookmarks, read your browsing history, or use your current location. A moderate risk is an app that requests permission to see all data on sites you visit, since this could allow it to save your Facebook or bank website password. A red flag is an app that asks to access all data that you enter or to alter the operating system files. Developers should design their apps to never request information they don’t really need.
Sometimes the security flaw is due to poorly designed app permissions. Pokémon Go for iOS was found to be using the full access token from Google’s authentication system, but the token didn’t give it full account access. However, it was possible to exploit it via an uberauth token, which would have allowed attackers to take over the user’s Google account.
Designing your app with security in mind is essential. Don’t require the app to access data it doesn’t need, and encrypt and protect data whether it is stored on the device or sent to a cloud server. Use proper data security protocols for the transport layer and ensure the security of the servers where the user data is stored.