Commentary: Mobile app security in the midst of a pandemic
Facing the COVID-19 pandemic and subsequent lockdown, major retailers have had to depend more heavily on mobile apps to stay connected to customers and keep business moving.
For example, many coffee shops, restaurants and grocery stores are asking customers to order for pickup through their own apps or through food-delivery apps, and stores whose physical locations are completely shuttered depend entirely on mobile apps to keep generating revenue.
In this rush to add new functionality and push updates, the security posture of an app can no longer be an afterthought. Cybercriminals are taking advantage of the pandemic and of people's increased reliance on mobile apps: a recent app that posed as a COVID-19 tracker, for example, turned out to be ransomware.
Where should organizations start to improve mobile app security? Here are the broad areas that require the most attention:
Secure data storage
In many apps, sensitive data and personally identifiable information (PII) such as credit card numbers, passwords, session tokens and other valuable information are stored in the clear. That data can end up in several places: files in the app's sandbox, in-app preferences (SharedPreferences on Android, UserDefaults on iOS), and strings and resources bundled with the app itself.
Anyone who gains access to the app's storage, whether through a rooted or jailbroken device, an unencrypted backup or malware running on the phone, can then read that data. Thieves are far more interested in the data a phone holds than in the phone itself, because the data is much more valuable for credential theft and fraud.
To protect data at rest it must be encrypted, so that even if a device is stolen or compromised the stored data is useless without the key needed to decrypt it. The cipher should be at least as strong as the Advanced Encryption Standard with 256-bit keys (AES-256), and it should be used in an authenticated mode such as GCM so that tampered ciphertext is rejected rather than decrypted to garbage. Encryption only moves the problem to the key, however: the key must itself be kept out of reach, in the platform's hardware-backed key store (Android Keystore or the iOS Keychain) rather than in the same preferences file as the data it protects.
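The following is an added example, not code from the article or from Appdome, showing what "encrypt stored data with AES-256" looks like when done properly: AES-256-GCM with a fresh random nonce per record and associated data that binds each ciphertext to the slot it is stored under, so that a blob copied from one preference key to another, or modified by one bit, fails to decrypt. The function names (`NewKey`, `SealRecord`, `OpenRecord`) and the sample card token are constructed for illustration. One assumption is deliberate and labelled in the code: the key is generated in memory only so the example runs stand-alone; on a device it would be generated inside, and never exported from, the platform key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes: AES-256, the strength the article calls for.
const KeySize = 32

// NewKey returns a fresh random AES-256 key.
// ASSUMPTION for this stand-alone example: the key lives in process memory.
// In a real app it would be generated inside the platform key store
// (Android Keystore / iOS Keychain backed by StrongBox or the Secure Enclave)
// and never be readable by app code at all.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one stored record with AES-256-GCM and returns
// nonce || ciphertext || tag. aad binds the record to a label (e.g. the
// preference key it is stored under), so a ciphertext moved into a different
// slot is rejected by OpenRecord.
func SealRecord(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record. Reusing a nonce under the same
	// key breaks GCM completely, so never derive it from a value that can repeat.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. Any change to the blob, or a mismatching aad,
// fails authentication and returns an error instead of corrupted plaintext.
func OpenRecord(key, aad, blob []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := NewKey()
	// Constructed sample: the kind of value an app might otherwise write to
	// shared preferences in the clear.
	aad := []byte("pref:card_token")
	blob, _ := SealRecord(key, aad, []byte("tok_4242424242424242"))
	fmt.Printf("stored blob: %x\n", blob)
	pt, err := OpenRecord(key, aad, blob)
	fmt.Println("decrypted:", string(pt), err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = OpenRecord(key, aad, blob)
	fmt.Println("tampered blob:", err)
}
```

The design point is the associated data: encrypting each field separately under one key is fine, but without binding the ciphertext to its slot an attacker who can write to the preferences file could swap two encrypted values and the app would happily decrypt the wrong one.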
Secure communications
For a retailer's mobile app to be useful, it has to talk to back-end services over the Internet, and that traffic must be protected. Otherwise the app can fall prey to man-in-the-middle (MitM) attacks, in which an attacker positioned between the user and the server (on an open Wi-Fi network, for example) intercepts the traffic. A successful attacker can read sensitive data and alter it in transit, tampering with the responses the app acts on or swapping a download for a malicious payload.
To defend against MitM attacks, apps must use transport layer security (TLS) for every connection and validate the server's certificate properly: check the chain to a trusted root, check that the certificate matches the hostname, and never disable that validation to make a test environment work. Pinning the server's public key or certificate goes a step further, so that even a certificate fraudulently obtained from a trusted certificate authority is rejected.
Protect against tampering and reverse engineering
App makers also have to protect the code and intellectual property of their apps. Most apps ship with no defence against being tampered with, run under a debugger or reverse engineered; the protections that counter these attacks are collectively referred to as app shielding.
Levels of protection vary widely, and an attacker who can strip these protections can repackage the app into a malicious clone that looks and feels like the real one. They can then distribute these clones to unsuspecting users and wreak havoc.
Another important layer is code obfuscation: transforming the compiled app (renaming classes and methods, encrypting strings, rewriting control flow) so that it is far harder for an attacker to understand while it still runs exactly as before. Obfuscation raises the cost of reverse engineering rather than making it impossible, which is why it works best in combination with app shielding; together the two provide strong protection for mobile apps.
These measures take a great deal of time, expense and specialized skill to implement, which poses a serious problem for development teams that need to release apps quickly, especially during a crisis like this one. As a result, many organizations choose to ship apps that are vulnerable.
Thankfully, businesses don't have to rely solely on manual implementation, as automated, AI-powered platforms now exist that can apply all of these security measures in minutes without any coding.
As businesses depend more and more on their mobile apps, it is critical to secure both the app and its users. By implementing secure data storage, secure communications and anti-tampering measures, businesses protect both their customers and themselves from malicious attacks.
Tom Tovar is the CEO and co-creator of Appdome.