By Nish Bhalla, [email protected]
It’s hard to think of a company, retail or otherwise, that isn’t developing a mobile app these days — but the vast majority of apps are riddled with security flaws that could jeopardize the end-user and expose the company to high costs and embarrassment.
In a recent study with HP, we found that 77% of mobile apps are guilty of information leakage, 26% fail to encrypt properly and 33% are vulnerable to a common hack attack.
The problem generally stems from the fact that many developers aren’t properly trained in security — and even those that are often put design issues ahead of security considerations. It’s common for developers to build a mobile app first, then try to “sprinkle” in security at the end. This leaves the app severely vulnerable to information leakage, unauthorized users and hack attacks. It’s more difficult — and a lot more expensive — to fix a security problem after the fact. Once an app is live, the typical remediation cost ranges from thousands to tens of thousands of dollars per flaw.
It’s important for retail executives to have a solid understanding of common mobile app security flaws and be able to ask the right questions from their developers. Security decisions can’t be left to the developers alone; they have to come from the top.
With that in mind, here are the six most common mobile app security mistakes that retail executives need to watch out for:
1. Storing Critical Information on the Phone: This is probably the most common flaw we see in mobile apps. Developers often let the app store sensitive information on the actual phone — like passwords, customer information, even encryption keys! If the phone is ever stolen or compromised, all of this information can fall into the wrong hands. TIP: The best policy is to avoid storing any information on the phone — instead, everything should be retrieved from the server the moment that the user actually logs into the app. Once they log out, all of the information should be erased.
2. Unauthorized Access: An app is supposed to have boundaries, but many don’t. When an app has a problem with “unauthorized access,” it means that a user is able to see other users’ accounts, or that a user is able to get further into the corporate system than they should be — like accessing administrative controls. Developers often make the mistake of not fully understanding what kind of information the app is sending out and how easy it is for others to use this data to compromise the app. TIP: Every time a person makes a page request in your app, the server should verify that it’s a correct request and stop them from making unauthorized requests. It should also trigger an internal alert if there are a lot of unauthorized requests.
3. Weak Encryption: Developers often fail to use proper encryption controls that will protect information as it travels from the app to the corporate server, and vice versa. This failure puts the user’s information at risk of eavesdropping - a type of hack called “man-in-the-middle.” Even worse, many app developers also forget to turn on a pop-up alert that will warn an app user if they’re at risk of eavesdropping. TIP: Make sure your app uses Secure Sockets Layer (SSL) encryption between the phone and the server. Then make sure your developer tests the app to see if it will stop working if an unauthorized third-party (known as a “proxy”) is intercepting the information.
4. Vulnerable to Hack Attacks: Without the proper security, apps can be highly susceptible to hacking. Two of the most popular types of hacks are called cross-site scripting (or XSS) and SQL injection (or SQLi). While these attacks are highly technical, the one thing you need to know is that both will essentially steal information — XSS steals it from the user (passwords, logins, cookies, etc.) and SQLi steals information from the corporate databases (it can also delete that information). TIP: At a bare minimum, you need to make sure the developer team is having the app tested against both types of hacks. There are a number of automated services out there that will do this for you. Also ask your developer if she’s testing the app for all of the vulnerabilities in the OWASP Top 10.
5. Not Protecting the Server: Mobile apps have to communicate with a server in order to work properly — but the problem is this can expose the server to data breaches. Although the typical mobile app only needs the server for a few functions, developers often mistakenly allow the server to share a lot of unnecessary data and processes with the world. This puts the server at risk. TIP: Your developer should be able to tell you exactly what is exposed by the server. All of these items need to be properly secured to prevent data breaches - not just those that are used by the mobile app.
6. Adding Advanced Features: Developers are adding a lot of advanced functionalities into today’s mobile apps — like near field communication (NFC) and QR code readers. However, in many cases developers fail to realize that these special features require a higher level of security. Without the proper security precautions, they can expose the app to a whole new set of potential attacks. TIP: You need to have a qualified security firm (called a penetration-testing firm) test the app’s advanced features against different types of hack attacks. This is the only way to ensure these features won’t undermine your security.
Nish Bhalla is the founder/CEO of Security Compass, an information security company that specializes in app security and recently developed SD Elements, a platform for secure app development. His company consults for Fortune 500s, retailers and banks, and contributed to HP’s 2012 Cyber Risk Report on mobile app threats. He can be reached at [email protected].
By Nish Bhalla, [email protected]