Is Your Smartphone App at Risk of Infecting Users?

The time to bring in security during the application development process should not be right before launch

We live in a world of threats. They’re all around us in the real world, in the air and in cyberspace.

What can we do when measures we put in place to protect business and individual users fail?

That’s exactly what happened in April, when an Israeli cybersecurity company, Check Point Software Technologies Ltd., found a vulnerability in a mobile security app that left millions of customers exposed to hacks. The flaw was discovered in an anti-malware app called Guard Provider, which was pre-installed on phones sold by Chinese telecommunications company Xiaomi.

According to a spokesperson from Check Point, the vulnerability was reported to Xiaomi and has since been fixed. Fortunately, this was done before it directly affected customers, but think of the implications if it happens again and leads to another record-breaking data breach.

How Customers Were Endangered

The app was designed in such a way that network traffic traveling to and from the phone was unsecured, leaving it open to hacking. This could have been accomplished when someone using the same Wi-Fi network intercepted a transmission and hijacked it through a Man-in-the-Middle attack. This would disrupt communications between parties and alter or reroute them.

CheckPoint researcher Slava Makkaveev described other possible threats in the company blog:

The hacker could “… disable malware protections and inject any rogue code he chooses,” enabling the hacker to “… steal data, implant ransomware or tracking or install any other kind of malware,” he wrote.

Include Security Specialists From the Outset of Every Project

The time to bring in security isn’t after you launch and a problem comes to your attention. There should be at least one app security specialist brought into your team before you begin working on any project, for pen testing and other analysis after production begins and again when changes or revisions are needed.

Test and Test Again

One report found that 60% of developers have little to no confidence in the security of their apps. Yet, not many go out of their way to fix that problem.

The main reason? Few adequately test their apps before releasing them to the market.

Quality Assurance (QA) should be as much of a priority at the outset of software development as security. Create a solid set of QA guidelines, and make sure that they’re fully adhered to at every stage of development.

Don’t Make Assumptions About Third-Party Dependencies

The open source community has made app development faster and more efficient. However, putting all of your trust in third-party code, regardless of the source, could lead to security issues later. The recent case with Xiaomi’s Guard Provider app is a case in point. Open Source libraries are notorious sources of modules that carry malicious code.

Analyze source code from any developer, no matter where you obtained it. You should also research the code or look for reviews from other developers who’ve used it to determine its history.

Use Verified APIs

Outward-facing gateways are a major point of vulnerability. Install API gateways on all of your apps and make sure that you verify support and compatibility of your API with your target platforms.

Know Your Enemy as Yourself

To thwart attacks, you have to think like a hacker. If you were going to penetrate an app or platform, how would you do it and where would you start probing for flaws and weaknesses? You should also dig deeper into less obvious points of entry when coding your designs. The more you’re able to get into the mind of a cybercriminal, the more secure your apps will be when you go live.

Furthermore, note that many internet “good guys” are far from it. Tech giants such as Google, which once parroted the motto “Don’t be evil,” has recently been accused of violating GDPR regulations related to the handling of personal customer data by at least seven different countries, and France has fined the search giant $57 million. Major search engines know everything about you. If you want them to know less, switch to an alternative, privacy-focused search engine.

Eliminate as Many Attack Vectors as Possible

You’ve heard of zero tolerance in schools and organizations? The watchword in app development is “zero trust.” That means you assume everyone is a potential threat from the outset and design accordingly. Reduce the number of entry points and connections and grant permissions only to those functions that absolutely need access. Does your game or fitness app really need to get into a user’s phone, camera or contact list?

Be Mindful About Protecting Stored Databases

How much user data does your app need to perform and where will it be stored? Users want to know this information and you should be able to provide answers. Most apps use only in-app or server-side storage. Limit the amount of personal data required by the app and make sure that decisions are made for the safest storage options.

Manage Session Handling

Session tokens not only make logins safer and more convenient for users, they can also be revoked the moment unusual or malicious activity is suspected. Some of the most reliable tokens are JSON Web Tokens, OpenID Connect and OAuth2.

Implement Tamper-Proof Components

Tampering or creating look-alike apps is a common problem in Google Play Store. You can avoid issues by using security best practices to make your apps tamper-proof and more secure. Since it’s so easy to decompile Android-based apps, you should verify the installer and signing signature and create environment checks using a tool such as Android Debug Bridge.

Control Access to Your Devices

Protect your research by creating strong passwords using two-factor authentication to provide an extra layer of protection. Avoid unsecured connections and don’t leave your phone or laptop where someone else can access it.

Secure Your Connections

While not the security panacea some might claim, no one should go online without a virtual private network or VPN. In fact, more than 25% of global internet users now rely on this cybersecurity technology to improve their chances of staying safe and anonymous.

A VPN helps developers in two ways. First, it routes your data through a distant server, which makes it difficult to trace where you are geographically. Presto, instant anonymity. Second, your connection is encrypted so that any hacker who does manage to find your research will not be able to decipher the information. This will protect your research, prototypes and related files from spies and intellectual property theft.

Choosing a VPN that functions as advertised is not as easy as it should be. The problem is that some log your activity and have been known to share it with advertisers or the government—a practice that makes it sort of pointless to install the service in the first place.

Your best bet to research this type of service is to check out industry forums for complaints, study third-party VPN reviews and, finally, visit the actual company website. Performed in this order, you’ll have a pretty good shot at determining whether security protections in the form of firewalls and VPNs are truly secure.

Final Thoughts

Solid cybersecurity is about prevention more than anything. Threats can come from anywhere, and they’ll hit when you least expect it. Tech professionals should know that better than anyone. All it takes diligence on the part of individuals and the tech community to find solutions. Following the preceding best practices to protect your customers and data will help keep your development team or app from becoming embroiled in another scandalous security breach.

Featured eBook
The Next Generation of Application Security

The Next Generation of Application Security

Application security is usually done by finding, fixing and preventing vulnerabilities, with an emphasis on finding solutions to prevent cybersecurity events in the future. However, many of the breaches we’re seeing are caused by a vulnerability related to the application, often because developers move so quickly to push out new code. AppSec promises to become ... Read More
Security Boulevard