Ways to protect your mobile applications against hacking

Introduction

The increase in the use of mobile applications comes with an increase in hackers targeting them. A Symantec survey found that 1 in 36 devices had high-risk apps installed. Mobile applications are seen by hackers as a rich source of consumer data. In addition, valuable IP may be vulnerable through apps, either within the app itself, or via connected databases.

Although there are services or toolkits that purport to make app development cheap and/or simple, if you value your reputation or customer data, it is best to proceed with caution and prioritize app security.

Securing mobile apps is similar to securing desktop applications; it is, however, often more complex, as mobile apps frequently rely on external connectivity to back-end server systems, increasing the potential attack surface.

Here, we’ll look at some of the key areas to consider to protect your mobile apps against cyberattacks.

Securing the connection to your backend server

For apps that rely on data from back-end systems via API calls, it is critical that HTTPS is used for all connections. It is equally important that the SSL/TLS configuration itself is secure: in particular, the app must validate the server's certificate rather than accept whatever certificate it is presented with. (For example, do not use an insecure SSLSocketFactory implementation that trusts any certificate.)
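The following is an added example, not code from the original post, showing the difference between a client TLS configuration that validates the server and the "trust anything" anti-pattern described above, plus an optional certificate pin check applied after the handshake. It uses Python's standard `ssl` module purely to illustrate the settings; the host, port and pin values are placeholders, and the pin here is computed over the whole DER certificate rather than the public key, which is a simplification.

```python
import base64
import hashlib
import socket
import ssl

# Placeholder pin set: base64(SHA-256) of the back-end's DER certificate.
# Real values come from your own server certificate; this entry is not one.
EXPECTED_PINS = {"<base64-sha256-of-api-server-cert-DER>"}


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: TLS 1.2 or newer, certificate chain
    validated against the platform trust store, hostname checked."""
    ctx = ssl.create_default_context()  # already CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def trust_everything_context() -> ssl.SSLContext:
    """The anti-pattern the text warns about: every certificate is accepted,
    so anyone on the network path can present their own. For comparison only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context validates the chain, checks the hostname and
    refuses protocol versions below TLS 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_pin(der_cert: bytes) -> str:
    """Pin value for a DER-encoded certificate: base64(SHA-256(DER))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """Compare the presented certificate against the pins shipped in the app."""
    return cert_pin(der_cert) in pins


def open_pinned_connection(host: str, port: int = 443, pins: set = EXPECTED_PINS) -> ssl.SSLSocket:
    """Connect with full validation, then additionally require the leaf
    certificate to match one of the pinned values."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls
```

Pinning the whole certificate means the pin set must be updated whenever the server certificate is renewed; pinning the public key (SPKI) survives renewals that reuse the key pair and is the usual choice in production mobile apps.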

Also, because HTTP basic authentication is now considered insecure, REST APIs must be secured with tokens such as JWTs (e.g., OAuth2 access tokens). When user account data is accessed, these tokens must be created as part of a secure interactive login with the user. For mobile apps, the most appropriate OAuth2 grant is the Authorization Code grant with PKCE. Don't store client secrets in your app code; they are easily discovered.
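As an added example (not part of the original post), here is the PKCE part of the Authorization Code flow in Python: the client-side generation of the code verifier and S256 challenge, the authorization request that carries the challenge, and the check an authorization server performs at the token endpoint. The authorization endpoint, client id and redirect URI are placeholders. Note that no client secret appears anywhere; PKCE is what binds the authorization code to the app instance that requested it.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder provider values; substitute your own.
AUTHORIZE_URL = "https://auth.example.com/authorize"
CLIENT_ID = "mobile-app-client-id"
REDIRECT_URI = "com.example.app:/oauth2redirect"


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """RFC 7636 verifier: 43-128 characters from [A-Za-z0-9-._~].
    64 random bytes encode to 86 characters, well inside that range."""
    return b64url_nopad(secrets.token_bytes(64))


def code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(ASCII(verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(verifier: str, state: str, scope: str = "openid profile") -> str:
    """URL the app opens in the system browser; only the challenge is sent,
    the verifier stays on the device until the token exchange."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server-side check at the token endpoint: the verifier presented with the
    authorization code must hash to the challenge stored with that code."""
    if stored_method != "S256":
        return False  # 'plain' gives no protection if the code is intercepted
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorization_request(verifier, state))
    # Later, after the redirect returns the code, the app sends the code
    # and the verifier to the token endpoint, where verify_pkce() runs.
    print(verify_pkce(code_challenge(verifier), "S256", verifier))
```

The `state` value should be stored alongside the verifier and compared when the redirect comes back, so that a response for a different login attempt cannot be accepted.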

Code review

For any professional application (mobile, desktop or web) it should be considered essential to perform a (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/blo-yxL_Gj4/