Best Practices to Develop a Self Defending App – Quokka Labs

Mobile App Security Blog
Mobile App Security

Best Practices to Develop a Self Defending App – Quokka Labs

With multi-frontal technology advancements happening in industries, dealing with mobility solutions, security threats related to user data & application networks are becoming increasingly frequent. Such deceptive attacks are always a pain for a growing enterprise, as a security issue can always tarnish the brand’s image.

Mobile app security thus becomes quintessential; it is a process of testing and examining an application to ensure that mobile apps and APIs are secure from potential attacks. More often than not, organizers aren’t actually capable of adapting their security protocol to mitigate emerging threats.

Unfortunately, the tools used to develop the top tier mobile apps, by their very nature, are the same tools used to exploit their vulnerabilities!

By default, your app has access to the files which are present in the app’s own sandbox directories, along with that, the user rights never allow external editing of in-system files(stored on the user’s device).

Nevertheless, one or more errors (called bugs in DevOps’ world) can always penetrate while designing complex mobile applications, causing gaps in protection mechanisms.

So we have put here some of the best practices undertaken by leading mobility deploying companies around the world:

Multi-Factor Authentication (MFA)

Usually, user-chosen usernames and passwords are more prone to get hacked and hence: stolen passwords and accounts.

MFA implementation actually seeks different secure ways of signing in so as to deflect any uncommon sign-in attempts.

Here we enlist some popular processes:

  • Time-based One-Time Password (TOTP)
  • Short Message Service (SMS)
  • Electronic Mail (Email)
  • Push Notifications

Most of them work in 2 stages: Enrollment & Login; Let’s delve deeper –

Enrollment

Enrollment process enables the user to set up the multifactor authentication:

  • User logs into a website/application with a username and password.
  • In TOTP, after checking the credentials, a 2-factor authentication is enabled for him/her. For apps using SMS services, the user is asked for the mobile number where the code is to be sent.
  • Then the server generates a code (mostly a combination of characters, numbers, etc.) and which can be stored by the app that implements Google Authenticator or Auth0 Guardian.
  • The 2-factor authentication is hence completed. Mobile apps using SMS/email channels for enrolling requires users to manually enter the code or simply click on the authentication link.

Login

After enrollment, the user is logged in as follows:

  • The user again logs into a website or mobile app with a registered username and password.
  • A one-time password gets generated on the server which is sent to the user’s mobile and is entered again.
  • After verifying the code, the user gets authenticated finally.

By giving the user multiple methods for authentications (TOTP, Email, Push Notification, SMS Text) can induce better customer experience in your mobile app – resulting in better User Retention.

Optimizing Data Caching

Caching data locally is one of the most popular ways that mobile apps use to improve it’s customer experience and efficiency.

But it also comes with a significant drawback: locally caching data makes it much more prone to hackers to breach and decrypt the cache data to steal user’s account information.

App data can include not only cached data as well as other chunks of information saved earlier. These can consist of a user’s login information, preference settings within the app, etc.

The data being extremely sensitive, it’s a far more wise option to have a password to access the application which reduces the security vulnerabilities associated with cached data. Caching HTTP data is a foolish exercise.

Developers should also refrain from caching web-data, especially HTTPS traffic. The body or chiefly the header of the page may store user login credentials, hence crucial to attack.

Also, many android and IOS systems are now capable of remote data wiping techniques: the user doesn’t have to manually delete the cache every time they log into your app.

The best way is to implement Enterprise Device Swipe.

Setting a device swipe as your enterprise security solution, you can selectively delete your business-related content without touching the user’s personal information.

Restricting Client Side Injection

Client-side injection results in the execution of malicious code on the client-side which is via the mobile app.

Generally, this malicious code is provided in the form of data that the user unintentionally inputs to your mobile app.

During processing, this special data forces a context switch and the framework reinterprets the data as executable code.

While the “best-case” scenario will have the malicious code with the same scope and access permission, in the “worst-case” scenario, the code executes with privileged permissions and much greater scope leading to much greater damage potential including data theft, access to data storages (most mobile applications use SQLite engine for storing app data), account hacking and more.

Client Side Vulnerabilities in Mobile Apps

To reduce the chances of a client-side injection, as a basic guideline one should look into:

  • Data stored on the device
  • User sessions
  • Mobile application interfaces

 

Now let’s learn about the Android and ioS specific practices for preventing client-side injections.

Android:

  • SQL Injection: monitor the dynamic queries: harmful data may be supplied using “%@” instead of a proper parameterized query “?”.
  • Local File Inclusion: File System Access shouldn’t be enabled for any WebViews.
  • Validate Intent: Implement the Intent Filter for all activities to validate data and actions.
  • JavaScript Injection: Verify that JavaScript and Plugin support is disabled for any WebViews.

iOS:

  • XML Injection: Always consider libXML2 over NSXMLParser is a right-hand rule.
  • Refrain from Old Objective-C: Objective C is a superset of C hence avoid old vulnerable Objective C functions as they are easily prone to classic C attacks.
  • UIWebViews: Ensure that UIWebViews (Javascript injection) do not execute without proper input validation
  • Local File Inclusion: Enable strict input validation for all NSFileManager calls.

Finally, Test, Test, and Test!

Having embraced the 3 most important mobile app security practices, we shouldn’t forget that however strong your application code and structure is, attackers are always engaged in finding one way or the other to breach.

Mobile app testing reduces risks, tests potential vulnerabilities, and examines software to ensure that an application or a feature is safe and meets adequate security compliance.

Most often, cybersecurity experts use a variety of tests and strategies to monitor vulnerabilities to assess the security of a mobile app.

The experts often simulate repeated near-realistic cyberattacks to understand and identify the standing potential risks.

Not only is the mobile app examined but also the entire back-end system, supporting framework, and the APIs get engineered and modified from time to time.

With the growth of the digital ecosystem, Mobile App Security has become a bare necessity.

If you are concerned about your mobile app security & want even a security audit of your application, you can consult our top developers at Quokka Labs who are committed to developing Hack Free Mobile Apps by following the best security measures.

No application is safe enough to combat Malwares & Security Breaches – a simple mistake could cost your company a huge amount of money, & on top of that – you will lose a lifetime of trust.