Best practices for developing a secure mobile app

Use strong encryption, establish robust authentication mechanisms, and verify incoming data… We review the best practices for developing a secure mobile app.

Infecting millions of mobile phones is “easy” thanks to apps

Infecting 11 million mobile devices. That’s what the criminals behind the Necro malware achieved a few months ago. How did they do it? By attacking the supply chain of software development kits (SDKs) used by two legitimate mobile apps used by millions of users around the world.

This case is not anecdotal. Malicious actors have mobile apps in their sights. And we’re not just talking about particularly sensitive applications such as those of a financial nature or those linked to personal and professional communications (instant messaging, emails, etc.). Why? Mobile applications play an increasingly important role in our daily lives.

In addition, our mobile phones are accumulating apps that, in many cases, we do not use regularly and to which we grant disproportionate permissions such as access to our contacts, photo library, or geolocation.

What can we do to reduce risks in app development?

Given the exponential growth of mobile apps and the poor practices of many users, what can developers do?

The OWASP Foundation, a leader in the development of cybersecurity methodologies, has compiled a list of best practices for developing secure mobile apps and preventing cyberattacks.

Based on the provisions of MASVS, the OWASP mobile application security verification standard, we will list the best practices for developing a secure mobile app that should be taken into account to protect these critical assets for companies and the users who use them.

Store sensitive data securely and prevent information leaks

The way a mobile application stores information is a matter of vital importance. Why? Apps handle particularly sensitive data such as personal information or API keys.

Among the best practices for developing a secure mobile app is the need for stored data to be properly protected, regardless of whether it is stored internally or in a public location and can be accessed by other apps installed on the mobile device.

It is also essential that developers implement mechanisms to prevent information leaks as a result of the confidential data handled by the app being exposed.

Use cryptography to encrypt sensitive data and manage cryptographic keys throughout their lifecycle

Another best practice for developing a secure mobile app is to use robust cryptographic mechanisms to protect the sensitive information used by the app.

The use of cryptography is critical when developing apps because the likelihood of a hostile actor gaining physical access to a mobile device is greater than that of accessing other types of devices.

Developers should also be aware that even the most powerful cryptography can be compromised if cryptographic keys are not managed comprehensively and effectively. Therefore, one of the best practices for developing a secure mobile app is comprehensive key management that covers everything from key generation to secure storage and protection.

Implement secure authentication and authorization protocols to prevent unauthorized access to the app

As noted above, mobile devices have a security feature that developers must always take into account: they can be lost or stolen relatively easily.

Therefore, the implementation of authentication and authorization protocols in mobile apps in general, and in those that connect to a remote service in particular, is essential to prevent unauthorized access to application features or sensitive user data.

What best practices in authentication and authorization should developers follow?

• Applications that connect to a remote endpoint must ensure the proper use of protocols.
• Apps that perform local user authentication must have well-implemented authentication mechanisms such as biometrics or PINs.
• It is recommended that an additional authentication mechanism be established for sensitive actions within the application. For example, develop multi-factor authentication.

Ensure that the application establishes secure connections using protocols such as TLS

The catalog of best practices for developing a secure mobile app should include the use of protocols and mechanisms that ensure the security of data in transit between the app and the remote endpoint.

Thus, it is recommended that developers implement the necessary protocols to encrypt data and authenticate the remote endpoint, such as the TLS protocol.

In addition, they should ensure that they do not use third-party libraries that could cause the application to establish insecure connections.

Check that all interactions between the application and the mobile platform are secure

To strengthen the security of mobile apps, it is essential to consider how they interact with the mobile platform. Why? These interactions expose sensitive data and functionality, which malicious actors can exploit to compromise the security of an application.

In addition, applications often handle particularly sensitive data such as passwords or financial information.

Therefore, it is the developers’ mission to ensure that the application securely uses:

• IPC mechanisms.
• WebViews.
• The user interface.

This prevents critical data leaks, the exposure of confidential app functions, and the exfiltration of information through mobile platform mechanisms such as screenshots.

Verify incoming data, use only software components without known vulnerabilities, and implement forced update mechanisms

When addressing best practices for developing a secure mobile app, we must bear in mind that developers need to follow secure code development practices to avoid vulnerabilities caused by the entry of data altered by malicious actors or the use of software components with known vulnerabilities, which may have a publicly exploited CVE.

What best practices does OWASP recommend to ensure application code quality, prevent injection attacks, and exploit known vulnerabilities?

1. Ensure that the application cannot support outdated versions of the mobile operating system. Why? Each new version of the operating system incorporates security protections.
2. Implement a mechanism to prevent users from using a mobile application until they update it to the latest version. This ensures that security patches released to fix known vulnerabilities are installed.
3. Use only software components that do not have known vulnerabilities.
4. Validate and clean all data arriving from various entry points before using it, thus preventing SQL injection or XSS attacks.

Add layers of security controls to make reverse engineering and theft of intellectual property and sensitive data more difficult

OWASP recommends that developers implement security measures such as code obfuscation or the use of anti-tampering mechanisms. To what end?

1. Increase the resistance of mobile apps to reverse engineering attacks.
2. Avoid the serious economic, legal, and reputational consequences of malicious actors gaining access to intellectual property and sensitive data.
3. Make it difficult for hostile actors to understand how the application works by performing static and dynamic analysis.
4. Prevent manipulation of the application while it is running and safeguard the integrity of its functionalities.

Minimize the application’s access to sensitive data, prevent user identification, and allow users to control their data

Data protection is one of the major issues of the digital age. For this reason, the General Data Protection Regulation (GDPR) is extremely protective of the private information of citizens and companies. This obviously affects the development of mobile applications that use critical data: personal information, credit card or bank account details, passwords, contact details, etc.

Therefore, best practices for developing a secure mobile app must include practices focused on preventing the exfiltration of user information:

• Minimize the app’s access to sensitive information so that it only requests access to the data and resources it needs to function optimally.
• Use techniques such as anonymizing data to prevent users from being identified.
• Provide users with all the information about how the app uses their data.
• Implement mechanisms so that users can manage, delete, and modify their data, as well as change their privacy settings.

How can you verify that best practices for developing a secure mobile app have been followed and that the app is not vulnerable?

While following best practices for developing a secure mobile app is critical to building secure applications from the ground up, companies must conduct regular mobile application audits.

What does this type of analysis involve? Cybersecurity experts perform a wide range of tests to verify the security and privacy of applications and detect any vulnerabilities that could affect them.

Thus, through a mobile application audit, it is possible to detect:

• Weaknesses in the storage of sensitive data.
• Vulnerabilities in authentication mechanisms.
• Deficiencies related to the use of WebViews and IPC mechanisms in Android systems.
• Bad practices in the application’s network connections.
• Evasion of application restrictions.
• Poor use of encryption algorithms.

In addition, the professionals in charge of a mobile application audit also prepare a report with recommendations to mitigate the vulnerabilities found during testing.

Conclusions: Following best practices is essential

In short, given the importance of mobile apps in our daily lives and the sensitivity of the data they handle, companies that already have apps or want to launch apps on the market must follow best practices to develop a secure mobile app. At stake is the security of users, but also the finances and reputation of the companies themselves.