Mobile application protection: Understanding and mitigating threats

By Jonathan Hassell

As mobile app usage and development continue to rise, many enterprises feel pressure to bring their products to market as quickly as possible. Unfortunately, this quick turnaround time sometimes prevents brands from ensuring app security gets the attention it deserves. This can become a fatal flaw, especially since apps only become more and more of a target for cybercriminals as their popularity increases. As such, it’s vital for brands to have an understanding of common attack vectors so they can ensure mobile application protection.

The following are three common ways in which mobile apps can be vulnerable to attack:

1. Unencrypted data storage

It’s crucial for enterprises to protect app access information, including banking usernames and passwords, account numbers and confirmation codes of existing transactions, since these could all be used in nefarious ways. After all, attacks on sensitive areas of a mobile device have the power to break down any low-integrity defenses.

2. Parameter manipulation

This particular attack is actually pretty simple. Parameter manipulation just changes a parameter used in representational state transfer-based web services to access accounts or features that should ideally be inaccessible. For example, if your app uses a URL such as “…/accountnumber/23904,” an attack of this nature would attempt to simply change the numeric parameter, which would then provide access to another account.

3. Insecure data transmission

If your app does not communicate with your organization’s back-end systems in a secure, encrypted way, any sensitive data that lives on the app may be intercepted, read or even modified through a man-in-the-middle attack before it can make its way over to your back-end servers. This could also be the point at which another, more-sophisticated attack is launched by injecting malformed instructions or bad transactions into your back-end systems. Since these systems would generally trust information coming from a supposedly “known good” endpoint, such as your sanctioned mobile app, this type of attack can have severe consequences.

Mitigating these weaknesses and attacks on mobile apps

There are several flexible, agile ways in which enterprises can mitigate these types of threats as efficiently as possible. For instance, any decent app development platform should offer capacities to encrypt sensitive areas on your mobile app. After all, complete mobile application protection should involve encrypting sensitive property list, XML and SQL files. These type of files may have important information embedded in them, such as usernames, addresses, photos, videos and GPS coordinates. Encryption ensures data on a device remains safe, even if your app software has a vulnerability that can be exploited.

Another basic mobile application protection feature your development platform should take advantage of is input validation. This feature serves to prevent cross-site scripting attacks, XML bombs and other SQL and similar-style attacks that are designed to pit your app endpoint against your back-end systems. It’s crucial that you validate inputs, but you must also make sure your app invalidates sessions (both on the app end and on the server end) after a user logs out or is inactive for a certain period.

Additionally, you should ensure that your app does not give itself unnecessary privileges on the user’s device. For instance, you should not allow the program to have access to the device’s GPS, camera or microphone unless your app has valuable functionality tied to being able to use those features. Likewise, you should make sure your app can’t access areas of the operating system that store contacts, calendar appointments and other personal details — or, perhaps you can ensure it can only access this information in a read-only way. By doing so, you can protect against app attacks that modify contact details and trick users into believing nefarious actors are actually trusted parties.

Written By

Jonathan Hassell

President, 82 Ventures

Jonathan Hassell runs 82 Ventures, a technical writing and consulting firm based in Charlotte, NC. He centers his focus around network administrator, security, the cloud, and mobile technologies.

Other Articles by Jonathan Hassell
See All Posts