Creating mobile apps that (you think) are secure
Yakup Kalin
Mobile apps are without a doubt the dominant form of delivering value to users. Through mobile enterprise apps, companies improve productivity and align with the agile, mobile lifestyle of their employees. It’s not a myth that those apps can improve business processes and make companies more efficient; paperless working is a well-known example. The impact on the business is direct and measurable, sometimes within a very short time. Companies embracing mobile apps in this era of Digital Transformation simply manage to increase customer and business value.
Mobile enterprise apps sound like music to the ears, but there is a catch. Just as with the traditional way of working (e.g. with paper), there are some very important side notes to keep in mind. One of the most obvious, yet most overlooked, is the fact that you’re dealing with mobile devices. These devices can easily be lost, stolen or hacked.
Nowadays, you can manage company devices with an EMM (enterprise mobility management) solution that gives insight into and control over those managed devices. However, that’s only possible for devices your company owns. The company has no insight into devices it doesn’t own and manage, e.g. in some BYOD (bring your own device) scenarios. Is that old Android device of your employee Suzan, still running Android 4.4, secure enough? How about the iPhone of your other employee Jacob, which appears to be jailbroken? And if you create apps for the public (App Stores), you definitely won’t have any control over, or insight into, the devices at all. This so-called mobile “Wild West” makes securing enterprise mobile apps a complex task.
Another level of security
Luckily, when talking about security within mobile, there is another level of security besides device security. With application security you secure the mobile app itself, which you do have control over. This way you can block unauthorized access to sensitive user or company data within your app, even on a device you don’t trust. This type of security becomes even more crucial now that the GDPR is in force: it requires companies and developers to think harder about the (user) data they process.
Of course, you’ll need skilled developers who keep the security aspect in mind, e.g. by integrating root/jailbreak detection, logging prudently and encrypting local storage. Sometimes, though, those things alone just aren’t enough.
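As an added illustration of the root/jailbreak detection and encrypted-storage points above (example code written for this article, not ACA Mobile’s or VASCO’s own implementation), here is a set of root-detection heuristics for Android. The su paths and root-manager package names are a constructed, non-exhaustive list, and the encrypted-preferences part assumes the androidx.security:security-crypto library (1.1.0 or later API). Every check here runs inside the app and can be bypassed by a determined attacker (e.g. a root hider or a hooking framework), so the result should feed a risk decision, not serve as the only security boundary:

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageManager;
import android.os.Build;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.GeneralSecurityException;

/** Root-detection heuristics: each one is a weak signal on its own; combine them. */
public final class RootDetector {

    // Constructed list of common su binary locations; not exhaustive.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    // Constructed list of well-known root-manager package names (assumption for illustration).
    private static final String[] ROOT_PACKAGES = {
        "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.koushikdutta.superuser"
    };

    /** Builds signed with the AOSP test keys are custom ROMs or engineering builds. */
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** Look for an su binary at the usual locations. */
    static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** Check whether a root-manager app is installed.
     *  On Android 11+ these packages must be declared in a <queries> element
     *  of the manifest, otherwise package visibility filtering hides them. */
    static boolean hasRootManager(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : ROOT_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true;
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, keep looking
            }
        }
        return false;
    }

    /** Ask the shell whether "su" resolves on PATH; rooted devices usually answer with a path. */
    static boolean suOnPath() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[]{"/system/bin/sh", "-c", "command -v su"});
            try (BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                return in.readLine() != null;
            }
        } catch (IOException e) {
            return false;
        } finally {
            if (p != null) p.destroy();
        }
    }

    /** Combined verdict: any positive heuristic marks the device as likely rooted. */
    public static boolean isLikelyRooted(Context ctx) {
        return hasTestKeys() || hasSuBinary() || hasRootManager(ctx) || suOnPath();
    }

    /** Sensitive values go into preferences encrypted with a key held in the Android Keystore,
     *  so a file pulled from a rooted device is ciphertext rather than plaintext. */
    public static SharedPreferences openEncryptedPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx, "secret_prefs", masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

A typical policy is to call `RootDetector.isLikelyRooted(ctx)` at start-up and, on a positive result, degrade functionality (e.g. hide the payment flow or force re-authentication) and report the signal to the backend, rather than hard-exiting the app, which only tells the attacker which check to patch out.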
A majority of apps gets hacked
An analysis by Arxan of the top 100 paid and the top 20 most popular free apps revealed that a majority of those apps have been hacked:
- 97% of the top paid Android apps have been hacked
- 87% of the top paid iOS apps have been hacked
- 80% of the most popular free Android apps have been hacked
- 75% of the most popular free iOS apps have been hacked
These numbers are not getting better, especially knowing that we’re living in a world where flashlight apps are still trying to retrieve sensitive banking account data. The stories are well known within the mobile industry: some mobile apps look simple at first sight, but carry out malicious actions in the background without you noticing it. And they’re getting more sophisticated as we speak.
The most malicious actions by mobile apps
Let me briefly list my personal top 5 of scary, malicious actions by mobile apps to give some context:
- Third-party custom keyboard: a cool custom keyboard you installed that records your keystrokes (PIN, password, bank card details, …) and sends them to a server without you knowing it.
- Screen recording: an invisible overlay on top of your other apps that records every action you take.
- Too many permissions: an app that accesses device-administration and restricted security APIs without your knowledge.
- Repackaging: attackers who inject extra code into your app, then repackage and distribute it under your company’s name.
- Spying: apps that read and share text messages, (company) emails and GPS location.
Getting more advanced
As stated earlier, malicious hackers keep finding more sophisticated ways to carry out malicious actions. It’s not a matter of if, but of when. So if you’re dealing with sensitive user or company data, security has to become a core element of your mobile application development cycle. Just as the attackers get more advanced, your developers need to get more advanced. It all starts with education: developers need to be aware of the potential risks and of the complex malicious actions described above. Next comes a proper integration of those security aspects into the app. You can do this on your own, or work with an integrator that provides you with qualified security SDKs to help you secure your apps.
At ACA Mobile, we integrate the VASCO Security SDKs along with VASCO’s Runtime Application Self-Protection (RASP) within our (sensitive) apps to ensure application-level security. This RASP helps us:
- Mask/blur our screens when a screenshot is taken of our app.
- Provide insights about the device (e.g. jailbroken or not, custom keyboard usage, …) within our app.
- Eliminate the possibility of repackaging.
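The three RASP capabilities listed above, and the repackaging threat from the top-5 list, map onto concrete platform mechanisms on Android. The following is an added example written for this article (not VASCO’s RASP nor ACA Mobile’s code) that shows the plain-SDK versions: refusing to run when the APK’s signing certificate is not the expected one, detecting an active keyboard that is not part of the system image, and blocking screenshots and screen recording with `FLAG_SECURE`. The certificate hash constant is a placeholder to replace with the SHA-256 fingerprint printed by `apksigner verify --print-certs` for your release key:

```java
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;
import android.provider.Settings;
import android.view.WindowManager;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Application-level self-checks: signer verification, keyboard origin, screen capture. */
public final class AppIntegrity {

    // Placeholder: SHA-256 of your release signing certificate (lowercase hex, no colons).
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** Repackaging check: an attacker cannot re-sign a modified APK with your key,
     *  so a tampered build shows up with a different certificate. */
    public static boolean isRepackaged(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                SigningInfo si = pi.signingInfo;
                signers = si.hasMultipleSigners()
                        ? si.getApkContentsSigners()
                        : si.getSigningCertificateHistory();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                signers = pi.signatures;
            }
            for (Signature s : signers) {
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(s.toByteArray()))) {
                    return false; // signed with the expected release certificate
                }
            }
            return true; // no signer matches: treat as repackaged
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return true; // fail closed
        }
    }

    /** Hex-encoded SHA-256 of the DER-encoded certificate, matching apksigner's output. */
    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** True when the active input method belongs to an app outside the system image.
     *  DEFAULT_INPUT_METHOD has the form "com.example.kbd/.LatinIME". On Android 11+
     *  the keyboard package may be hidden by package visibility; if so, add a <queries>
     *  intent entry for android.view.InputMethod (assumption for this example). */
    public static boolean isThirdPartyKeyboardActive(Context ctx) {
        String ime = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.DEFAULT_INPUT_METHOD);
        if (ime == null) return false;
        String pkg = ime.split("/")[0];
        try {
            ApplicationInfo ai = ctx.getPackageManager().getApplicationInfo(pkg, 0);
            return (ai.flags & ApplicationInfo.FLAG_SYSTEM) == 0;
        } catch (PackageManager.NameNotFoundException e) {
            return true; // unknown keyboard package: treat as untrusted
        }
    }

    /** Call from Activity.onCreate() before setContentView(): the window content is
     *  excluded from screenshots, screen recording and the recent-apps thumbnail. */
    public static void blockScreenCapture(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Two caveats a practitioner should keep in mind. First, `isRepackaged` runs inside the very APK an attacker controls, so whoever repackages the app can also patch the check out; a commercial RASP hardens this with obfuscation and anti-tampering, and a server-side attestation (e.g. the Play Integrity API) gives a verdict the client cannot forge. Second, `isThirdPartyKeyboardActive` only tells you the keyboard is not a system app, not that it is malicious; for PIN entry the safer pattern is an in-app keypad that never involves the IME at all.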
Developing (simple) mobile apps can sometimes be easy, given the many drag-and-drop platforms available to create them. It’s very important to realise, however, that you also have to take the security aspect of mobile apps into account. Some people think that creating (simple) mobile apps is like a walk in the park, but you shouldn’t forget about the lurking wolves when it becomes dark in that park.
If you have a story or questions regarding this article, don’t hesitate to share it via firstname.lastname@example.org.