Best Practices for Mobile App Security

In today’s app economy, mobile apps contribute heavily to economic activity. In 2020 alone, Android’s Play Store and Apple’s App Store generated a combined $50.1 billion of revenue—and that was just in the United States. Developers get tasked with coding these apps and providing the features demanded by consumers. 

In a competitive landscape, development teams focus their priorities on user experience, solving problems that improve the daily lives of users, and innovating apps with new features. Often, security plays the role of an afterthought to these primary concerns. 

Recognizing that developers might neglect security in favor of other priorities, malicious threat actors regularly target security weaknesses in an attempt to exfiltrate data, take over mobile devices, or even infiltrate networks through backend servers. Mobile app security needs to become a central priority in the modern cyber threat landscape. This article covers some fundamental best practices that developers can use to strengthen mobile app security and mitigate common cyber attacks.

Mobile App Security Best Practices

You could write a book on how to best secure mobile applications. From user authentication to APIs, to server vulnerabilities, there is a lot to cover. However, nailing down some fundamental best practices goes a long way toward dramatically increasing the security of mobile apps for developers. 

Implement Stronger User Authentication

Relying on passwords alone to authenticate users is an outdated approach that makes apps and user accounts vulnerable to breaches. Many developers limit their efforts to strengthen authentication to requiring that users create strong passwords.

There are now more than 15 billion stolen credentials available to threat actors on the dark web from previous data breaches. Therefore, reliance on just passwords to authenticate is risky given that all it takes is one user reusing the same credentials in your app from a previous breach. 

Stronger access control in mobile apps needs to include other categories of evidence for verifying user identities. Based on the sensitivity of the application data and the reputational risk to the brand offering the app, seek out an authentication server solution that supports multiple ways of implementing two-factor authentication and password protection. For the password itself, implement end-to-end encryption in addition to SSL so that it is protected in transit as well as at rest. For two-factor authentication, instead of asking for a one-time password, which can detract from the user experience, consider implementing mobile tokens that allow push-based logins combined with phone-based biometrics. When looking for an authentication server, choose one that does not lock you into a specific vendor or technology for the authentication mechanism.

Secure the Software Supply Chain

Mobile apps depend on a combination of proprietary code and third-party components. These third-party components include frameworks and libraries that save time for developers with ready-made app functionality and behaviors, such as handling network requests or loading images. 

The third-party components used to build mobile apps form a software supply chain that requires securing. Developers need to exercise due diligence in the libraries and frameworks they select for their mobile apps. Look for reputable open-source projects that are well-maintained.

Additionally, make sure to regularly update any libraries or frameworks that your mobile apps depend on. Serious vulnerabilities can emerge even in reputable third-party components, as was evidenced during the Apache Log4j incident in 2022.

Encrypt Data

As users interact with mobile apps, they regularly create data that gets stored locally on their devices or traverses the Internet to backend systems. Furthermore, important development data, which includes APIs, certificates, and authentication tokens, is also stored on mobile devices. Encryption is a pillar of modern app security because it protects this data by converting it into an unreadable format that threat actors can’t use in any meaningful way. 

Strong encryption standards, such as AES-256, are almost impossible to break with brute force. It’s essential to protect both states of data in mobile apps:

  • Data at rest, which is stored in the sandboxes used on mobile devices to isolate different apps from each other
  • Data in transit over the network between the user’s device and backend servers

For data at rest, get a solution in place that encrypts files, binaries, strings, secrets, and runtime information generated in mobile apps. For data in transit, use TLS/SSL to encrypt data along with public key infrastructure for trust. 

Handle Sessions Securely

In a world of shortened attention spans, users often jump between multiple mobile apps within a short timeframe. To avoid frustrating users, developers allow for lengthy sessions before requiring users to log back in again. These sessions are maintained through tokens, which pose risks when their timeout period is too long or when they’re unintentionally shared. 

In the most sensitive apps, such as online banking, improper session management can wreak havoc on security. To better handle sessions, set session timeouts to one hour for low-security applications and 15 minutes for high-risk apps. Additionally, use standard Web access management (also known as Web SSO) products that support industry-standard methods to create tokens, and make sure sessions are effectively destroyed during authentication changes.
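
The two timeout values and the destroy-on-authentication-change rule above, as an added Python example that is not from the original article or any product it names. The `SessionStore` class and its method names are hypothetical, and treating the timeout as a sliding idle timeout is an assumption.

```python
import secrets
import time

# Idle timeouts from the article: one hour (low-security), 15 minutes (high-risk).
IDLE_TIMEOUT_SECONDS = {"low": 60 * 60, "high": 15 * 60}


class SessionStore:
    """Hypothetical in-memory, server-side session store keyed by opaque token."""

    def __init__(self, risk, clock=time.monotonic):
        self.timeout = IDLE_TIMEOUT_SECONDS[risk]
        self.clock = clock              # injectable so expiry can be tested
        self._sessions = {}             # token -> (user_id, last_seen)

    def create(self, user_id):
        token = secrets.token_urlsafe(32)   # 32 random bytes from the OS CSPRNG
        self._sessions[token] = (user_id, self.clock())
        return token

    def validate(self, token):
        """Return the user id of a live session, else None; expired ones are destroyed."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, last_seen = entry
        now = self.clock()
        if now - last_seen > self.timeout:
            del self._sessions[token]       # expire server-side, not only on the device
            return None
        self._sessions[token] = (user_id, now)  # assumption: sliding idle window
        return user_id

    def destroy_all(self, user_id):
        """Destroy every session of one user; returns how many were removed."""
        stale = [t for t, (uid, _) in self._sessions.items() if uid == user_id]
        for token in stale:
            del self._sessions[token]
        return len(stale)

    def on_auth_change(self, user_id):
        """Password change, MFA reset, etc.: kill old tokens, issue a fresh one."""
        self.destroy_all(user_id)
        return self.create(user_id)
```

Passing `"high"` or `"low"` selects the 15-minute or one-hour limit; a production store would live in a shared backend rather than process memory.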

Exercise the Principle of Least Privilege

The principle of least privilege (PoLP) has a wide range of uses in information security. Exercising this principle means restricting access rights for users, accounts, and processes to only what’s strictly necessary. For mobile app developers, applying PoLP is useful in limiting the permissions needed on user devices to run the application. 

When an app requests more permissions than needed for it to run, the attack surface for malicious actors widens, and sensitive user data is unnecessarily put at extra risk. By applying PoLP to user permissions, developers can approach permissions with a more security-aware mindset that verifies whether there is genuine justification for requesting a given permission before coding that into the application. 

Change the Testing Approach

The DevSecOps movement attempts to ensure app security becomes a priority early on in the development lifecycle. This type of cultural change is not easy to achieve, though. A good way to start is by changing your testing approach to a continuous one rather than periodic tests. Use threat modeling and automated tests to continuously look for new vulnerabilities that might be unknowingly putting your app and its users at risk of a successful cyber attack. 

Use an App Shielding Solution

An application shielding solution can prove extremely valuable in protecting mobile apps from real-time attacks. Apps that are secured well but run in unsecured environments, such as on jailbroken devices or outdated operating systems, are susceptible to compromise. An app shielding solution can isolate your app from the runtime environment and protect against threats that seek to exploit these risky conditions. Such solutions are also known as Runtime Application Self Protection (RASP) solutions. They are relatively easy to implement and shift security work from the developer to a product, which makes them highly popular; they are the de facto baseline in certain industries, such as government and banking apps.

Closing Thoughts

As a developer, it’s critical to start adopting the mindset that security is as important as other concerns, such as innovation and user experience. Begin applying these best practices and you’ll see noticeable improvements in the security of any mobile app you’re tasked with working on. 

At i-Sprint, we have solutions that can help developers strengthen mobile app security and implement strong authentication and session management. AccessMatrix IAM suite and YESsafe AppProtect+ provide application shielding, while a range of best-in-class IAM solutions add extra security to user authentication.
