The risk of cyberattacks to startups and scale-ups
As the mobile landscape continues to flourish, a startup or scale-up’s success can hinge on its mobile application. Alongside this growth, the risk of a cyberattack also increases, and the impact can be devastating. No company is isolated from these risks regardless of its size or product. Startups and scale-ups are at greater risk if they do not consider cybersecurity due to their smaller resources and their need to grow rapidly. The time to start considering mobile app security and applying best practices is now.
The impact of a security breach on a company
A business's encounter with a security issue can be devastating. Aside from the data implications, there are also consequences for the business's reputation, including the erosion of trust from both users and investors, legal liability, and financial and revenue losses. The mounting risk around security issues means the intention should not be to eradicate the risk but to manage it. Considering security not as a standalone issue but as one wholly integrated into the product's lifecycle will safeguard the company's future.
Every product has unique requirements, and there is no one-size-fits-all approach. A banking or health app will likely have different needs than a habit-tracking application or a game; however, the overall risk patterns and strategies remain constant. Security should be considered not just from the stance of the mobile application itself but also from the device so that protection is in place should this be lost or stolen.
Common vulnerabilities of a mobile application
Common vulnerabilities that can present themselves within a mobile application include:
Insecure data storage
Sensitive data can encompass user credentials or details such as financial information. The value of this data brings with it an increased level of risk. The term data breach means an external party can gain access to this information. An external party gaining access to the device can be the cause, but so can device theft.
Authentication and authorization
Validating that users are who they say they are entails using authentication and authorization methods. The most obvious scenario is when a user logs in to the application. If the implementation has weaknesses, you are placing your users at a higher risk of being exploited by malicious actors.
Insecure communication
Almost every mobile app will perform multiple data exchanges between the device and a server during its lifetime. Every instance of this exchange presents a risk for an attacker to intercept the communication, which can expose data.
Third-party libraries
Integrating preexisting solutions through third-party libraries and APIs is a common development practice. The benefit of reduced development time carries with it a responsibility to use these carefully.
Risk management strategies for the mobile application
Now that we have understood the common vulnerabilities and risks that can present themselves to a mobile application, let's look at how to mitigate them.
Data storage
Ensuring data is encrypted in transit and at rest means the risk is far lower should any data be leaked. This is because encryption makes the data more challenging to decipher. Additional steps here include storing the data via secure mechanisms such as the iOS keychain or the Android Keystore. Avoid storing sensitive data locally or sharing data with the application logs and third parties.
- Have you explored secure mechanisms such as the iOS keychain or the Android Keystore?
- Have you considered encryption in transit and at rest?
- Is the data stored encrypted?
Data backups
When issues arise, efficiently backing up data can reduce the impact. Employing frequent and automated backups, ensuring these are encrypted and securely stored, and documenting the processes will assist with recovery where necessary.
- Is the recovery process clearly documented?
- Are the backup processes documented?
- Is access to backups restricted or managed?
- Are backups containing sensitive data stored securely?
Authentication and authorization
Multi-factor authentication (MFA), user sessions, and role-based access controls that define different levels of access, such as admin, support, and user, are all considerations here. MFA strengthens security, while protocols such as OAuth help to manage user sessions and access permissions effectively, and session timeouts lower the risk of unauthorized access. Additionally, ensure the ability to reset passwords is accessible and user-friendly.
- Are you using role-based access control?
- Have you implemented session management?
- Are you using secure protocols such as OAuth?
- Do you require MFA (multi-factor authentication)?
- Do you have policies around password strength?
Secure communication
HTTPS, in conjunction with SSL/TLS (Secure Sockets Layer/Transport Layer Security), should be used for secure communication. Certificate pinning can improve security. This works by ensuring communication only occurs with trusted servers, validating the server's certificate against a pinned certificate shipped inside the application. If the certificate presented by the server does not match the pinned one, which is what happens when the connection has been intercepted or the server has been compromised, the connection is refused.
- Are all certificates valid and up to date?
- If relevant, is certificate pinning implemented?
- Check you are using HTTPS
- Use TLS for encrypting data in transit securely
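The pin check described above, as an added example that is not code from the original article: the app ships SHA-256 fingerprints of the expected server certificate (plus a backup pin for rotation) and refuses any TLS session whose certificate does not match. The certificate bytes, hostname and backup pin below are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the server's DER-encoded certificate (not a real certificate).
FAKE_SERVER_CERT_DER = b"-constructed-der-bytes-for-api.example.com-"


def cert_pin(der_cert: bytes) -> str:
    """Pin = hex SHA-256 over the DER certificate, the value embedded in the app build."""
    return hashlib.sha256(der_cert).hexdigest()


# Ship at least two pins: the live certificate and a backup, so a rotation
# does not lock every installed client out. The backup value is a placeholder.
PINNED = {cert_pin(FAKE_SERVER_CERT_DER), "0" * 64}


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate's fingerprint equals any pinned value."""
    presented = cert_pin(der_cert)
    # Constant-time comparison per pin; no early exit leaks which pin was close.
    return any(hmac.compare_digest(presented, p) for p in pins)


def open_pinned_connection(host: str, port: int, pins, timeout: float = 5.0):
    """Standard chain + hostname validation first, then the pin check on top.

    Raises ssl.SSLError and closes the socket if the pin does not match.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        if not pin_matches(tls.getpeercert(binary_form=True), pins):
            raise ssl.SSLError(f"certificate pin mismatch for {host}")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    print("pin for constructed cert:", cert_pin(FAKE_SERVER_CERT_DER))
    print("matches:", pin_matches(FAKE_SERVER_CERT_DER, PINNED))
    print("other cert matches:", pin_matches(b"unrelated certificate bytes", PINNED))
```

`open_pinned_connection` needs a live network and a real `host`; the fingerprint helpers run offline.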
Third parties
When using any third-party libraries, it is vital to be clear about what this code is doing under the hood. Additionally, maintaining and keeping up to date with the latest versions of third-party libraries will safeguard against any security vulnerabilities.
- Ensure all third-party libraries are up to date
Development
Ensure that your development team adheres to and stays current with best practices. These include following coding standards and conventions and writing clean and maintainable code. Additionally, implementing solid documentation, code reviews, pair programming, testing, and static analysis tools can all help reduce errors and detect them early. Factor in time to address technical debt and continually work to improve the overall quality of the product.
- Are you using static analysis tools?
- Do you have a thorough testing strategy in place?
- Do you perform pair programming?
- Do you perform code reviews?
- Is documentation up to date?
APIs
Most applications implement APIs to enable data exchange between mobile applications and servers. APIs need to follow protocols for authentication, authorization, and encryption. API gateways should be employed with rate limiting to manage the number of requests that the client can make, and monitoring will further safeguard against attacks.
- Do you have solid API documentation in place?
- Are you monitoring traffic?
- Have you configured rate limiting?
- Are all keys stored securely?
- Are APIs protected where required?
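Rate limiting at the API gateway, as an added example that is not code from the original article: a per-client token bucket answers each request with 200 or 429, and the gateway keeps a rejection count per client so monitoring can alert on abusive callers. Client ids, paths and the clock are constructed for the demonstration.

```python
import time
from collections import Counter


class TokenBucket:
    """Per-client token bucket: `capacity` requests burst, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock            # injectable so tests can control time
        self._state = {}              # client_id -> (tokens, last_refill_timestamp)
        self.rejected = Counter()     # client_id -> number of 429s, for monitoring

    def allow(self, client_id: str, cost: int = 1) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= cost:
            self._state[client_id] = (tokens - cost, now)
            return True
        self._state[client_id] = (tokens, now)
        self.rejected[client_id] += 1
        return False

    def retry_after(self, client_id: str, cost: int = 1) -> int:
        """Seconds until `cost` tokens are available, rounded up for a Retry-After header."""
        tokens, _ = self._state.get(client_id, (float(self.capacity), self.clock()))
        deficit = max(0.0, cost - tokens)
        return int(-(-deficit // self.rate)) if deficit else 0


class FakeClock:
    """Deterministic clock for the example; a real gateway uses time.monotonic."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds: float):
        self.t += seconds


def handle_requests(limiter: TokenBucket, requests):
    """Run constructed (client_id, path) tuples through the limiter; return HTTP status codes."""
    statuses = []
    for client_id, path in requests:
        if limiter.allow(client_id):
            statuses.append(200)
        else:
            statuses.append(429)  # a real gateway also sets Retry-After: limiter.retry_after(client_id)
    return statuses
```

With `capacity=5, rate=1.0` a client can burst five calls, then earns one call per second; `limiter.rejected` is what the monitoring question in the checklist above would be fed from.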
Testing
Prioritize quality assurance processes; they will allow you to find vulnerabilities before the app is released. Work to integrate and sustain testing as a crucial part of your team's development cycle. Incorporate as many unit, automated, and manual tests as possible into the CI pipelines. Conduct manual testing using specific testing devices. Furthermore, specific security testing, including security audits and penetration tests, should be conducted, allowing you to identify the most high-risk areas of your product.
- Have you performed penetration testing?
- Is testing integrated into the pipelines?
- Do you have a QA plan?
- Do you have automated testing?
- Do you have a test strategy in place?
User education
You may embrace security as an opportunity to build and enhance user trust. Educate your users on security best practices and how to avoid common risks, and communicate any concerns. Push notifications, when used sparingly, can be a great way to inform users of issues and updates.
- Do you communicate security best practices with your users?
App deployment and release
Ensure only trusted deployment methods are leveraged and release the application through official app stores only.
- Ensure no credentials are stored in the plist file for iOS
- Are you only using trusted app stores?
Code obfuscation
Leveraging code obfuscation entails amending the code to make it harder to understand. The outcome will be that the application is more resilient to attacks, as reverse engineering will be more difficult. This is more commonly implemented on Android because the code is compiled to bytecode, whereas on iOS the code is compiled to native machine code. ProGuard is the common tool of choice for Android, and it runs when the app is built. Third-party tools exist on iOS to do this, but they are not part of the existing toolchain, and you may wish to consider why you are looking to implement them.
- Are you familiar with ProGuard and code obfuscation for Android?
RASP
Embedding RASP (Runtime application self-protection) modules or components enables the application to monitor and better defend itself against threats. Working in real-time means that a response to an issue can happen immediately, working to reduce the impact. Both Snyk and Appdome provide solutions.
- Have you explored runtime protection solutions?
Application signing
You should employ code signing, certificates, and keys to guarantee the application's authenticity and integrity. These will differ depending on whether you deploy to the Apple app store or the Google Play store.
For Apple, you will require a bundle identifier that is unique to your application; it is used to identify it within the app store. When you deploy the application to a device, it will need to go through a code signing process, which protects against unauthorized code modifications. Depending on whether you wish to deploy the app to a device for development purposes or for distribution, different certificates will be required. Lastly, a provisioning profile will be required that links the bundle identifier with the certificate. It will also enable any specific entitlements required by the application, such as push notifications. Overall, it means the app can run on a device or be distributed within the app store.
For Google Play, the process is a little simpler, but you will still need to set up a package name, a signing key, and a configuration within the Google Play console. The package name is similar to the bundle identifier used by Apple. The signing key signs the app to guarantee its integrity, and the configuration will set up permissions.
- Have you set up signing keys and keystore files for Android?
- Do you have a bundle identifier, certificates and profiles for Apple?
Integrity checks
By default, the operating system of a mobile device ships with restrictions that protect it from vulnerabilities. When a device is jailbroken or rooted, it has been tampered with, and its warranty is voided. Undertaking checks to ensure that the user is not running a jailbroken device on iOS or a rooted device on Android will validate that the application is running in a secure environment.
- Are you performing jailbreak or root detection?
Least privilege principle
Privileges are part of many applications. When a user agrees to receive push notifications, access photos, or use their microphone, the application has to ask the user to approve permission. It is essential only to ask and grant the absolute minimum permissions. Doing so will ensure they are only given for specific functionality and not expose the device to the risk of unauthorized access.
- Have you checked that all privileges requested are at a minimum?
OWASP
While less of a specific strategy, it is worth being aware of. OWASP (Open Web Application Security Project) publishes guidelines on how to secure web and mobile applications. MAS (Mobile Application Security) contains the mobile aspects. It summarizes vulnerabilities with suggestions on how to approach solving them. For mobile, the MASTG (Mobile Application Security Testing Guide) provides details on testing and reverse engineering for mobile app security. The MASVS (Mobile Application Security Verification Standard) provides standards for mobile application security.
A case study of a mobile application security breach
In 2018, the health-tracking application MyFitnessPal was affected by a data breach. During the breach, data related to user accounts, including usernames, emails, and passwords, was exposed. The application did not collect details such as social security numbers.
Early in the decade, a transition from SHA-1 to SHA-2 occurred to promote a more secure hashing algorithm. For MyFitnessPal, user passwords were hashed. However, not all of the passwords had been updated to use SHA-2.
When the incident occurred, the company's management responded quickly and asked every user to reset their password. Doing so meant they had time to amend their passwords before any attacker had much opportunity to decode the stolen ones. While the incident impacted the company and caused the stock to fall 4%, the company made the incident public and responded quickly. Consequently, within the year, stocks recovered.
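The case study turns on legacy password hashes that were never migrated. As an added example (not code from the article or from MyFitnessPal), the verifier below accepts a legacy unsalted SHA-1 record, and on a successful login silently rewrites it as a salted PBKDF2-HMAC-SHA256 record, so the share of legacy hashes shrinks with every login and can be measured. Record formats, prefixes and the sample passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

LEGACY_PREFIX = "sha1$"            # constructed format: sha1$<hex digest>, unsalted
PBKDF2_PREFIX = "pbkdf2_sha256$"   # constructed format: pbkdf2_sha256$<iters>$<salt>$<dk>
ITERATIONS = 600_000               # slow by design; a SHA-1 digest is a single fast operation


def legacy_sha1(password: str) -> str:
    """How the old records were produced: one unsalted SHA-1 over the password."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Current scheme: random 16-byte salt plus iterated PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"{PBKDF2_PREFIX}{iterations}${b64(salt)}${b64(dk)}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, using constant-time comparison."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_sha1(password))
    _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Login path: returns (ok, record_to_store). Legacy records are re-hashed on success,
    the only moment the plaintext is available to compute the stronger hash."""
    ok = verify(stored, password)
    if ok and stored.startswith(LEGACY_PREFIX):
        return True, hash_password(password)
    return ok, stored


def count_legacy(records) -> int:
    """Metric for the migration backlog: how many stored records still use the old scheme."""
    return sum(1 for r in records if r.startswith(LEGACY_PREFIX))
```

Users who never log in keep their legacy hash, which is exactly the residue the breach exposed; `count_legacy` is the number to watch, and a forced reset is the remedy for the remainder.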
What can leadership do to increase mobile security?
The most effective strategies will consider security not as a purely technical issue but as a way of fostering a culture for the entire company around it, integrating it into the whole product lifecycle. Leadership is critical to achieving this successfully.
Consider starting by defining a strategy for how you wish to integrate security and align this with your vision and values. Ensure you have a complete understanding of regulations such as GDPR and take all the parts of your product lifecycle from planning to release and embed within the processes.
One core focus point in security is responding to issues. Develop incident response plans, defining clear procedures, policies, and roles to respond to incidents. Ensure this is all documented, that the team is fully aware of it and that it is actively maintained.
By keeping communication open, you will empower your team and foster an environment of trust, which will work to your advantage if problems arise. Use reviews and audits as an opportunity to identify weaknesses and areas that need improvement. Create space within the roadmap and work on communicating this thoroughly to your team and stakeholders.
Collaboration, continuous learning, and appropriate resource allocation will promote knowledge sharing. This will ensure your development team has the tooling, resources, and understanding to implement security measures appropriately and stay on top of the latest changes, such as how AI can assist alongside concerns.
Security should not be considered a daunting challenge but an opportunity. Seek advice when necessary. If you lack resources, you can consider outsourcing security on a full- or part-time basis. The correct strategies and responses can drive the growth and success of both the product and the company.