Avoiding Security Vulnerabilities During The Mobile App Dev Process


Megha Gulati

I enjoy problem solving and seeing ideas come to life. I have a passion for architecting and implementing iOS/Android applications, and am an advocate for good engineering practices and great user experiences.

Updated Jan 19, 2021

Why is it important? 

Security plays a crucial role in mobile app development, so it is important to follow best practices that protect your mobile app against malware and viruses. Whether your mobile app is for a start-up, an SMB, or an enterprise leader, implementing cybersecurity best practices will keep users, and their information, safe.

What to do about it? 

Here are my tips to avoid security vulnerabilities during the mobile application development process: 

  • Only use frameworks or libraries that ship with their source files, or precompiled third-party libraries from a trusted source, since you cannot always see what a precompiled third-party library's code is doing under the hood.
  • Store essential personally identifiable information encrypted on the device and leverage the security measures built into the OS, such as the Keychain, which both iOS and Android provide.
  • Use certificate pinning for encrypted communications to avoid man-in-the-middle attacks, rather than relying only on the OS root certificates. Certificate pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, that certificate or public key is associated with, or ‘pinned’ to, the host. If more than one certificate or public key is acceptable, then the advertised identity must match one of the elements in the pin set. This allows the application to trust only the valid, pre-defined certificates or public keys.
  • Download development tools and libraries from Apple's or Android's official download sites. Counterfeit versions of Apple's Xcode and Android Studio are available for download and produce apps with malware.
  • Request only the permissions your app needs. Do not add further permissions requested by third-party libraries unless you know what they are used for.
  • Do not embed API keys into your app where the API can be used to access sensitive data or accounts on cloud services. API keys can be copied from the app when the device is jailbroken or rooted.
  • Checks for jailbroken and rooted phones should be added to the code of financial services apps, so that no sensitive financial information is at risk of being exposed.
  • Disable screen recording and screen capture in a financial app, as an attacker could record any sensitive data.
  • Disable screen recording in any paid video content app so the content cannot be recorded and redistributed.
  • Remove unnecessary debug logs that might print sensitive information.
  • Do not display all error messages from the server side to the end users, as attackers can use them as hints about how the system works.
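As an added example (not code from the original post), here is how the certificate pinning tip above looks in an Android app that talks to its backend through the OkHttp client, assuming OkHttp 4.x; the host name and the two pin values are constructed placeholders.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Constructed placeholders, not real values.
// A pin is "sha256/" + base64(SHA-256 of the certificate's SubjectPublicKeyInfo).
// OkHttp can compute the pin string for a java.security.cert.Certificate with
// CertificatePinner.pin(certificate).
const val API_HOST = "api.example.com"

// Pin the current key and a backup key (for example the next key you will roll
// to), so a planned key rotation does not lock users out. The connection is
// accepted when any certificate in the server's chain matches any pin for the
// host; otherwise OkHttp fails the handshake even if the chain is signed by a
// CA the OS already trusts.
val pinner: CertificatePinner = CertificatePinner.Builder()
    .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // current key
    .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // backup key
    .build()

val client: OkHttpClient = OkHttpClient.Builder()
    .certificatePinner(pinner)
    .build()

// Returns the response body, or null when the server's chain did not match
// the pin set. The caller must treat null as a hard failure, not retry unpinned.
fun fetchAccount(): String? {
    val request = Request.Builder()
        .url("https://$API_HOST/v1/account")
        .build()
    return try {
        client.newCall(request).execute().use { response -> response.body?.string() }
    } catch (e: SSLPeerUnverifiedException) {
        // Pin mismatch: the peer presented a key we do not expect (for example
        // an interception proxy with its own CA installed on the device).
        // Fail closed and surface a generic error to the user; the exception
        // message lists the pins actually seen, which is useful in local logs
        // during development but should not be shown to end users.
        null
    }
}
```

Pinning the leaf or intermediate key rather than a root gives the tightest check, but it also means the pin set must be updated (with the backup pin already shipped) before the server key changes.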