Rhino Security Labs

Mobile App Security – 3 Security Concepts Every Mobile Dev Should Know

Mobile App Security is a Priority for all Devs

With over a thousand new mobile applications entering the market every day, smartphone and tablet software has opened a new era of software development. The Fair Trade Commission (FTC) expects app developers to adopt and maintain data security practices rather than assume that all apps will be secured the same way. Some apps are simple, such as a weather app that pulls its data from another source like NOAA (the National Oceanic and Atmospheric Administration, which runs the National Weather Service). Since such an app collects little data, it requires far fewer security considerations than a banking app that takes the user straight to their checking account. Every app developer should understand a few core concepts that will help keep their app's security up to par.

1.) Don't trust client input to back-end servers


As an application developer, you cannot trust that your own users won’t try to hack you. Major security flaws stem from building a back-end system or database that trusts unfiltered data from client apps. A developer should understand that the mobile platform alone may not be enough to protect users or data. Communication and security standards need to be set internally and with users, so they understand the limits of the application and the security risks introduced by user-supplied input. Security concerns include SQL Injection, XSS (Cross-Site Scripting), XML Injection, and a number of cookie-manipulation attacks. Injection flaws let an attacker slip malicious code or statements through the application to another system in an attempt to gain access to database contents.
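The following is an added example, not code from the Rhino post, showing the first concept in practice on a back-end lookup: a query that splices a client-supplied username into SQL text beside the hardened version that validates the input against an allow-list and binds it as a parameter. The table, the user rows and the crafted input are all constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list for usernames; anything else is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def make_db():
    # Constructed in-memory table standing in for the app's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_unsafe(conn, username):
    # Trusts the client string and splices it into the SQL text: the input can
    # change the meaning of the statement, which is exactly what SQL injection is.
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Server-side allow-list validation first: reject anything that is not a username.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    # Then parameter binding, so the value is sent as data and never parsed as SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def lookup_safe_or_empty(conn, username):
    # Wrapper for callers that treat rejected input as 'no match' instead of an error.
    try:
        return lookup_safe(conn, username)
    except ValueError:
        return []
```

Run against a constructed input containing a quote and an OR clause, the unsafe lookup returns every row while the hardened one rejects the input outright.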

2.) Don't build custom cryptography or session-handling functions.

The idea of “don’t roll your own crypto” is a phrase as common among security professionals as “don’t get into a stranger’s van.” Most people don’t know the dangers of writing their own cryptography, and it is remarkable how often this concept is overlooked. Cryptography is a highly advanced science, and many secure, open-source encryption solutions exist for anyone to use in their application. Encryption is a security control in its own right, serving to keep ‘secret data secret’ rather than to obfuscate other flaws, so a weak implementation is a vulnerability in itself.

Examples of secure, popular algorithms include AES, Twofish, RSA and Whirlpool. These are considered secure precisely because everyone knows exactly how they work and no one can break them, yet. They’ve been routinely vetted by one cryptanalyst after another and have been proven secure. Custom-built encryption lacks this trial-by-fire validation and is a huge liability to those using it. Similarly, PRNGs (pseudo-random number generators) are used to generate the random values behind session handling and cookies, which helps prevent predictive cookie-manipulation attacks. Every major development language has library functions for session handling, though some people still insist on making their own.
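An added example (not from the Rhino post) of the session-handling point: tokens come from the standard library's `secrets` module, which reads the operating system's cryptographically secure generator, and sit in a small server-side session table with expiry. The `homegrown_token` function is a constructed stand-in for a self-written generator built on a seeded general-purpose PRNG, included only to show why its output is predictable; the session store and its time-to-live are assumptions for the demonstration.

```python
import random
import secrets
import time

TOKEN_BYTES = 32  # 256 bits of entropy per session token

def new_session_token():
    # secrets draws from the OS CSPRNG, so tokens cannot be reproduced from a seed.
    return secrets.token_urlsafe(TOKEN_BYTES)

def homegrown_token(seed):
    # Constructed example of a home-rolled token: a seeded general-purpose PRNG.
    # Anyone who learns or guesses the seed (say, a timestamp) regenerates the token.
    rng = random.Random(seed)
    return "".join("%02x" % rng.randrange(256) for _ in range(TOKEN_BYTES))

class SessionStore:
    """Minimal server-side session table with expiry; the token is the only client-held state."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expiry time)

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = new_session_token()
        self._sessions[token] = (user, now + self.ttl)
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            self._sessions.pop(token, None)  # expired: discard server side
            return None
        return user
```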

3.) Utilize logging, error-detections, and other back-end monitoring tools

Once preventative measures have been taken for the security of the application, it is important to introduce some redundancies and tracking into the system to ensure the safety of data and the ability to see whether someone has tried to get into the system. The vast majority of security-related incidents are discovered after the fact and are reported by an outside party, so logging tools help discover the source. To identify malicious use of the app, a developer must use server logging, error detection, and similar monitoring tools.

Some free tools for small organizations are available to provide logging and error-detection. For instance, tools like Splunk work well for log-aggregation, which makes it easier to identify problems, both for user experience and security concerns. The tool “indexes and makes searchable data from any app, server or network device in real time including logs, configuration files, messages, alerts, scripts and metrics.” Database logins, administrative access, and other sensitive areas should be highly monitored as well. A multitude of tools exist for such purposes.
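As an added example of the kind of detection a log-aggregation tool is asked to do (this is constructed illustration code, not part of the Rhino post or of Splunk), the block below parses a handful of constructed access-log lines from a mobile app's back end and raises alerts for the two things the section says to watch: bursts of failed logins from one client, and any access to administrative paths. The log line format, the client addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of back-end access log lines (timestamp, client IP, method, path, status).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 POST /api/login 401
2024-03-01T10:00:02Z 203.0.113.5 POST /api/login 401
2024-03-01T10:00:03Z 203.0.113.5 POST /api/login 401
2024-03-01T10:00:04Z 203.0.113.5 POST /api/login 401
2024-03-01T10:00:05Z 203.0.113.5 POST /api/login 401
2024-03-01T10:00:06Z 203.0.113.5 POST /api/login 200
2024-03-01T10:02:00Z 198.51.100.7 GET /admin/users 200
2024-03-01T10:03:00Z 192.0.2.9 POST /api/login 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        ts, ip, method, path, status = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, method, path, int(status)))
    return events

def detect(events, max_failures=5, window=timedelta(minutes=1)):
    """Flag failed-login bursts per client, a success right after one, and admin-path hits."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent 401s on /api/login
    for ts, ip, method, path, status in events:
        if path.startswith("/admin/"):
            alerts.append("admin-access %s %s" % (ip, path))
        if path != "/api/login":
            continue
        if status == 401:
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= max_failures:
                alerts.append("login-burst %s %d failures" % (ip, len(recent)))
        elif status == 200 and len(failures[ip]) >= max_failures:
            alerts.append("success-after-burst %s" % ip)
            failures[ip] = []  # reset so one success raises one alert
    return alerts
```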

Since so many applications are being developed every day, mobile app security is an emerging challenge in the market. Developers have not only a legal responsibility to ensure their programs and data are secure but also a moral responsibility to ensure the application keeps their users’ information safe.

If your team is in the process of creating a new disruptive mobile technology or just a simple mobile web application, it can help to get an outside perspective before launching (check out what you need to know before launching). Team Rhino offers secure code review throughout the development process to make sure that your team is developing something that will withstand beta and beyond.