Top Tips for Mobile Application Security

Top Tips for Mobile Application Security

As our use of mobile phones continues to increase, so does the risk of cyber criminals stealing and using your personal data for fraudulent purposes. The follow tips will help to ensure that you are eliminating the relevant risks.

Mobile devices have altered our lives and are now used for a range of everyday activities, including shopping, banking, listening to music and even controlling household appliances. However, as our mobile phone usage increases, so do the risks from cyber criminals, especially when it comes to making payments, doing online banking and conducting payments via mPOS applications.

An RSA Security report that was released in Q2 of 2018 drew attention to the fact that 39% of all fraudulent transactions during the first quarter were carried out on mobile applications.

In addition to this, according to the Lexis Nexis 2018 study, 46% of all fraud in financial services originates from applications. It was also noted that there had been a significant increase in fraudsters using malware, including mobile banking trojans designed to steal credentials and money from customers’ bank accounts and credit cards.

The threat of Trojans is a significant threat in terms of Android devices due to applications that are included in the Google Play Store undergoing less thorough vetting processes. Android phones can also be configured to download applications from sources other than the Play Store, meaning that the risk of rogue applications being installed is significantly higher.

It is not just financial services that are being targeted though. The emergence of the Internet of Things in the vehicle sector means that devices can be used to communicate with cars, and this is also an area that fraudsters are looking to exploit. For example, in the case of the Nissan Leaf, security testers were able to demonstrate how it was possible to gain unauthorised access to the vehicle and control the heated steering wheels, seats, fans and the air conditioning. This was all possible from a remote location and when done to an electric vehicle it can drain the battery and render it immobile.

It is imperative that device security and protecting applications are key considerations for both enterprises and end users.

Consider Security from the Start

Manufacturers need to consider and build in security from the start of the development process, it is should not be a simple afterthought. While web applications depend on server security, mobile applications are stored directly on users’ devices, so it is important that the application is protected on the device on which it is installed.

Software developers should be educated on the importance of secure coding practices and code from the perspective of a hostile environment. This ensures that applications are built to be robust enough in the face of such circumstances.

Testing is Imperative

Research by Gartner shows that an estimated 75% of mobile applications fail basic security testing. The number of security vulnerabilities in the Android and iOS mobile operating systems are also a source of concern.

Application development should have continuous testing from the start, with testing performed at each stage of the production process to identify and eliminate any weaknesses. Rigorous security testing will assist in unearthing vulnerabilities that can be fixed easily but, if left until later in the lifecycle, can become major security flaws. It is of the utmost important that testing is not compromised because of an approaching deadline.

Up to Date Cryptographic Techniques

 The latest cryptographic techniques should always be implemented to protect your mobile application. Algorithms, including the MD5 and SHA1, are no longer enough in the face of modern digital security threats and the latest security algorithms need to be implemented into the live app.

Educate your users

 Unfortunately, end users tend to be the weakest link in cybersecurity protection and the main source of failures.

Scammers are becoming increasingly sophisticated, and branching out beyond the standard phishing emails. Although email continues to be their primary method, it is closely followed by utilising infected websites, social media scams, and stealing digital identities and passwords.

The most simple way in which scammers can steal money or personal information is to trick users into unwittingly telling them private information by piquing their curiosity and encouraging them to click on rogue links in a business or personal email.

The overwhelming majority of data breaches involve compromising someone’s credentials. This is particularly the case when it comes to hacking into a company. The preferred way in which hackers breach and bypass a company’s cyber security controls is by stealing an employee’s password.

Therefore, although you can employ robust methods on your side, it is essential that users are aware that their actions can pose a genuine security risk. For example, it is prudent to educate them regarding the threats of jailbroken or rooted devices, and that apps downloaded from unverified sources have the potential to read and steal their personal and financial information.

This education should also extend to making sure that your users are fully aware regarding the dangers of sharing information on social media as cybercriminals are known to search social media for personal information. Users also need to be aware that work and personal information are all connected in cyberspace and it is no longer possible to separate them.

The use of social media, working from home or even when traveling, and the Internet of Things (IoT) connecting a variety of household devices means that cybersecurity is the responsibility of everyone. It is a real possibility that a compromised personal account could allow a hacker to discover an extensive amount of information about a user and make it even easier to hack into a company.

Tagged with
Translate »