Information Security of Mobile Device Applications

It is hard to imagine life without mobile devices. We use them everywhere to make our lives easier: to communicate with each other, to have fun, and even to make purchases. We use them at home and at work; they accompany us on business trips and vacations; our children use them for education and for amusement. They are part of our daily lives.


A mobile device runs an operating system (OS) that provides the basic functions of the device: making calls, sending SMS, taking pictures, browsing the Internet, and so on. The feature set of the OS is extended by installing additional mobile applications, and those applications are where most of the security risk lives, because each one handles its own share of the user's data.


Local data storage

According to MASVS (requirement 2.2), an application must keep sensitive data, such as user credentials or cryptographic keys, in the system credential storage facilities rather than in its own files, logs, or backups. On Android these facilities are the AccountManager and the Android Keystore.

Android keeps AccountManager tokens in the accounts database (accounts.db), which is readable only with root privileges. That protection holds only on an up-to-date, unrooted device: older Android versions carry publicly known privilege-escalation vulnerabilities that can be exploited to obtain root, and on a rooted device the database is exposed outright. An application should therefore never store the user's password there in plain text. It should store short-lived tokens that expire after a timeout and are invalidated when the user logs out, so that a copied database is worth little to an attacker.

Network communication

Secure network communication is probably the most important aspect of application security. Sensitive user data exchanged between the client application and a remote service endpoint must travel over a secure transport, and TLS is the only protocol MASVS recommends. The client must accept only certificates that chain to a trusted certificate authority (CA) and whose hostname matches the endpoint it is talking to. Disabling that validation to make a test environment work, and then shipping the build, is one of the most common findings in mobile penetration tests, because it lets anyone on the network path present a self-signed certificate and read or modify the traffic.
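The two OkHttp clients below are an added example, not code from the original article. The first reproduces the insecure pattern pentesters find again and again: a custom TrustManager and hostname verifier that accept anything, which silently turns TLS into unauthenticated encryption. The second leaves certificate validation to the platform trust store, so only certificates chaining to a trusted CA are accepted, and additionally pins the server's public key. The host name api.example.com and the two pin values are placeholders (assumptions for the example); real pins are the base64 SHA-256 of the server's SubjectPublicKeyInfo.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.X509TrustManager

// WEAK (do not ship): this TrustManager never throws, so any certificate chain, including
// one an attacker generated a minute ago, is "trusted".
object TrustAll : X509TrustManager {
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
    override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
}

// WEAK: installs TrustAll and also disables hostname verification. Traffic through this
// client can be intercepted by anyone who can sit on the network path (e.g. public Wi-Fi).
fun weakClient(): OkHttpClient {
    val ctx = SSLContext.getInstance("TLS").apply { init(null, arrayOf(TrustAll), null) }
    return OkHttpClient.Builder()
        .sslSocketFactory(ctx.socketFactory, TrustAll)
        .hostnameVerifier { _, _ -> true }
        .build()
}

// CORRECT: no custom trust manager, so OkHttp uses the platform trust store and the
// default hostname verifier. The pinner adds a second check: even a certificate issued by
// a trusted CA is rejected unless its public key matches one of the pins. Pin values below
// are placeholders (assumption); always ship a backup pin so key rotation does not lock
// users out of the app.
fun hardenedClient(): OkHttpClient =
    OkHttpClient.Builder()
        .certificatePinner(
            CertificatePinner.Builder()
                .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // current key
                .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // backup key
                .build()
        )
        .build()
```

A quick check during a code review or pentest is to grep the code base for implementations of X509TrustManager and HostnameVerifier: a production app rarely needs either. On Android 7 and later the same policy (trusted CAs, pins, no cleartext) can also be declared once in a network_security_config.xml instead of per HTTP client, which is harder to get wrong.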


Application integrity

It is important that the user always runs the original mobile application supplied by the vendor. It must also be very difficult for an attacker to produce a modified copy of the application whose logic has been changed to steal or compromise user data, for example by patching the APK and redistributing it. A mobile application should therefore be resilient to reverse engineering and able to detect that it has been tampered with, while keeping in mind that any check running on the device can itself be patched out by a determined attacker; such checks raise the cost of an attack, they do not make it impossible.
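One of the cheapest tamper checks is to verify at start-up that the APK is still signed with the vendor's release key. The Kotlin function below is an added example, not code from the original article: it hashes the signing certificate(s) reported by PackageManager and compares them with a value baked in at build time. EXPECTED_SHA256 is a placeholder (assumption); the real value is the hex SHA-256 of the release signing certificate.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Placeholder (assumption for the example): replace with the SHA-256 of the real release
// signing certificate, e.g. from `keytool -printcert -jarfile app-release.apk`.
private const val EXPECTED_SHA256 =
    "0000000000000000000000000000000000000000000000000000000000000000"

// Hypothetical tamper check (not from the article). A repackaged APK must be re-signed by
// the attacker, because Android rejects an APK whose signature does not match its contents,
// so the signing certificate changes and this check fails.
fun isSignedByVendor(context: Context): Boolean {
    val pm = context.packageManager
    val signatures = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
            .signingInfo.apkContentsSigners
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
    }
    val md = MessageDigest.getInstance("SHA-256")
    return signatures.any { sig ->
        md.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) } == EXPECTED_SHA256
    }
}
```

Because the attacker controls the patched binary, this check is a speed bump rather than a wall: they can simply remove the call. It is still worth having, since it defeats automated repackaging, and it becomes much stronger when the same evidence is verified off-device, for example by having the backend validate a Play Integrity or equivalent attestation before issuing a session token.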

Conclusion

  • Mobile application security is vital for any application that handles user data. To test the security level of your application, we recommend using the OWASP Mobile Application Security Verification Standard (MASVS).
  • The most important aspects of mobile application security are local data storage, authentication and session management, network communication, and resilience against reverse engineering.