Mobile Security: How Developers Should Protect Android Apps

In 2014, mobile app usage accounted for 86% of time spent on mobile devices, up 6% from the year before, according to the Fire Eye report. As a result of user behavior changes, organizations are facing the following major mobile security challenges nowadays:

Focusing on mobile devices and apps vulnerabilities and risks, we can flesh out the following critical threats:

So, what are the key barriers to effective mobile security today?

Are you looking to build a highly secure Android app and need professional assistance with specification, PoC, prototyping and software development?
CONTACT INTERSOG NOW!

Speaking about mobile device and apps security, I’ve outlined the following ways of avoiding / reducing threats and risks:

Mobile platforms security

iOS vs Android security

source: Symantec, 2015

 

As estimated in 2014:

ios vs android apps security

source: Lookout, Inc., 2015

It's clear as a day that Android is much more vulnerable to security breaches and data theft than Apple's iOS. Let’s review the most commonplace Android security threats.

Unlike Apple, Google uses a not so rigorous mobile security model allowing any software developer to build and publish apps anonymously, without inspection. That’s what makes Android a unique OS for smartphones, tablets, smart TVs and IoT enabled devices. Because Android is highly customizable and many hardware vendors modify the stock Android OS to better tailor software to specific pieces of hardware, it has become subject to security flaws and threats, with malware attacks surging from roughly 240,000 in 2013 to over 500,000 in Q1 2015.

Here are some of the Android security concerns that should capture your attention

Here’s what mobile developers can do in the app ideation, design and development stages to reduce security risks for Android app users:

1. Embed security in your app design

As one game developer has once said, “I have become a big believer that you can't retrofit security”. Make sure to include your app security design to your mobile project spec prior to the actual development. For instance, relying too much on client-side data storage can open doors to numerous attacks, so such things should be planned up-front of your project start.

2. Learn how to code certain aspects of your mobile product in a secure way

Check out CERT guidelines for secure coding of Android apps.

3. Test each iteration of your Android app development

Once you’ve created your security design, embedded it in your project spec and learned the basics of secure coding, you should execute frequent code scanning (within each iteration, not just at the end of the project during your mobile app QA phase) and threats models to identify any design flaws and app vulnerabilities that will creep into your app. For instance, at Intersog we follow a secure design lifecycle that envisions a lot of mobile app testing. Our QA guys working on client projects document a clear set of security use cases and test it with design abuse cases. So, after each iteration, we define a security threat model which helps us identify the threat vectors, and then apply engineering mitigations and test each model for security issues. As part of frequent testing, we also monitor network traffic which can help us identify coding libraries and frameworks that perform insecure activities.

4. Encrypt all data that should be stored on the device

Poor encryption is one of the major issues facing Android apps. You may remember a story of Starbucks whose app left all user data unencrypted on the mobile device. Historically, developers have made such common mistakes as not encrypting data on the connection to the server and unsecured storage of authentication credentials. Developers should always keep hackers and their habits in mind and always think of app data in terms of security and encryption. Check out our mobile health app we’ve built for Video Medicine and learn how it exceeds HIPAA data safety compliance.

5. Shrink the opportunities for attacks

Instead of using broad frameworks, mobile developers should focus on minimizing the app functionality to only those capabilities that are really required by users. As such, they’ll be able to shrink the opportunities for attacks, or minimize the attack surface area of the application. Instead of trusting many certificates, developers can hardcode all trusted certificates into the software. Certificate pinning allows for elimination of the attack threats.

6. Use obfuscation

Obfuscation turns your code into indecipherable gibberish which helps raise your app’s security. According to Adrian Mettler, a development engineer on the FireEye mobile team, “If you make it difficult enough to reverse engineer your application, it may make it less likely that there is a trojanized version floating around somewhere”.

Check out how developers should protect iOS apps.

Sources: Information Week, 2015; Fire Eye, 2015; ZDNet, 2015; Lookout.com, 2015; TechBeacon, 2015

Vik is our Brand Journalist and Head of Online Marketing / PR with 11+ years of international experience in IT B2B. He's also a guest blog contributor to Business2community, SitePoint, Journal of mHealth, Wearable Valley and other IT portals. You can contact him directly on LinkedIn.

Leave a comment