Guest Post – Mobile App Security Threats and Secure Best Practices Part 1

A guest post by KC Karnes

Is your mobile app secure?

It shouldn’t come as a surprise that mobile apps are targeted by hackers, given the rapid adoption and increased usage globally. By some estimates, one out of every 36 mobile devices has high-risk apps installed. [1]

An even more sobering mobile app security statistic for businesses to hear: 71% of fraud transactions came from mobile apps and mobile browsers in the second quarter of 2018 compared to 29% on the web, up 16% year over year.

Because the number of mobile app attacks will all but certainly increase, integrating mobile app security into your strategy is essential to protecting your users and the trust you’ve established.

Cybercriminals are not lacking in creativity, they’re hacking in it (sorry, that will be the first and last pun).

From accessing the microphone, camera, and location of a user’s device, to building convincing app clones — there are many strategies hackers employ to gain access to, and exploit, personal information of unsuspecting mobile app users.

Below are some common mobile app security threats you should be aware of. It’s important to note this list is by no means exhaustive, but simply a drop in the bucket.

01. Lack of Multifactor Authentication

Most of us are guilty of using the same insecure password across multiple accounts. Now think about how many users you have. Even if a user’s password was compromised through a breach at a different company, hackers often test passwords on other apps, which can lead to an attack on your company.

Multifactor authentication, which typically combines two of the three possible factors of authentication, does not rely solely on the user’s password to confirm the user’s identity. This additional layer of authentication can be the answer to a personal question, an SMS confirmation code the user must enter, or biometric authentication (fingerprint, retina, etc.).
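As an added example (not part of the original post), here is the second step of a login as the text describes it: a server-side one-time code such as an SMS confirmation code, issued only after the password check has passed, and verified with an expiry, an attempt limit, single use, and a constant-time comparison. The in-memory `pending` map, the user IDs and the function names are constructed for this example; a real backend would keep challenges in a database or cache and deliver the code out of band.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// challenge is one pending second-factor check for a user (constructed example;
// a real backend would keep this in a database or cache keyed by session).
type challenge struct {
	code     string
	expires  time.Time
	attempts int
}

const (
	codeLifetime = 5 * time.Minute
	maxAttempts  = 3
)

var pending = map[string]*challenge{} // keyed by user ID

var (
	errNoChallenge = errors.New("no pending challenge")
	errExpired     = errors.New("code expired")
	errTooMany     = errors.New("too many attempts")
	errMismatch    = errors.New("code does not match")
)

// newCode draws a 6-digit code from the OS CSPRNG; math/rand would be predictable.
func newCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// issueChallenge runs after the password check succeeded. The code would be
// delivered out of band (SMS, push notification); here it is simply returned.
func issueChallenge(userID string, now time.Time) (string, error) {
	code, err := newCode()
	if err != nil {
		return "", err
	}
	pending[userID] = &challenge{code: code, expires: now.Add(codeLifetime)}
	return code, nil
}

// verifyChallenge checks the submitted code. It is time-limited, attempt-limited,
// single-use, and compared in constant time so response timing does not reveal
// how many digits matched.
func verifyChallenge(userID, submitted string, now time.Time) error {
	c, ok := pending[userID]
	if !ok {
		return errNoChallenge
	}
	if now.After(c.expires) {
		delete(pending, userID)
		return errExpired
	}
	c.attempts++
	if c.attempts > maxAttempts {
		delete(pending, userID)
		return errTooMany
	}
	if subtle.ConstantTimeCompare([]byte(c.code), []byte(submitted)) != 1 {
		return errMismatch
	}
	delete(pending, userID) // consumed: the same code cannot be replayed
	return nil
}

func main() {
	now := time.Now()
	code, _ := issueChallenge("user-42", now)
	fmt.Println("correct code:", verifyChallenge("user-42", code, now))
	fmt.Println("replayed code:", verifyChallenge("user-42", code, now))
}
```

The important properties are the ones a reviewer would check for: the code is unguessable, it dies after five minutes or three wrong tries, it works exactly once, and the comparison does not short-circuit on the first wrong digit.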

02. Failure to Encrypt Properly

Encryption is the process of transforming data into an indecipherable form that is ideally only readable after it has been translated back using the secret key. In other words, encryption changes the sequence of a combination lock, but be careful: hackers are gifted at picking locks.

According to Symantec, 13.4% of consumer devices and 10.5% of enterprise devices do not have encryption enabled. This means that if hackers gain access to those devices, personal data will be available in plain text.

Unfortunately, the software companies that do use encryption are not immune to an honest mistake. Developers are human and make mistakes that hackers can exploit. When it comes to encryption, it’s important to assess how easily your app’s encryption could be broken.

This common security vulnerability can have severe consequences including intellectual property theft, code theft, privacy violations, and reputational damage, just to name a few.

03. Reverse Engineering

The nature of programming exposes many apps to the very real threat of reverse engineering.

The healthy amount of metadata provided in code meant for debugging also helps an attacker understand how an app functions.

Reverse engineering can be used to reveal how the app functions on the back-end, expose encryption algorithms, modify the source code, and more. Your own code can be used against you and pave the way for hackers.

04. Malicious Code Injection Exposure

User-generated content, like forms and comments, can often be overlooked for their potential threat to mobile app security.

Let’s use the login form as an example. When a user inputs their username and password, the application communicates with server-side data to authenticate. Apps that do not limit what characters a user can successfully input run the risk of hackers injecting code to access the server.

If a malicious user inputs a line of JavaScript into a login form that does not guard against characters like the equal sign or colon (common in JavaScript), they can easily access private information. [2]
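To make the form-input point concrete, here is an added example in Go (mine, not the author's): an allowlist check for a username field, and the same user comment rendered through text/template, which emits it verbatim, and through html/template, which escapes it according to the context it lands in. The inputs are constructed, and `validUsername`, `renderUnsafe` and `renderSafe` are names chosen for this example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	"regexp"
	texttmpl "text/template"
)

// Constructed inputs standing in for what a user might type into a form.
const (
	sampleUsername = `alice`
	hostileName    = `alice=':` // carries the characters the text warns about
	sampleComment  = `hello <script>alert("xss")</script>`
)

// usernameRE is an allowlist: anything outside it is rejected before the value
// reaches a query or a page. Validation is defence in depth; the query itself
// must still be parameterised and the output still escaped.
var usernameRE = regexp.MustCompile(`^[A-Za-z0-9_.-]{3,32}$`)

func validUsername(s string) bool { return usernameRE.MatchString(s) }

// page is the fragment a comment is rendered into.
const page = `<p>{{.}}</p>`

// renderUnsafe uses text/template, which performs no escaping: whatever the
// user typed is emitted as markup, so a <script> tag becomes live code.
func renderUnsafe(comment string) string {
	var buf bytes.Buffer
	if err := texttmpl.Must(texttmpl.New("p").Parse(page)).Execute(&buf, comment); err != nil {
		panic(err) // template and data are fixed here; a real handler would return an error
	}
	return buf.String()
}

// renderSafe uses html/template, which escapes for the HTML context the value
// lands in, so the same input is displayed as text instead of executed.
func renderSafe(comment string) string {
	var buf bytes.Buffer
	if err := htmltmpl.Must(htmltmpl.New("p").Parse(page)).Execute(&buf, comment); err != nil {
		panic(err)
	}
	return buf.String()
}

func main() {
	fmt.Println("valid username:", validUsername(sampleUsername), validUsername(hostileName))
	fmt.Println("text/template:", renderUnsafe(sampleComment))
	fmt.Println("html/template:", renderSafe(sampleComment))
}
```

The allowlist rejects the hostile name outright, and html/template turns the angle brackets and quotes in the comment into entities, so the browser shows the script text rather than running it.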

05. Data Storage

Insecure data storage can happen in many places within your app: SQL databases, cookie stores, binary data stores, and more. These can be caused by vulnerabilities in the OS, frameworks, compiler, or new and jailbroken devices.

If a hacker gains access to a device or database, they can modify the legitimate app to funnel information to their machines.

Even sophisticated encryption protections are rendered useless when a device is jailbroken or rooted, which allows hackers to bypass operating system restrictions and circumvent encryption. [3]

Many times, insecure data storage is caused by a lack of processes for handling cached data, images, and key presses.
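The following added example (not from the original post) serves both section 02 and section 05: a small local cache that keeps only AES-256-GCM sealed blobs, uses a fresh random nonce on every write, binds each blob to its entry name as associated data, and refuses to return data whose authentication tag does not verify. `store`, `sealBlob`, `openBlob` and the sample value are constructed for this example; the key is generated in-process here, whereas a shipped app would obtain it from the platform keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample value an app might cache locally (not a real token).
var sampleSecret = []byte("session-token-constructed-example")

var (
	errTampered = errors.New("stored blob failed authentication")
	errNotFound = errors.New("no such entry")
)

// newKey returns a fresh 256-bit key from the OS CSPRNG. A shipped app would
// take the key from the platform keystore, never from a constant in the
// binary, since anything embedded in the app can be recovered by reverse engineering.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts and authenticates value with AES-256-GCM. The nonce is
// random per call and prepended to the output; reusing a nonce under one key
// destroys GCM's guarantees, which is exactly the kind of honest mistake to avoid.
func sealBlob(key, value, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, aad), nil
}

// openBlob checks the tag before releasing any plaintext, so a blob edited on a
// rooted device comes back as errTampered rather than as garbage.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errTampered
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errTampered
	}
	return pt, nil
}

// store is a hypothetical local cache: only sealed blobs are kept, and the entry
// name is bound in as associated data so a blob cannot be moved between slots.
type store struct {
	key   []byte
	blobs map[string][]byte
}

func newStore(key []byte) *store { return &store{key: key, blobs: map[string][]byte{}} }

func (s *store) Put(name string, value []byte) error {
	blob, err := sealBlob(s.key, value, []byte(name))
	if err != nil {
		return err
	}
	s.blobs[name] = blob
	return nil
}

func (s *store) Get(name string) ([]byte, error) {
	blob, ok := s.blobs[name]
	if !ok {
		return nil, errNotFound
	}
	return openBlob(s.key, blob, []byte(name))
}

func main() {
	key, _ := newKey()
	s := newStore(key)
	_ = s.Put("token", sampleSecret)
	got, err := s.Get("token")
	fmt.Printf("round trip: %q %v\n", got, err)
}
```

Note what this does not solve: on a rooted device the key itself is reachable to whoever controls the OS, which is the point the text makes about jailbroken devices. The construction limits what an attacker learns from the cache files alone and makes tampering detectable; it is not a substitute for a trustworthy platform.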

On Friday we will publish the rest of this guest post.



About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at
