In this article we discuss the security and data privacy of mobile apps. We’ve learned through our App Review initiative that at least 75% of apps show insecure and vulnerable designs or implementations. Derk Tegeler, Security Director at Service2Media, advises our clients on mobile security. Read his short overview of app security and privacy.
Find out why mobile is different from desktop when it comes to security and discover the most important measures you need to take into account.
Mobile vs. Desktop
There are many reasons why security on mobile devices is different from the desktop or the web. Mobile devices are truly mobile. They are used everywhere: in the car, in the train, tram and bus, and very often in public spaces. They can be lost, stolen, resold or thrown away, possibly exposing dangerous data to an unintended audience.
After dissecting all the potential dangers we have seen a structure emerging: storage, communication and the apps themselves.
Data stored on the device should be protected against prying eyes (or apps). This can easily be solved with encryption or by rendering leaked data unusable. Encryption needs to be done carefully and can be a pitfall in itself.
Similar to storage, communicating data through open lines invites its own set of confidentiality problems. Interception, or the ‘man-in-the-middle attack’, is the number one problem with networks. This can occur due to rogue Wi-Fi hotspots, challenges with the current public key infrastructure and lawful (and less lawful) interception. Mitigation measures exist and should be carefully selected and implemented.
The apps themselves, or the libraries they use, are often poorly written and can leak data. Because user experience is paramount on mobile, designing apps requires a different way of thinking, which strengthens the need for good threat modelling and novel mitigation measures.
Although not explicitly required by law, this starts with threat modelling, which is nothing more than a formalised security analysis. This model shows the weak points of a system and enables the design of an exhaustive palette of mitigation measures.
The Law: New European Requirements
Many data protection acts require the app manufacturer to implement ‘appropriate measures’ to protect against loss or leakage of personal data. Upcoming European directives will tighten the requirements with regard to overall responsibility, data location and opt-in. Proposals are under review to levy hefty fines for organisations found to be in breach.
The premise for secure apps is:
Do not trust a mobile device, and if you must, take appropriate measures. We urge you to consider your potential data confidentiality and integrity issues with great care, and rely on experienced mobile players.
More blogs from our Security Director, Derk Tegeler: How to build secure apps – creating a chain of trust (September 2013)