This is a guest post by Brian C. Reed, NowSecure Chief Mobility Officer 

In the race to get innovative new mobile apps or cool new features added to existing mobile apps out the door faster, secure coding practices in mobile app development aren’t always at the top of every developer’s list. In fact, our NowSecure benchmarks show that some 85 percent of iOS and Android apps in the Apple App Store and Google Play have 1 or more security issues and bugs (i.e. security vulnerabilities). Wow, that’s pretty rough security stat to say the least!

Our team at Now Secure has experience testing over a million apps over the last decade, which gives us a unique perspective on the good, the bad and the ugly when it comes to secure mobile app development and security testing. In this post we discuss the most frequent mobile app coding mistakes on iOS and Android that lead to security issues so you can build more secure apps faster with fewer security bug showstoppers.

Inside The Mobile Attack Surface

So we can better understand how to build secure code that will stop an attacker, let’s start with a quick view into the mobile attack surface from the point of view of an attacker. The mobile attack surface can be broken down into four areas: data at rest on the device, data in motion transmitted between the mobile app on device and backend, functionality within the mobile app code itself, and the backend APIs and endpoints the mobile app communicates with. As shown in the figure below, many of the same exploitable security issues or vulnerabilities exist in both web and mobile apps such as buffer overflows, cross-site scripting (XSS), and SQL injection (SQLi). But iOS and Android present a number of new vectors like dynamic runtime injection, intent hijacking, and a plethora of gaps that can lead to man-in-the-middle attacks.

While developers are not expected to be advanced security gurus with deep understanding of all these attacks, these four areas provide a framework for developers and security pro’s to align and focus their efforts on delivering secure mobile apps.

Let’s look at the top 5 mobile app security failures based on years of mobile app security testing and what to do about them. As the chart shows below, the top 5 security failures span:

1. data at rest with insecure data storage
2. data in motion with insecure communication
3. app and backend functionality with insecure extraneous functionality
4. app functionality with insecure client code quality
5. lack of obfuscation which exposes mobile apps to reverse engineering and attacks

Source: NowSecure Mobile App Security Benchmarks Q1, 2018

The Top 5 Mobile App Security Failures

1. Insecure Data Storage

50 percent of all mobile apps tested exhibit “Insecure Data Storage” issues leaving data exposed that could be exploited by an attacker and/or violate industry compliance regulations. Data storage security bugs include insecurely stored data in SQLite DB, log files, plist files, xml data stores or manifest files, binary data stores, cookie stores, and/or SD cards. Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more. Overall, Android apps have a much higher rate of data leakage than iOS mobile apps, with a shocking 52% of Android apps surfacing the “world writable executable” vulnerability though it may be difficult to exploit.

PREVENTION: Developers need to ensure all data is securely stored at all times on the device and ensure they do not write any sensitive data to local files and system logs. Security pro’s or outsourced security pen testing services need to test thoroughly for any unencrypted data leakage on device.

2. Insecure Communications

48 percent of all mobile apps tested exhibit “Insecure Communication” issues which leaves those mobile apps susceptible to man-in-the-middle (MITM) attacks that do not require hands on device to exploit. Insecure communication security bugs include SSL/TLS certificate issues, poor handshake and HTTP transfer of data in clear text. Critical data includes account credentials, PII, email address, geolocation, IMEI, serial number, wifi info and more. Overall iOS has higher rate of network security issues than Android. A surprising 30% of iOS mobile apps and 42% of Android apps use insecure HTTP (not HTTPs).

PREVENTION: Developers need to ensure all data is properly encrypted in transit at all times including proper use of certificates, and this includes 3rd party and OSS libraries that must encrypt all traffic as well. Security pro’s or outsourced security pen testing services need to test for any unencrypted data leakage on device via tests for proper use of SSL, cert pinning and look for sensitive data in transit.

3. Insecure Extraneous Functionality

47 percent of all mobile apps tested reveal “Extraneous Functionality” issues. In many instances these issues can be difficult to identify without deep security testing. Developers may include hidden backdoor functionality or other internal development security controls to speed dev & testing processes that are not intended to be released into a production environment but somehow remain (e.g. debug flag). Example data found in testing includes information on back-end test, demo, staging, or UAT environments, administrative endpoints, two-factor authentication bypass for dev/testing, and more. A very concerning 92% of Android apps tested have extraneous functionality issues while only a very small 2% of iOS apps show these issues.

PREVENTION: Developers need to ensure proper secure coding hygiene and add code review process to ensure extraneous information is not left in code or comments. Security pro’s or outsourced security pen testing services need to probe and try to exploit extraneous functionality to identify and address any issues.

4. Insecure Client Code Quality

32 percent of all mobile apps tested exhibit “Client Code Quality” issues specifically the code running on the device side (not backend code). In many instances these issues can be difficult to identify without deep security testing. Code Quality issues include security issues like buffer overflows, format string vulnerabilities, SQL injection, arbitrary code execution, and other exploitable mistakes. Typically the risk comes from using the wrong API, using an API insecurely or using insecure language constructs. A concerning 59% of Android apps tested have client code quality issues while only a small 4% of iOS apps show these issues.

PREVENTION: Developers need to ensure proper use of mobile APIs and secure coding practices, especially on Android. Security pro’s or outsourced security pen testing services need to ensure mobile apps are security tested on real devices in the real world to ensure full client-side mobile app security.

5. Unprotected Android Apps

62 percent of Android apps are not properly obfuscated leaving them exposed to reverse engineering from attackers. While this is not a security bug per-se, if the responsibility of the team is to deliver secure mobile apps then obfuscation should be included. Data leveraged from attacker reverse engineering can include info on back end servers and endpoints, cryptographic constants and ciphers, exploitable 3rd party libraries/OSS and other intellectual property. The built-in DRM and signing for iOS apps includes obfuscation that makes reverse engineering very difficult. But Android and Google Play include no such protection.

PREVENTION: Android developers should leverage 3rd party obfuscation tools such as the free ProGuard and even with built-in DRM process for AppStore publishing, iOS developers might consider additional protections as well. Security pro’s or outsourced pen testing services need to test for reversing to ensure proper obfuscation is in place such as using free reversing tool like APKTool or more advanced integrated testing tools.

Conclusion

All developers must take into consideration functionality, user experience and security when they build and update their mobile apps. These issues are not insurmountable and can be addressed by increasing a focus on secure mobile development best practices with developer training resources, improved security hygiene and the addition of automated security testing approach into the dev pipeline to establish a strong security baseline.

For a deeper guide with over 100 pages of API and code examples in 50+ best practices, see the free download Secure Mobile Development Best Practices Handbook from NowSecure.

Create an account on App Center today to get started.