-
-
-
-
URL copied!
Writing secure code is essential for any app developer. We’ve all heard horror stories about apps that have been hacked and exposed sensitive user data. So what are the best ways to ensure your mobile app is secure? Are you doing enough to protect your code?
Mobile device security should be a top priority for anyone developing software for mobile platforms. You must be aware of the potential risks and make sure your coding practices are up-to-date with industry best practices. By understanding how attackers target mobile applications, you can take steps to minimize those threats.
In this two-part series, you’ll learn more about the best practices for writing secure code for mobile apps and discover several methods to improve your own code.
Use HTTPS instead of HTTP
Hypertext Transfer Protocol Secure (HTTPS) is the most traditional and secure way to access the web. It combines two different protocols: Hypertext Transfer Protocol (HTTP) and SSL or TLS protocol. It’s also a secure way of sending requests to a server from a client. The communication is entirely encrypted, which means no one can know what you are looking for or talking about online.
HTTPS Encryption also defeats sniffing attacks by concealing the traffic’s meaning from everyone except those who know the secret of decrypting it. The traffic remains visible to the sniffer, but it appears as streams of random bytes rather than the plain text form of JSON or XML body, HTML, links, cookies, or passwords.
For this reason, developers must restrain from using HTTP URLs in their apps. The server must enforce the use of HTTPS to prevent insecure connections from being established.
Recommended reading: Confidential Computing: Third Pillar of Data Encryption
Consider POST for sending sensitive data over GET
The HTTP POST method does not expose information via the URL. With GET, essential information is passed as part of the URL, thus exposing information in server logs, browser history, or caches.
In addition, sending sensitive information via GET parameters makes it easy to alter the data submitted to the server in sniffing attacks. This is yet another security threat with GET is a situation in which a third party sends a link to the end user.
As a rule, you cannot email a link that will force a POST request. Although, you can send a link with a malicious GET request.
Use separate channels of communication for sensitive data
Security should not rely on one channel of communication. The best practice for this situation is to use separate communication channels for sharing sensitive information such as a PIN or password.
For example, you can use an HTTPS network connection to share encrypted data between the client and server, and then use APNS, GCM or SMS to share the PIN or token with the client app.
That way, even if one channel of communication is compromised, the security of the overall system remains intact.
Recommended reading: Security Training for the Development Team
Accept only valid SSL certificates
An SSL certificate from a trustworthy provider verifies that you are what you say you are. Otherwise, anyone can make their own certificate for google.com or thebank.com and pretend to be someone else.
For this reason, your HTTPS connection must reject all SSL certificates that are invalid for any reason.
Follow secure coding practices from respective platforms
Every platform publishes and promotes the use of an extensive set of secure coding practices and guidelines. Mobile App developers must be aware of and follow these known secure coding practices. More importantly, they should be part of the code review checklist.
Secure coding practices include performing input validation, being careful with memory management, not using insecure C functions, avoiding the use of immutable containers when storing sensitive data, etc. But remember that this is just a subset of extensive list provided by the respective platforms.
Must have jailbroken or rooted device detection
Jailbroken and rooted devices are prone to a number of security threats, and can compromise a user’s personal or company data in many ways.
Some of these threats are; brute force attacks on passcodes; a malicious app with privileged access may drain battery life or destabilize the operating system; remote attackers can exploit a secure shell server on such a device, get access to your application’s sandbox, and copy sensitive data.
All apps must be able to detect jailbroken or rooted status of the device and must limit its functionality, erase data completely, or silently notify the authorities.
Verify data and files integrity with hash
Examining the integrity and authenticity of the data and files transferred between your app and server can be very important to your app’s security. Simple implementation of hash functions for this can add great value to security.
When using hash functions for integrity, check the files and make sure you use a different communication channel to deliver the hash than that used for data and files.
Writing Secure Code
Following best practices for writing secure code is essential for any mobile app development project. By taking the time to design your app with security in mind, you can mitigate potential risks and help ensure that your data is adequately safeguarded.
Keep reading our secure code writing best practices guide here in part two.
Learn more:
Top Insights
Innovators and Laggards: The Technology Landscape of 2019
Digital TransformationPerspectiveAutomotiveCommunicationsConsumer and RetailFinancial ServicesHealthcareManufacturing and IndustrialMediaTechnologyTop Authors
Blog Categories
Let’s Work Together
Related Content
Unlock the Power of the Intelligent Healthcare Ecosystem
Welcome to the future of healthcare The healthcare industry is on the cusp of a revolutionary transformation. As we move beyond digital connectivity and data integration, the next decade will be defined by the emergence of the Intelligent Healthcare Ecosystem. This is more than a technological shift—it's a fundamental change in how we deliver, experience, … Continue reading Best Practices for Writing Secure Code for Mobile Apps (Part 1) →
Learn more
Share this page:
-
-
-
-
URL copied!