I'm sure we're all familiar with stories of popular websites being hacked, or of IT systems in airlines and banks coming under attack. We're perhaps less familiar with the mobile apps that power our smartphones being compromised, yet they are an increasingly popular target for attackers.
An accomplished hacker can compromise an app in a matter of minutes, thus gaining access to your database, your ERP, your intellectual property, or even your customers. It’s crucial, therefore, that app developers do all they can to ensure their software is safe and secure.
In an ideal world, apps would undergo an independent security audit before they’re launched onto the App Store or Google Play. This is especially important for apps that are dealing with extremely sensitive information, such as banking or government apps. It’s a process that should ideally start as early in the software development process as possible to ensure that security is considered from the start.
Developers should also endeavor to follow application security guidelines that are already well established, such as the Mobile Security Testing Guide (MSTG), developed by the Open Web Application Security Project (OWASP). The guide enumerates the areas in which a mobile app can be attacked (local data storage, cryptography, authentication, network communication, platform interaction, code quality and build settings, and resistance to tampering and reverse engineering) and gives concrete test cases for each, so that developers can verify their particular app isn't susceptible along any of them.
Another key area of vulnerability is the very source code that powers the apps themselves.
Typically, when apps are shipped, the code goes out in a form that is easy to read back: Android apps are distributed as bytecode that free tools can decompile into near-original source, and iOS binaries can be disassembled just as readily, so anyone who downloads the app, whether friend or foe, can study how it works. It's a sufficient threat that it earned a mention in the ISO/IEC 27001 information security standard, whose Annex A includes a control on access to source code and whose guidance notes that inadequately protected source code gives attackers a strong means of compromising systems, often without detection.
Exposed code brings a number of risks, not least of which is the ability for attackers to patch the code directly, hook or redirect system API calls, modify the contents of memory, or manipulate the data and resources of the application, and then repackage the app with its intended behaviour changed (for example, to bypass a licence or payment check).
Perhaps even more dangerously, access to the code makes it much easier for attackers to produce an army of copycat apps and distribute them in the hope of fooling users into installing them, typically for phishing or credential theft.
Keeping code safe
To battle against this, it's important that developers implement robust code protection methods that obfuscate the shipped code (renaming identifiers, encrypting strings, flattening control flow) to make cloning and reverse-engineering apps that much harder. Obfuscation raises the attacker's cost rather than eliminating the risk, so it should be paired with runtime defenses that detect when the app has been repackaged or re-signed, is running on a rooted or jailbroken device, or is being debugged, and refuse to run in those conditions, locking copycats and would-be attackers out.
The following are a number of the most common methods used to keep source code safe from attacks:
- Encryption - For apps, the source code is often the most valuable asset, so the stored copies of it (repositories, build servers, backups, developer laptops) should be encrypted at rest, and it should only ever move between systems over encrypted connections. Encrypting strings or classes inside the shipped app is a useful obfuscation step too, but it only raises the bar: the decryption key has to be present on the device for the app to run, so a determined attacker can always recover it.
- Monitoring - Developers should also keep a constant watch over access to their repositories and build systems, with alerts set up to notify them of suspicious activity such as logins from unfamiliar locations or unexpected bulk clones, and should watch the app stores for copycat listings of their app. As with so many problems in life, early detection allows for easier and more effective remedial action, while also providing insights to bolster defences in future.
- Access restriction - Restricting access to the source code is obviously one of the more straightforward means of defence. While this is not possible once the app is published, within your organization access should be limited purely to those members with hands-on roles. Even for these employees, multi-factor authentication should be required on the source control system and the build pipeline to ensure only the right people can reach your code.
- Copyright - Copyright law does not stop an attacker from decompiling your app, but it gives you legal recourse against clones and copycats, so it's sensible to treat your code the way you would any other part of your intellectual property. Where the underlying invention qualifies, this might even include applying for patents to ensure you're fully protected by the weight of the law.
While each of these approaches may be valuable in isolation, it’s often best to utilize as many of them as you can to ensure that you have all of your bases covered. After all, as far as your source code is concerned, it’s rare that you can ever have too much protection.
Mobile apps are an increasingly important part of our lives, and provide an intersection between the public and vital services. Valuable as these applications are to users, so too are they a tantalizing target for attackers keen to get their hands on such a treasure trove of data. As such, it’s vital that developers do all they can to ensure that their source code is as safe as possible.