Top 5 Security Risks to Ask Your Out-sourced Mobile Devs About

Top 5 Security Risks to Ask Your Out-sourced Mobile Devs About

As the need to develop for multiple mobile platforms increase, so has the need to outsource mobile development. There are software security concerns from mobile hacking that you should be aware of as you build your list of security requirements for your app. For some of you, security may not be the top concern but here are 5 questions to ask your outsourced mobile developers to save your app from ending up in the news.

1. Are you storing sensitive data?

Most organizations come to us for this reason. It’s difficult for them to test for storage of sensitive data on the device. This may include, account login, heath data, financial data or messages sent between customers.

If you outsource mobile development, remember it is difficult to avoid storing data on a mobile device. I recommend you ask for a file listing of data being stored within the app after initialization. Use this file listing to identify high risk files and ask your teams if sensitive data is stored. Only you will know what information is sensitive to your business, don’t make the mistake of thinking your outsourced developers will know.

High risk files for inspection include:

  • preferences
  • encryption keys
  • databases
  • cache (tokens, oauth)

Curious hackers can break into a lost phone for interesting personal data stored within apps. It is best to avoid storing sensitive data or use programming features built into iOS to protect your data.

2. How are you protecting communication?

Let’s face it, your customers will be using open WiFi networks. Do them a favor and ensure that any data sent by your app is sent over an encrypted channel.

It is easier to develop using Clear-Text communication, so sometimes encryption isn’t brought up as a concern. Remember that your app could be sending user credentials, photos, personal account details or financial information over the Internet. This communication should be protected to prevent someone intercepting this traffic over WiFi.

Ask your outsourced app developers if communication is sent encrypted using SSL communication or HTTPS. If your mobile app requires an even higher level of assurance, you may want to consider recent security practice of Certificate Pinning, where a certificate is “hard coded” into the app to better defend against compromised certificates. Google has implemented this in Chrome (Adam Langley of Google Security Team) and Twitter has recently promoted this.

3. Are you erasing temporary data?

Temporary screenshots (iOS) — Not many are aware of an iOS feature that takes an app screenshot when the user presses the home button and stores it in a temporary file. If the user backgrounds on a sensitive screen, e.g. bank account summary, then a screenshot is stored on the device.

Camera caches (iOS) — If you use the iOS Camera within your app, be aware that the camera stores photos in a temporary location before use. Ask your mobile developers whether they are properly disposing of this image if it is sensitive (e.g. if you are sending a photo for health purposes).

4. How can we ensure user privacy?

Privacy is not on the minds of your outsourced developer teams and not a functional requirement. Remember to ask your developers about the following privacy concerns that have got app companies in trouble.

Address book, Calendar and Photos — It wasn’t long ago that popular closed social networking app Path, got in the news for sending user’s address books over the internet without permission. Before that, LinkedIn was caught uploading your calendar information which may contain sensitive contacts and conference bridge codes. Both got mainstream news coverage.

If you are using any aspect of the user’s address book, calendar, or personal information, you must remember add a functional requirement for your outsourced developer teams that first asks permission from the user before sending.

5. Are you logging my App’s data?

The final question to ask your outsourced development team sounds simple, but is one of the common areas that developers forget to “fix” before go live. This is the area of logging. During development it is very typical for teams to log sensitive data to device logs. Unfortunately, for both Android and iOS, it is relatively easy for a hacker or even another app, to read device logs.

As a last step before your app goes live, remember to ask your outsourced teams to ensure that sensitive data that may have been logged for testing purposes is disabled and that only logs which are user generated (e.g. option to send crash logs) are allowed.

Conclusion

Outsourced development teams can be great in bringing your apps to market in short time. From a security perspective though, if your app uses sensitive data you should consider asking the above five questions to your outsourced teams to ensure proper steps are taking to protect customer data.

 

Previous Article
The Three Patterns of Software Development for SDLC Security
The Three Patterns of Software Development for SDLC Security

A one-sized fits all approach to Software Development Life Cycle (SDLC) security doesn’t work. Practitioner...

Next Article
4 Reasons Why Developers Don’t Read Secure Programming Guides
4 Reasons Why Developers Don’t Read Secure Programming Guides

At Security Compass, we had the experience of building secure programming guideline documents for a number ...