In a guest post published by Forbes, IT security expert Charles Henderson examines the current state of app security. According to Henderson, a leading cause of app security issues has been the rush of developers to adopt the new platform: “The rush of companies and developers into the mobile software market has led to shortcuts that have repeated many security problems already solved in older technology platforms. Mobile has been fraught with issues of caching sensitive data, incomplete encryption and simple mistakes in coding.”
Mobile app developers need to be especially careful because of their product’s portability and relatively open access. Henderson writes, “The extreme portability of mobile devices and the relative ease of obtaining physical access pose a significantly new risk – which is why a top-of-the-line, soup-to-nuts data security plan is crucial when it comes to protecting sensitive information.”
Common security issues include:
Encryption
Card data should be encrypted as early as possible, ideally before it ever reaches code running on the phone. Henderson explains, “The best design for a mobile credit-card reader is to embed the encryption function into the actual magnetic stripe hardware. This prevents any plain text card numbers from being saved to the device’s storage. This is the most common design, but we still test some applications that encrypt the card number on the mobile device. These alternate designs have the potential to allow malware on the device to intercept the card number before it is encrypted by the software running on the mobile device.”
Caching
Proper use of caching makes business apps run significantly faster, but it also carries potentially severe security risks: whatever the app caches sits on the device, where a lost or stolen phone hands it to whoever has the hardware. Henderson describes the risk, “When abused by programmers, sensitive data can be cached by applications. For example, your online banking username and password, checking routing and account number, account history and so on. Granted, your mobile banking application will load much faster, but if you lose your phone, that information will be available to anyone who finds it.”
Developer Tools and Utilities
Henderson notes that developers use many time-saving tools and utilities during development, and sometimes forget to remove such features before the product is released. As a case in point, Henderson highlights an otherwise secure banking app that his security firm recently reviewed. While the design features worked properly, his firm was surprised to find that one of the developers’ shortcuts caused the app to write “full debit card data, including card numbers, expiration dates and security code, to the phone’s log file in plain text. Reading the data was trivial once the phone was ‘jailbroken’ – no in-depth hacking skills were required.”
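The leak Henderson describes is caught by two controls, one on each side of the fence: during testing, a scan of the device log for Luhn-valid card numbers (a bare regex for long digit runs would also flag order numbers and session IDs, so the check digit matters), and in the app, a log filter that redacts card data before a record is ever written. The Python below is an added example, not code from Henderson’s article or from the banking app he reviewed; the sample log lines, the logger name and the field labels (pan=, exp=, cvv=) are constructed for the demonstration.

```python
"""Find and redact payment card data in application log output.

Added example. The log lines below are constructed to loosely resemble
Android logcat output; they are not from any real application.
"""
import io
import logging
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Expiry as MM/YY or MM/YYYY (will also hit real dates in that form, which
# is an acceptable false positive for a redaction filter).
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])/(\d{2}|\d{4})\b")
# Security code following a cvv/cvv2/cvc/csc label.
CVV_RE = re.compile(r"\b(cvv2?|cvc|csc)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample log: one line leaks a swipe, two carry harmless numbers.
SAMPLE_LOG = [
    "03-12 14:02:11 I/PayApp: swipe ok, pan=4111 1111 1111 1111 exp=12/26 cvv=123",
    "03-12 14:02:12 D/PayApp: order 1234567890123 confirmed",
    "03-12 14:02:13 I/PayApp: session 9876543210",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Tester's check: (1-based line number, PANs) for every line that leaks."""
    hits = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits.append((n, pans))
    return hits


def redact(text: str) -> str:
    """Mask card data: keep the last four PAN digits, blank expiry and CVV."""
    def mask_pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a card number; leave it alone
    text = PAN_RE.sub(mask_pan, text)
    text = EXPIRY_RE.sub("**/**", text)
    text = CVV_RE.sub(lambda m: m.group(1) + "=***", text)
    return text


class CardDataFilter(logging.Filter):
    """Developer's control: redact card data before the record is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_with_filter(messages: list[str]) -> str:
    """Emit messages through a logger wearing CardDataFilter; return the output."""
    stream = io.StringIO()
    logger = logging.getLogger("payapp.demo")   # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(CardDataFilter())
    logger.addHandler(handler)
    for m in messages:
        logger.info(m)
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG):
        print(f"line {n} leaks card number(s): {pans}")
    print(log_with_filter(SAMPLE_LOG))
```

The scanner is the check a tester runs over a pulled log file; the filter is what should have been on the banking app’s logger from the start. Neither replaces the real fix, which is not to put card data into a log call at all, but the filter turns a forgotten debug statement into a masked line instead of a plaintext dump.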
It’s clear that custom applications need to have security built into their design rather than bolted on afterwards. Henderson insists that custom applications go through rigorous third-party security testing to achieve the best results. As for consumers, Henderson suggests treating smartphones like you would a wallet. “Be careful what you keep on it and if you lose it, immediately start thinking about your risk exposure. Resetting passwords is usually easy to do and should be a high priority. Think about what credit-card numbers might be cached on your phone and consider calling your bank to have a new one issued. Most importantly, eat your way through your favorite application’s payment account before someone else does.”
What security measures do you find most desirable in a mobile app?