-
-
-
-
URL copied!
Writing secure code is essential for any app developer. We’ve all heard horror stories about apps that have been hacked and exposed sensitive user data. So what are the best ways to ensure your mobile app is secure? Are you doing enough to protect your code?
Mobile device security should be a top priority for anyone developing software for mobile platforms. You must be aware of the potential risks and make sure your coding practices are up-to-date with industry best practices. By understanding how attackers target mobile applications, you can take steps to minimize those threats.
In this two-part series, you’ll learn more about the best practices for writing secure code for mobile apps and discover several methods to improve your own code.
Use HTTPS instead of HTTP
Hypertext Transfer Protocol Secure (HTTPS) is the most traditional and secure way to access the web. It combines two different protocols: Hypertext Transfer Protocol (HTTP) and SSL or TLS protocol. It’s also a secure way of sending requests to a server from a client. The communication is entirely encrypted, which means no one can know what you are looking for or talking about online.
HTTPS Encryption also defeats sniffing attacks by concealing the traffic’s meaning from everyone except those who know the secret of decrypting it. The traffic remains visible to the sniffer, but it appears as streams of random bytes rather than the plain text form of JSON or XML body, HTML, links, cookies, or passwords.
For this reason, developers must restrain from using HTTP URLs in their apps. The server must enforce the use of HTTPS to prevent insecure connections from being established.
Recommended reading: Confidential Computing: Third Pillar of Data Encryption
Consider POST for sending sensitive data over GET
The HTTP POST method does not expose information via the URL. With GET, essential information is passed as part of the URL, thus exposing information in server logs, browser history, or caches.
In addition, sending sensitive information via GET parameters makes it easy to alter the data submitted to the server in sniffing attacks. This is yet another security threat with GET is a situation in which a third party sends a link to the end user.Â
As a rule, you cannot email a link that will force a POST request. Although, you can send a link with a malicious GET request.
Use separate channels of communication for sensitive data
Security should not rely on one channel of communication. The best practice for this situation is to use separate communication channels for sharing sensitive information such as a PIN or password.Â
For example, you can use an HTTPS network connection to share encrypted data between the client and server, and then use APNS, GCM or SMS to share the PIN or token with the client app.
That way, even if one channel of communication is compromised, the security of the overall system remains intact.
Recommended reading: Security Training for the Development Team
Accept only valid SSL certificates
An SSL certificate from a trustworthy provider verifies that you are what you say you are. Otherwise, anyone can make their own certificate for google.com or thebank.com and pretend to be someone else.
For this reason, your HTTPS connection must reject all SSL certificates that are invalid for any reason.
Follow secure coding practices from respective platforms
Every platform publishes and promotes the use of an extensive set of secure coding practices and guidelines. Mobile App developers must be aware of and follow these known secure coding practices. More importantly, they should be part of the code review checklist.
Secure coding practices include performing input validation, being careful with memory management, not using insecure C functions, avoiding the use of immutable containers when storing sensitive data, etc. But remember that this is just a subset of extensive list provided by the respective platforms.
Must have jailbroken or rooted device detection
Jailbroken and rooted devices are prone to a number of security threats, and can compromise a user’s personal or company data in many ways.
Some of these threats are; brute force attacks on passcodes; a malicious app with privileged access may drain battery life or destabilize the operating system; remote attackers can exploit a secure shell server on such a device, get access to your application’s sandbox, and copy sensitive data.
All apps must be able to detect jailbroken or rooted status of the device and must limit its functionality, erase data completely, or silently notify the authorities.
Verify data and files integrity with hash
Examining the integrity and authenticity of the data and files transferred between your app and server can be very important to your app’s security. Simple implementation of hash functions for this can add great value to security.
When using hash functions for integrity, check the files and make sure you use a different communication channel to deliver the hash than that used for data and files.Â
Writing Secure Code
Following best practices for writing secure code is essential for any mobile app development project. By taking the time to design your app with security in mind, you can mitigate potential risks and help ensure that your data is adequately safeguarded.Â
Keep reading our secure code writing best practices guide here in part two.Â
Learn more:
Top Insights
Best practices for selecting a software engineering partner
SecurityDigital TransformationDevOpsCloudMediaMy Intro to the Amazing Partnership Between the...
Experience DesignPerspectiveCommunicationsMediaTechnologyAdaptive and Intuitive Design: Disrupting Sports Broadcasting
Experience DesignSecurityMobilityDigital TransformationCloudBig Data & AnalyticsMediaLet’s Work Together
Related Content
Enterprise GenAI: The Time to Focus on High-ROI Use Cases is Now
In the relentless pursuit of digital transformation, enterprises are constantly seeking innovative avenues to maintain a competitive edge. Generative Artificial Intelligence (GenAI) stands out as one of the most promising frontiers in this quest. Unlike traditional AI, which primarily focuses on data analysis and interpretation, GenAI has the unique ability to generate new, original content, ideas, and solutions, making it an indispensable tool for businesses across various sectors.
Learn More
DevOps for Customer First Strategy
In the healthcare industry where medical insurance providers are competing with each other to acquire more and more customers, evaluating customers' application to assign a risk level is of prime importance. This helps in formulating the policies and the premium that a customer needs to pay. In order to work on this the insurance companies must share their data which is highly susceptible of being stolen and misused against them by their corporate rivals.
Learn More
Master the skills of QAOps
Recently, the IT world has been experiencing an explosion of different terms related to operations. The good old days—when the global order was defined around a rule of thumb and IT as separate from business—are gone, never to return. Dozens of ‘Ops’ crowded the sphere of software testing: starting with trendy DevOps.
Learn More
The rise of digital cognitive behavioral therapy
In today’s world, more and more people are struggling with depression, anxiety, addiction and a whole range of similar mental health problems. In most of the cases, people are not even aware of the fact that they are fighting with some kind of mental illness. Managing these problems is not an easy task and ignoring these problems calls for unwanted actions and severe consequences, but fortunately we have Cognitive behavioral therapy (CBT) to help people manage their problems by making simple changes in the way they think and behave.
Learn More
Virtual Health Assistant – Transforming Value Based Care
Digital virtual health assistant, also known as virtual health care assistants, are digital platforms that use artificial intelligence (AI) technology to assist individuals manage their health and wellness. These virtual assistants use natural language processing, machine learning and other AI powered technologies to provide a wide range of services.
Learn More
ML – federated learning – Application in life insurance industry
In the healthcare industry where medical insurance providers are competing with each other to acquire more and more customers, evaluating customers' application to assign a risk level is of prime importance. This helps in formulating the policies and the premium that a customer needs to pay. In order to work on this the insurance companies must share their data which is highly susceptible of being stolen and misused against them by their corporate rivals.
Learn More
FinGreen 2.0 : Exploring the role of climate fintech in creating a more sustainable future
There are a number of similar sounding terminologies that a user would come across when exploring a data catalog. In this section we look at the important terms and how they are related to each other.
Learn More
The future of frontend development: Emerging trends and technologies
Let’s start with the history of the Web. It was 1991 when the first web page went live and our lives were changed drastically. Today, millions of people spend hours surfing the internet, making money and investing money, gaining university degrees, listening to music, and watching movies, educational theories, videos, and more.
Learn More
Share this page:
-
-
-
-
URL copied!