Best Practices for Writing Secure Code for Mobile Apps (Part 1)

Security continues to make apps running on mobile devices vulnerable; note especially the increase of mobile web browser-based hacking.

Categories: MobilitySecurity

Writing secure code is essential for any app developer. We’ve all heard horror stories about apps that have been hacked and exposed sensitive user data. So what are the best ways to ensure your mobile app is secure? Are you doing enough to protect your code?

Mobile device security should be a top priority for anyone developing software for mobile platforms. You must be aware of the potential risks and make sure your coding practices are up-to-date with industry best practices. By understanding how attackers target mobile applications, you can take steps to minimize those threats.

In this two-part series, you’ll learn more about the best practices for writing secure code for mobile apps and discover several methods to improve your own code.

Use HTTPS instead of HTTP

Hypertext Transfer Protocol Secure (HTTPS) is the most traditional and secure way to access the web. It combines two different protocols: Hypertext Transfer Protocol (HTTP) and SSL or TLS protocol. It’s also a secure way of sending requests to a server from a client. The communication is entirely encrypted, which means no one can know what you are looking for or talking about online.

HTTPS Encryption also defeats sniffing attacks by concealing the traffic’s meaning from everyone except those who know the secret of decrypting it. The traffic remains visible to the sniffer, but it appears as streams of random bytes rather than the plain text form of JSON or XML body, HTML, links, cookies, or passwords.

For this reason, developers must restrain from using HTTP URLs in their apps. The server must enforce the use of HTTPS to prevent insecure connections from being established.

Recommended reading: Confidential Computing: Third Pillar of Data Encryption

Consider POST for sending sensitive data over GET

The HTTP POST method does not expose information via the URL. With GET, essential information is passed as part of the URL, thus exposing information in server logs, browser history, or caches.

In addition, sending sensitive information via GET parameters makes it easy to alter the data submitted to the server in sniffing attacks. This is yet another security threat with GET is a situation in which a third party sends a link to the end user. 

As a rule, you cannot email a link that will force a POST request. Although, you can send a link with a malicious GET request.

Use separate channels of communication for sensitive data

Security should not rely on one channel of communication. The best practice for this situation is to use separate communication channels for sharing sensitive information such as a PIN or password. 

For example, you can use an HTTPS network connection to share encrypted data between the client and server, and then use APNS, GCM or SMS to share the PIN or token with the client app.

That way, even if one channel of communication is compromised, the security of the overall system remains intact.

Recommended reading: Security Training for the Development Team

Accept only valid SSL certificates

An SSL certificate from a trustworthy provider verifies that you are what you say you are. Otherwise, anyone can make their own certificate for google.com or thebank.com and pretend to be someone else.

For this reason, your HTTPS connection must reject all SSL certificates that are invalid for any reason.

Follow secure coding practices from respective platforms

Every platform publishes and promotes the use of an extensive set of secure coding practices and guidelines. Mobile App developers must be aware of and follow these known secure coding practices. More importantly, they should be part of the code review checklist.

Secure coding practices include performing input validation, being careful with memory management, not using insecure C functions, avoiding the use of immutable containers when storing sensitive data, etc. But remember that this is just a subset of extensive list provided by the respective platforms.

Must have jailbroken or rooted device detection

Jailbroken and rooted devices are prone to a number of security threats, and can compromise a user’s personal or company data in many ways.

Some of these threats are; brute force attacks on passcodes; a malicious app with privileged access may drain battery life or destabilize the operating system; remote attackers can exploit a secure shell server on such a device, get access to your application’s sandbox, and copy sensitive data.

All apps must be able to detect jailbroken or rooted status of the device and must limit its functionality, erase data completely, or silently notify the authorities.

Verify data and files integrity with hash

Examining the integrity and authenticity of the data and files transferred between your app and server can be very important to your app’s security. Simple implementation of hash functions for this can add great value to security.

When using hash functions for integrity, check the files and make sure you use a different communication channel to deliver the hash than that used for data and files. 

Writing Secure Code

Following best practices for writing secure code is essential for any mobile app development project. By taking the time to design your app with security in mind, you can mitigate potential risks and help ensure that your data is adequately safeguarded. 

Keep reading our secure code writing best practices guide here in part two. 

Learn more:

  • URL copied!