As mobile apps move from casual gaming apps to financial management and enterprise, security is becoming increasingly important. Thinking about mobile apps from perspective of security can bring many challenges, and security is often ignored in the development process, which results in apps that are easily hacked and can expose private data if exploited.
Following infographic by Kaspersky Lab shows the growing threat of Malware on Android:
Developers should keep in mind certain ways of securing the data in mobile apps. More often than not, mobile apps are not a standalone system; they interact and exchange data between different systems, which can potentially expose the data when it is being exchanged, or can easily expose the source of the data for example a private API. Hence, it is important for developers to follow the best practices in developing mobile apps with enhanced security.
Planning the application with security in mind
Identify the level of security that will be required for the type of app you are developing, for example a financial app that manages a users credit card information will require a robust level of security as compared to a gaming app. Brainstorm the security threats that may arise: platform vulnerabilities, in case the device is stolen, code reviews and so on.
Retrieving encrypted information from a mobile phone storage can be a lot easier than hacking a secure server. Thus, you should consider storing user information such as credit cards or other sensitive data on a web server (Using a secure mechanism for data transfer of course).
Securing the APIs
If the mobile app is relying on an API, for example an enterprise web service, make sure that the API is secured. In Android apps hackers can reverse engineer an app to see what APIs it is using. Various authentication mechanisms can be used to secure an API such as OAuth, two way SSL, WS-security and so on. Sometimes you may find that you are not in charge of the API. Well in that case you can at least tell the company about possible pitfalls of not securing the API.
Testing and Tweaking
There are many types of tests that can be performed to check for security for example Static testing to check for source code vulnerabilities and Dynamic testing to check vulnerabilities once the app has been deployed to a live server to installed on the device.
Employing Experts to do the Job
If you feel that the mobile app security is really important and want to exhaustively test your app, you can always hire experts to do it.