Developers Beware: Poor Coding Practices Results in Poor Mobile App Security
Enterprise organizations interested in developing their own mobile apps would benefit from reading HP Security Research’s new Cyber Risk Report 2015. The report presents an in-depth look at enterprise IT security overall, and like other security reports, it mobile app security and the threat of mobile malware.
But what is particularly chilling is the report’s findings on security vulnerabilities that result from poor coding practices. It’s worth quoting HP’s summary of poor mobile app security in full:
“The primary causes of commonly exploited software vulnerabilities are consistently [sic] defects, bugs, and logic flaws. Security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. Much has been written to guide software developers on how to integrate secure coding best practices into their daily development work. Despite all of this knowledge, we continue to see old and new vulnerabilities in software that attackers swiftly exploit. It may be challenging, but it is long past the time that software development should be synonymous with secure software development. While it may never be possible to eliminate all code defects, a properly implemented secure development process can lessen the impact and frequency of such bugs.”
How do these programming errors play out in the world of mobile app security?
Big Threats From Bad Coding Habits
The report’s ranking of the top five mobile vulnerabilities stemming from poor coding practices are:
- Privacy violation: 74%
- Insecure storage: 71%
- Insecure transport: 66%
- Insecure deployment: 62%
- Poor logging practice: 47%
These results highlight poor mobile app security as well as violate broader corporate security policies and best practices. More specifically – and more troubling – poor mobile app security insufficiently protects enterprise data in storage and in transit. Should enterprise data, which often contains sensitive information like intellectual property, financial information, and personally identifiable information (PII), become compromised and accessed by unauthorized users, it will surely damage the offending company’s brand equity, destroy customer loyalty and draw a compliance violation.
So, what are the implications of poor coding practices and insufficient mobile app security? On closer examination of mobile apps, the following common problems were reported:
- Insecure storage due to insufficient data protection: 54%
- Poor logging practice: 47%
- Weak cryptographic hash: 43%
- Missing jailbreak detection: 37%
- Know mobile attack surface fingerprint: 34%
The report also found that mobile apps often improperly used geolocation, potentially disclosing confidential data about locations, and screen caching.
What Are Secure Coding Standards in Mobile Apps?
Secure coding standards in mobile apps refer to best practices and guidelines for developing mobile applications that are secure and protected against malicious attacks. These standards help ensure that an app is safe to use and prevents hackers from gaining access to the user’s personal data. Examples of secure coding standards include input validation, encryption, authentication and authorization, data storage, and the use of secure communication protocols.
5 Measures to Include in Your Secure Coding Best Practices Checklist
Secure coding is a vital part of achieving good software security. By following secure coding best practices, developers can prevent potential vulnerabilities and cyberattacks on their code. All developers should use a secure coding best practices checklist to ensure their code is as secure as possible. Here are five measures to include in your secure coding best practices checklist:
- Use standard security libraries: Use the most secure versions of standard security libraries available to ensure that the code is secure and meets industry-accepted standards.
- Adopt secure coding practices: Secure coding practices include using modern language features such as type-safe languages, making sure robust error handling and logging is used, and sanitizing input to avoid attacks.
- Use automated source code analysis: Automated source code analysis can help detect errors and security flaws in code.
- Perform vulnerability scans: Periodically perform vulnerability scans on the code to identify potential vulnerabilities.
- Encrypt all sensitive data: All sensitive data should be encrypted and stored securely in order to prevent unauthorized access.
The Importance of Secure Mobile Apps
Mobile computing is going to be increasingly important in the years ahead. It’s already the preferred medium for many employees, and in the next five years, we can expect even more work to involve mobile apps.
To take advantage of this mobile revolution and further increase productivity, many enterprises are now developing their own mobile apps in-house. This is laudable but difficult work. Mobile operating systems like Android are still relatively young. Legacy data systems are old, diverse, and scattered across the enterprise.
Marrying the latest in secure mobile file sharing and simple integration with diverse legacy systems, such as Enterprise Content Management (ECM) systems including Microsoft SharePoint and EMC Documentum, is no easy task. But it’s a task that, if done well, promises to yield tremendous benefits in terms of productivity, efficiency, and operational agility.
As this report indicates, however, these benefits can be quickly undermined by data breaches resulting from poor mobile app security. Enterprise development teams should therefore heed the warnings of this report and strive for mobile app security when developing functional mobile apps. By designing applications that enhance productivity without compromising mobile app security, developers will avoid these common pitfalls.
Frequently Asked Questions
Cybersecurity Risk Management is a strategic approach used by organizations to identify, assess, and prioritize potential threats to their digital assets, such as hardware, systems, customer data, and intellectual property. It involves conducting a risk assessment to identify the most significant threats and creating a plan to address them, which may include preventive measures like firewalls and antivirus software. This process also requires regular monitoring and updating to account for new threats and organizational changes. The ultimate goal of Cybersecurity Risk Management is to safeguard the organization's information assets, reputation, and legal standing, making it a crucial component of any organization's overall risk management strategy.
The key components of a Cybersecurity Risk Management program include risk identification, risk assessment, risk mitigation, and continuous monitoring. It also involves developing a cybersecurity policy, implementing security controls, and conducting regular audits and reviews.
Organizations can mitigate cybersecurity risks through several strategies. These include implementing strong access control measures like robust passwords and multi-factor authentication, regularly updating and patching systems to fix known vulnerabilities, and conducting employee training to recognize potential threats. The use of security software, such as antivirus and anti-malware programs, can help detect and eliminate threats, while regular data backups can mitigate damage from data breaches or ransomware attacks. Having an incident response plan can minimize damage during a cybersecurity incident, and regular risk assessments can identify and address potential vulnerabilities. Lastly, compliance with industry standards and regulations, such as the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) standards, can further help organizations mitigate cybersecurity risks.
A risk assessment is a crucial part of Cybersecurity Risk Management. It involves identifying potential threats and vulnerabilities, assessing the potential impact and likelihood of these risks, and prioritizing them based on their severity. This helps in developing effective strategies to mitigate these risks.
Continuous monitoring is a vital component of Cybersecurity Risk Management, providing real-time observation and analysis of system components to detect security anomalies. This enables immediate threat detection and response, helping to prevent or minimize damage. It also ensures compliance with cybersecurity standards and regulations, allowing organizations to quickly address any areas of non-compliance. By tracking system performance, continuous monitoring aids in identifying potential vulnerabilities, while the data gathered informs decision-making processes about resource allocation, risk management strategies, and security controls.
Additional Resources