Mobile Application Security - Why You Should Focus On It

By Divyansh Arora, ERMProtect IT Security Consultant

In today’s world of ever-growing numbers of mobile devices and mobile users, mobile application security has become an absolute necessity. Roughly three in four Americans (76%) used their primary bank’s mobile app within the past year (2020) for everyday banking tasks such as viewing statements and account balances, according to the Ipsos-Forbes Advisor U.S. Weekly Consumer Confidence Survey. With this rapid growth of mobile applications on both Android and iOS comes a growing set of vulnerabilities and threats that must be addressed.

Roles in this huge mobile ecosystem vary widely: from a casual user who accesses social media apps and games, to a developer who publishes multiple applications on the app stores, to the product manager responsible for a particular application within an organization. Best practices for these various stakeholders include the following:

Best Practices for All Users

  • Never download applications from a third-party app store. Apple users should install only from the App Store, and Android users only from Google Play.
  • Android users should also keep the “Verify Apps” feature (now part of Google Play Protect) enabled and keep installation from “unknown sources” disabled.
  • Do not visit, or enter your details on, a website you don’t trust; a single click can lead to the installation of malware or to spam events being added to your calendar.
  • Update your apps and the phone’s OS as soon as updates are released, since they often contain patches for security vulnerabilities.
  • Do not use unknown public networks (such as coffee-shop Wi-Fi) for sensitive activities such as online banking.
  • Lock your phone with a passcode, fingerprint or face ID, depending on the phone’s capabilities.
  • Know how to remotely wipe your phone in case it is ever lost or stolen, and take regular backups.
  • Set up emergency contacts on your phone; they can be reached even while the phone is locked.
  • Do not grant permissions that an application does not need in order to operate. For example, a calculator app works fine without access to your photo gallery. If you observe suspicious behavior, uninstall the application immediately.

Best Practices for Organizational Users

As a developer, you must have your application tested for security vulnerabilities. Penetration testing is one of the best ways to thoroughly check the defenses of a mobile application. If you are new to the subject and want to learn about mobile security testing, the OWASP Mobile Security Testing Guide is the best place to start.

Penetration testing should be performed by an internal security team or by an outside third party; the latter ensures an independent, impartial review. Penetration testing reports should include an executive summary that gives an overview of the number and severity of the vulnerabilities found, and a technical report that helps developers understand the security gaps in their applications and how to fix them.

Penetration testing should be performed before the launch of the application and again after any new feature is introduced. A bug bounty program can also help you discover vulnerabilities that testing may have missed.

How ERMProtect Can Help

As an Information Security firm in business since 1998, we are experts at all types of penetration testing, payment card compliance, IT security, data protection, and digital forensics. We leverage almost 30 years of experience to secure your data, protect your business and manage costs and risk. For a free consultation, email Silka Gonzalez at sgonzalez@ermrprotect.com or call us at 1-800-259-9660 or 305-447-6750.
