The Best Practices to Mitigate Web and Mobile App Security Threats

28 September 2020


Each year, businesses across most industries spend fortunes finding and tackling cybersecurity threats. No wonder: it is nearly impossible to build a web or mobile app without flaws, and on both sides of the fight developers and attackers keep refining the techniques that serve their own goals.


These days, data security is one of the most discussed topics among users, companies, organizations, and legislators.


As the technology matures, one thing is clear: for every common class of flaw there is a well-understood mitigation.


In this article, you will find the most effective countermeasures to the most common security threats to both web and mobile applications.


iOS Apps Security


Tightly controlled by Apple, iOS is widely considered the most secure mobile operating system. Even so, the platform only protects what the app does not give away itself, so certain measures are essential during the mobile app development stage.


Let's see the list of the protection methods we value the most!


#1. HTTPS Protocol


We at Topdevs use HTTPS for every request between the app and the server. Privacy and integrity are provided by Transport Layer Security (TLS): the server presents an X.509 certificate signed by a trusted certificate authority, the client verifies it, the two sides agree on a fresh session key, and everything after that (URL path, query string, headers and body) is encrypted and authenticated with that key. Data in transit therefore appears as unreadable ciphertext to anyone on the network path, and only the two endpoints hold the key that decrypts it.


On the server side this requires a valid certificate for the domain the app connects to. In the application itself, all parameters and data, including those that require protection, are sent in the request body or headers rather than embedded in the URL, since URLs tend to end up in server and proxy logs.


Using HTTPS instead of HTTP is the baseline today: plain HTTP exposes users' credentials, session identifiers and behavior to anyone who can observe the traffic. iOS enforces this by default through App Transport Security (ATS), which blocks cleartext HTTP unless the app explicitly opts out in its Info.plist.


Mitigated Threats


A man-in-the-middle attack (MITM) is when an attacker secretly relays and possibly modifies the communication between the app and the server so that both parties believe they are talking directly to each other. With TLS, the attacker can neither read nor alter the traffic without breaking certificate validation.


Phishing tricks users into handing over personal information, most commonly login credentials, by impersonating a trusted party. HTTPS helps only indirectly here: it prevents a legitimate page or API response from being tampered with in transit, but it does not stop a user from typing credentials into an attacker's own (also HTTPS) site. Real phishing resistance comes from a second authentication factor (see the two-factor section below) and from user education, not from TLS alone.


#2. Access Token


When a mobile app calls the server, each request is authorized with an access token: an opaque, unguessable string (at least 128 bits from a cryptographically secure random generator, or a server-signed value) that the server issues after the user authenticates and the app then sends with every request, typically in an Authorization: Bearer header. A token is a credential, not a user identifier: it must never be derived from the user ID or email, and it must only ever travel over HTTPS. For greater safety it has a finite lifetime, after which the app has to re-authenticate or exchange a longer-lived refresh token for a new access token.


Mitigated Threats


A short-lived token limits the damage if it leaks: an attacker who captures one from a log or a compromised device can replay it only until it expires, and the server can revoke it without forcing a password change. This is why mobile banking apps rely on tokens when talking to their own back ends and to third-party APIs: the user's password is never sent with each request, which protects users from fraudulent financial operations.


#3. KeyChain Storage


For secure storage of authorization data (login, password, token), Apple provides the Keychain, a system-managed encrypted store available on macOS and iOS. Items are encrypted with hardware-protected keys, and the app chooses an accessibility class (for example kSecAttrAccessibleWhenUnlockedThisDeviceOnly) that controls when the item can be read and whether it may be restored to another device from a backup.


One caveat: Keychain items survive the removal of the app from the device. When the app is reinstalled and launched again, the old authorization data is still there and could let the new installer, not necessarily the same person, into the account. Only a full device reset clears it. The usual workaround is to detect the first launch after installation, for instance by checking a flag in UserDefaults (which is wiped together with the app), and delete the app's Keychain items at that point.




Mitigated Threats


Using the Keychain removes the most common source of credential leakage on the device: tokens and passwords written to UserDefaults, plist files or log output, where they are readable from an unencrypted backup or a jailbroken device. Protecting the credentials in turn protects everything they unlock, that is, the rest of the user's personal information.


#4. Application-Layer Encryption


In certain cases, it is worth encrypting sensitive fields or messages at the application layer on top of TLS: for example, so the payload stays encrypted in the server's logs and databases, or when the data passes through intermediaries you do not control. This should be done with standard, vetted algorithms from the platform's libraries (on iOS, CryptoKit's AES-GCM or ChaChaPoly for symmetric encryption and Curve25519 key agreement; RSA, if required, only with OAEP padding via the Security framework), never with home-made schemes. Note that MD5 is a hash function, not a cipher, and a broken one: it must not be used for anything security-relevant.


Mitigated Threats


Encrypting the message body end to end protects data even if TLS is terminated at a compromised load balancer or the server's storage leaks. Inventing a "one-of-a-kind" scheme, on the other hand, provides no extra security: the secrecy must rest in the key, not in the algorithm, and custom constructions by non-cryptographers are routinely broken once the app is decompiled.


#5. Access Before Use


Apple's policy requires protecting user data as well as possible, so all applications are checked for compliance with these fundamentals during App Store review before publication.


One of the principles is to request permission to access data immediately before it is used: for example, ask for the camera only when the user taps to take a photo, not when the app launches. Each protected resource needs its own permission: the contact list, calendar events, photos and videos, the music library, camera and microphone, geolocation, etc. Since iOS 10, each one also needs a usage-description string in Info.plist (for example NSCameraUsageDescription) explaining why the app needs it; without it the system terminates the app when the resource is accessed. Location can additionally be granted only while the app is in use, or always.

We took this approach in the Solocator app, which works with large numbers of photos: the request for camera and photo-library access is made at the point of use, and users decide whether to grant it.


Mitigated Threats


These measures let users protect all or any specific category of personal data at any moment by granting or revoking each app's permission in Settings, and asking at the point of use makes clear to the user why a permission is being requested.


#6. Files Protection


The app's files live in its own sandbox, which is closed to other apps and to outside access by default. If necessary, you can expose only one folder, Documents, by setting UIFileSharingEnabled in Info.plist; it can then be reached through iTunes on Windows and Finder on macOS, and with LSSupportsOpeningDocumentsInPlace through the system Files app. Files the app writes should additionally carry a Data Protection class (NSFileProtectionComplete where possible) so they are encrypted with a key that is only available while the device is unlocked.


Mitigated Threats


This adds another layer of protection to files stored on the device: nothing outside the sandbox reaches them unless the app deliberately exposes the Documents folder, and protected files remain encrypted if the device is lost while locked.


#7. SSL Pinning


Users routinely connect through untrusted wireless networks, so mobile apps must assume that someone may be trying to interpose themselves on the connection. Another method serving this purpose is SSL (TLS) pinning, which refuses to talk to any server that does not present the expected certificate or public key, even if that certificate is otherwise valid.

Its essence boils down to this: during the TLS handshake the client compares the certificate received from the server (or, better, the SHA-256 hash of its public key) against a value embedded in the app, and aborts the connection if they do not match. Pinning the public key rather than the whole certificate lets the server renew its certificate without an app update, and shipping a backup pin for a second key you control makes key rotation possible without locking users out.


Mitigated Threats


This approach thwarts man-in-the-middle attempts to intrude into the communication between the mobile application and the server, including those that use a certificate from a rogue or user-installed certificate authority, which ordinary certificate validation would accept. In other words, SSL pinning makes sure the app communicates with your server and no one else.


Our Example of iOS App Security


Mobile app developers can combine several security measures in one app to provide extra layers of protection. That is exactly what our team did while developing an iOS wellness app; check out the Gerasyanov app case study.


It was crucial to provide a secure connection with the server, so HTTPS was among the first priorities. As the app integrated third-party payment processors, we used short-lived access tokens to reduce the risk of fraudulent operations with user funds.


Users' login credentials are stored in the Keychain, and permissions for specific data are requested immediately before use, so users decide at that moment whether to grant them.


Android Apps Security


With its huge user base and many device manufacturers, Android-based apps are the most frequent target of attacks. Therefore, it is vital to apply up-to-date approaches to protecting mobile apps. Check out the most useful methods below!


#1. Source Code Obfuscation


Obfuscation aims to make it difficult to decompile, debug and read the app's code so that its functionality is much harder to understand.

Android's build tools do this with R8 (formerly ProGuard): classes, methods and fields are renamed to meaningless labels and unused code is stripped; commercial tools additionally encrypt strings and scramble control flow.


Mitigated Threats


This approach mainly protects intellectual property. It also raises the cost of bypassing licensing checks and slows down the discovery of vulnerabilities by someone reading the decompiled code. It is not a security boundary, though: secrets such as API keys or encryption keys embedded in an obfuscated app are still extractable, so obfuscation complements the measures below rather than replacing them.


#2. Network Security Configuration


The Network Security Configuration is an XML file (res/xml/network_security_config.xml, referenced from the manifest's android:networkSecurityConfig attribute) in which the app declares its TLS policy per domain without touching code: whether cleartext HTTP traffic is permitted at all (it is blocked by default since Android 9), which certificate authorities are trusted for a given domain, whether user-installed CAs are trusted (they are not, by default, since Android 7), and an optional pin set of public-key hashes for the domain with an expiration date, so that a forgotten pin set does not break the app forever.


Mitigated Threats


Declaring cleartextTrafficPermitted="false" and a pin set for the API domains means an attacker who intercepts the connection with a forged or user-installed CA certificate cannot impersonate the API server: the app refuses the connection instead of sending credentials to the wrong endpoint.


#3. Data Encryption


Another way to protect data at rest is to use a database with encryption built in. For SQLite on Android, SQLCipher (which can be plugged into Room) encrypts the whole database file with a key that should be kept in the Android Keystore rather than in code, and columns holding the most sensitive values can be encrypted at the application level as well.


Mitigated Threats


Prevents data leaks from a database file copied off a backup, a rooted device or a debug build, and keeps critically important data stored securely.


#4. Encrypted File


It is very useful to store confidential information in encrypted files, especially when the files are located in the device's internal storage. The Jetpack Security library's EncryptedFile class encrypts file contents with a key kept in the hardware-backed Android Keystore, and EncryptedSharedPreferences does the same for key-value settings.


Mitigated Threats


Encrypted files cannot be read by someone who copies them off the device or out of a backup, and they are far less likely to be exposed by an accidental leak such as an over-permissive backup rule or a world-readable file mode.


Web Apps Security


Business owners should acknowledge that software vulnerabilities and threats in web applications will always be present. The most effective way to mitigate them is to act proactively and defensively.




Let's take a look at the most common actions every company should take during web development to mitigate the likely pitfalls.


#1. Custom Files Location


We use non-default URLs for service files and directories. For example, the entry points of the administration panel have non-standard paths rather than /admin, and database tables carry a custom prefix instead of the framework default.


Mitigated Threats


This reduces the noise from automated scanners and mass-exploitation tools, which probe predictable locations such as /admin, /wp-admin or /phpmyadmin. It is obscurity, not protection: the admin panel still needs strong authentication and access control, because a determined attacker will find the path through links, JavaScript bundles or error messages.


#2. OS Commands Avoidance


The best way to prevent OS command injection is to never build a shell command from user-controlled data. Wherever possible, implement the functionality through a library API (file system, DNS, image processing calls) instead of shelling out. If an external program really has to be run, pass its arguments as an array to an API that does not involve a shell, validate each argument against a strict allow-list, and run the process with the least privilege it needs.


Mitigated Threats


OS command injection allows an attacker to execute arbitrary operating system commands with the privileges of the web application, which typically leads to the compromise of the app, its hosting infrastructure and all of its data. For example, an attacker can download and launch a remote-access Trojan on the server.


#3. Custom Account Name


Our company uses non-generic administrative account names (generic names are acceptable only in local development). Special attention is paid to passwords: long, randomly generated ones kept in a password manager, preferably at least 32 characters including special characters, rather than memorable phrases.


Mitigated Threats


Brute-force attacks involve guessing passwords or other account credentials until one works. Default account names (admin, root) remove half of the guesswork, and weak passwords let attackers quickly reach the administration panel and the account owner's personal information. Credential stuffing, replaying passwords leaked from other sites, works the same way, which is another reason never to reuse passwords.


#4. Optimal Session Time


We believe it is important to set an appropriate session lifetime for each project individually, based on how its users actually work with it: an idle timeout after which an inactive session is dropped, plus an absolute maximum lifetime after which the user must log in again regardless of activity. Session identifiers themselves must be long random values, sent only in cookies marked HttpOnly and Secure, and replaced with a fresh value after login.


Mitigated Threats


Insufficient session expiration is a common vulnerability: the period after which an inactive user is considered logged out is so long that a session ID captured earlier (from a shared computer, a log file or network traffic) still works hours or days later, letting an attacker act as that user and compromise their data.


#5. Secured Directory Structure 


In any project, the entry points to the server are declared explicitly. This is usually handled by the framework's router (Laravel, Express): a list of valid URLs is defined, and every other request gets a 404 response. The real directory structure on the server has nothing to do with the URL space, so a URL can never be used to walk the file system. Where static files are served directly by the web server, directory listings are switched off (Options -Indexes in Apache, autoindex off in nginx).


Mitigated Threats


Directory indexing is another web vulnerability. If a directory on the server has no default page (index.html, home.html, default.htm, etc.) and listings are enabled, a request for that directory returns a list of its files and subdirectories that anyone can browse with an ordinary browser, exposing backups, configuration files and source code.


#6. Password Recovery Validation 


To prevent password theft and any possibility of third parties resetting someone else's password, the recovery flow should only let the account owner prove control of a channel that belongs to them, typically the registered email address or phone number: a random, single-use, short-lived token is sent there, and the new password can be set only by presenting that token. The account being reset is determined by the token, never by a user ID or email supplied in the reset form, and the response to a recovery request looks the same whether or not the address exists, so the feature cannot be used to enumerate accounts.


Mitigated Threats


Weak password recovery validation (predictable reset tokens, tokens that never expire, security questions, or a reset form that trusts a user-supplied account identifier) lets an attacker change other users' passwords, leading to account takeover and personal data breaches. The described method closes those gaps.


#7. Preventing Buffer Overflow


To mitigate the risk of a crash or a memory-corruption exploit in native code, do not use standard library functions that are not bounds-checked (strcpy, strcat, sprintf, gets); prefer their length-limited equivalents (strncpy, snprintf, fgets) or a memory-safe language for new components. Compile with the platform's mitigations enabled (stack canaries, non-executable stacks, ASLR with position-independent executables), and fuzz and test regularly to detect and fix possible overflows before attackers find them.


Mitigated Threats


A buffer overflow lets an attacker overwrite adjacent memory and thereby change the path of program execution, typically to run code of their own. It is one of the oldest and most common vulnerability classes in native code; the measures above greatly reduce the risk but do not replace careful code review.


#8. Two-Factor Authentication


To limit the damage from a leaked password we usually implement two-factor authentication (2FA). Users confirm a login or a sensitive action with a second factor: a one-time code delivered to the user's email address or phone or, better, generated by an authenticator app (TOTP) or a hardware key, since SMS and email can themselves be intercepted or hijacked.


Mitigated Threats


Insufficient authentication is a widespread weakness that lets an attacker who has obtained a password (through phishing, a data breach or guessing) gain access to server functions and sensitive information without having the corresponding rights. With a second factor, the stolen password alone is not enough.


#9. Login Attempts Limitation


By default, we limit the number of login requests per minute from one IP address and per account, so an attacker cannot run through candidate passwords until one matches. Lockouts are temporary and apply per account and per source, so a single attacker cannot permanently lock legitimate users out by hammering their account, and a distributed attack cannot evade the per-IP limit by targeting one account from many hosts.
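An added example (not from the original article or Topdevs) of such throttling: failures are counted both per source IP and per account, with a short automatic lockout. The Map is a stand-in for a shared store such as Redis, and the limits are assumed values.

```javascript
// Added example, not from the original article: login throttling that counts
// failed attempts per source IP and per account, with a temporary lockout, so
// both a single host spraying many accounts and a botnet focused on one account
// are slowed down. The Maps stand in for Redis; the limits are assumed values.
class LoginThrottle {
  constructor({ maxPerIp = 20, maxPerAccount = 5, windowSeconds = 60,
                lockoutSeconds = 15 * 60, now = () => Math.floor(Date.now() / 1000) } = {}) {
    Object.assign(this, { maxPerIp, maxPerAccount, windowSeconds, lockoutSeconds, now });
    this.failuresByIp = new Map();      // ip -> [timestamps]
    this.failuresByAccount = new Map(); // account -> [timestamps]
    this.lockedUntil = new Map();       // account -> unix time
  }

  // Sliding window: only failures inside the last `windowSeconds` count.
  _recent(map, key, t) {
    const kept = (map.get(key) || []).filter((ts) => t - ts < this.windowSeconds);
    map.set(key, kept);
    return kept;
  }

  // Call before checking the password. Denied requests should get 429 with a
  // Retry-After header and must not reveal whether the account exists.
  check(ip, account) {
    const t = this.now();
    const lock = this.lockedUntil.get(account);
    if (lock !== undefined && lock > t) {
      return { allowed: false, reason: 'account locked', retryAfter: lock - t };
    }
    const ipHits = this._recent(this.failuresByIp, ip, t);
    if (ipHits.length >= this.maxPerIp) {
      return { allowed: false, reason: 'ip rate limit', retryAfter: this.windowSeconds - (t - ipHits[0]) };
    }
    return { allowed: true };
  }

  // Call after the password check. A failure counts against both keys; reaching
  // the per-account limit locks that account for `lockoutSeconds`. The lockout
  // is short and automatic, so it is a speed bump for attackers rather than a
  // denial-of-service tool against legitimate users.
  record(ip, account, success) {
    const t = this.now();
    if (success) {
      this.failuresByAccount.delete(account);
      return;
    }
    this._recent(this.failuresByIp, ip, t).push(t);
    const acct = this._recent(this.failuresByAccount, account, t);
    acct.push(t);
    if (acct.length >= this.maxPerAccount) {
      this.lockedUntil.set(account, t + this.lockoutSeconds);
      this.failuresByAccount.delete(account);
    }
  }
}

module.exports = { LoginThrottle };
```

Behind a reverse proxy, take the client address from the proxy's forwarded header only if the proxy is trusted to set it; otherwise the per-IP key is attacker-controlled and the limit is trivially bypassed.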


Mitigated Threats


Without a limit on login attempts, an attacker's bot can quickly and efficiently test passwords against accounts. Again, the result is compromised accounts and data leaks.


Other Security Measures During Web Development


Our company pays close attention to the security of the projects it delivers and keeps refining the measures for each specific case. There is a range of additional approaches to mitigating cyber threats.


Let's check the most significant ones:


  • We enable protection against cross-site request forgery (CSRF) by default: every state-changing form and API request carries a per-session token that the server verifies, and session cookies use the SameSite attribute.
  • Protection against cross-site scripting (XSS) relies on the framework's and templating library's context-aware output escaping, supplemented by a Content-Security-Policy header.
  • It is usual practice in our company to write tests that feed invalid and malicious input to the application and check that it is rejected.
  • Code review includes security as an explicit goal.
  • User input is validated on both the frontend and the backend; only the backend check is a security control, the frontend one is for usability.
  • Most of our servers use HTTPS by default.
  • In certain cases, we develop Telegram bots to notify the administrator about emergencies on the server or website.


And the list could be continued.


Conclusions


The security of every project, whether a mobile app or a web application, is our top priority. What we strive for is protecting users' data privacy while pursuing the objectives of each business in its industry.

Remember that preventive measures cost far less than the harm a data leak can do. So use these approaches wisely!


And if you need our tech support, don't hesitate to book a call with our security experts!


