
Building a Secure Mobile App in the Cloud


This guide on secure mobile applications shows top security vulnerabilities, OWASP’s best practices for building/testing iOS and Android applications, and more.
This is an article from DZone’s 2022 Enterprise Application Security Trend Report.
Building secure mobile applications is a difficult process, especially in the cloud. We must consider that mobile platforms, like iOS and Android, have completely different architectures and quality guidelines. Also, we need to take care of our cloud architecture on the back end. In this article, we will have a look at the top six security vulnerabilities, OWASP’s best practices for building/testing iOS and Android applications, and guidelines for iOS and Android. Last but not least, we will explore an example of DevSecOps for mobile applications. 
To understand the importance of security for mobile apps, let’s first look at three of the most prominent hacks of mobile apps that led to huge financial and marketing issues for the affected companies. 
In the cyber attack on the ParkMobile app in 2021, hackers managed to steal 21 million user accounts. According to Security7, hackers managed to steal telephone numbers, license plate numbers, and email addresses. It seems that all of the unencrypted data, including passwords, was stolen. However, credit card data was encrypted, and because the keys were not stolen, the hackers were unable to decrypt it.
Juspay, a payment operator that provides services for Uber, Amazon, Swiggy, and Flipkart, was hacked through their mobile app in August 2020. The hacker stole 35 million records, including credit card data, fingerprints, and masked card data. 
In 2020, Walgreens' mobile app had integrated malware that watched personal messages and info. It resulted in a lot of user data being compromised, including names, prescription numbers, and addresses.
Before we jump into iOS and Android guidelines and OWASP Testing Guides, let’s look at the top six OWASP vulnerability types: 
In my opinion, this is a list of the most important vulnerability types. However, OWASP provides a list of 10, and it also provides standards and testing guides. We will cover these in the next section. 
OWASP mobile application security fundamentals consist of several sources: the OWASP Mobile Application Security Verification Standard (MASVS), the OWASP Mobile Application Security Testing Guide (MASTG), and the Mobile Security Checklist. Below in Figure 1, you will see the fundamentals of mobile application security in detail:
Figure 1: OWASP mobile app security fundamentals
Let’s have a more detailed look at the mobile app checklist. 
The Mobile Application Security Checklist is a part of the MASTG. It is a set of rules/checks that a dev team should include when securing a mobile app.