Mobile app security: A checklist for app developers
With global app spending reaching $65 billion in the first half of 2022, and the total revenue of the app market enjoying an annual growth rate of 6.58%, the future looks bright for mobile app developers. However, as the global app market has expanded, so too have risks to its security. Therefore, app developers must understand and prepare for security threats to their mobile apps. Read on for a handy checklist on securing your app from early development stages to well after launching.
What is app security?
Mobile app security is the process of protecting mobile applications and digital identities from vulnerabilities that lead to data loss and identity and intellectual property theft, by compromising the intended behavior of the app. Security in mobile applications involves implementing technological means, company best practices, and keeping abreast of the latest threats. In short, app security is how an app is safeguarded from external threats.
These threats can be classified into one of the following groups:
- Platforms: Malware installation, app architecture, and function hooking (intercepting function calls or messages)
- Data storage: App database or file system, cache, Keystore, and configuration files
- Binary: Reverse engineering, key generation algorithms, embedded credentials, and code vulnerabilities
Later on, we’ll review methods for securing an app against many of the threats above.
Why mobile app security is important
If your app is targeted and there is a customer data breach, a compromise to customer accounts, or your app is rendered non-functional, your company’s reputation is at risk. Customers may view your app as unreliable and leave for a competitor who promises more robust app security, causing substantial revenue loss.
According to a report from Osterman Research, two out of five organizations have weak mobile app and API security processes for both third-party and in-house development approaches. This alarming statistic reveals that many apps are unprepared for external security threats.
In fact, a recent analysis of the top 400 mobile finance-related apps showed that 70% failed basic privacy and security standards. In the table below, you can see the percentage of fintech, healthcare, retail, and lifestyle apps by platform, the percentage of each that lacks data and code protection, and how many use vulnerable encryption algorithms.
Security is more important than ever in mobile app marketing, and it is essential to protect your app from external threats.
How can I make my app more secure?
Did you know that 43% of companies overlook app security in a rush to launch their apps?
If you’re in the beginning stages of developing your app, take into consideration the following tips to ensure your app is safeguarded from the beginning.
Protect your source code
Above all else, encrypt your app’s source code end-to-end. Many developers today use open source code because of its cost-effectiveness. However, open source code can prove dangerous if not properly protected, as hackers can spot and exploit errors, for example by building clone apps through reverse engineering.
If your app does utilize open source code, make sure that it doesn't rely on keys, secret algorithms, or any other sensitive information that can be easily compromised once the code is public.
If your app is closed source, take steps to further protect your code. If you have the resources when initially creating your app, you can hire app developers to write proprietary, copyrighted source code for your app. Additionally, consider implementing a solid layer of obfuscation, which will conceal your app’s code from hackers.
Utilize high-level authentication
Reduce the risk of unauthorized access and password hacks with strong authentication. Design your app so that it only accepts strong passwords for user accounts. Additionally, implement multi-factor authentication that doesn’t drastically interfere with the user experience. Consider using a combination of codes via SMS, biometric verification, PINs, and security questions when necessary. At Adjust, we help clients fight in-app fraud with our SDK Signature, which is part of our Fraud Prevention Suite.
Don’t expose APIs
Today, most apps rely on APIs to integrate third-party services and enhance app functionality. However, API keys can often be vulnerable gateways into your security systems if hackers have access to your code. Sensitive API keys should never be hardcoded in the app.
When thinking about the data exchange that occurs between your app and APIs, it’s critical to ensure that data is encrypted in transit. This can be done via symmetric encryption with a certificate or a set session key, or via asymmetric encryption to safeguard the exchange of session keys. Additionally, consider implementing Transport Layer Security (TLS) or Secure Sockets Layer (SSL). These cryptographic protocols authenticate the data transfer between systems, preventing unauthorized access.
Watch out for cached data
To boost an app’s performance, mobile devices usually cache data. However, mobile devices and other apps can be easy for attackers to breach. The hackers can then decrypt the cached data from your app to steal user data. In addition to requiring a password to log into the app, set up an automated process that will wipe the cached data from the app.
Ensure data storage is secure
Where your app’s data is stored and processed will factor into your app’s ability to comply with user data regulations and overall security. When possible, best practice dictates that confidential user data should never be stored on the user’s mobile device or your servers.
For example, if you have an e-commerce app, your app is likely storing user data like shopping preferences, credentials, and payment information (i.e., sensitive data). The latter two data types must be protected, and this can be done if you encrypt the data.
If you’re storing data on a database, make sure to back the database up, encrypted, on a regular basis. Doing so will be a safeguard in the event a hacker does breach your database and wipes it out.
Routine app security checks
As external threats constantly evolve, ensuring your app’s security involves frequent mobile application security testing. Keep in mind the points below as you set up a plan for your app security testing.
Review the security of your code
You can check your code for threats using automated software or manually testing it. While automated software is faster, it can still miss some irregularities. We recommend a combination of automated and manual code checking.
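As an added example of the automated half of that check (not Adjust's code, and not a substitute for manual review), the script below scans a source tree for the hardcoded API keys and embedded credentials the checklist warns about, skipping documentation placeholders. The secret patterns and the sample Kotlin, XML, PEM and README files are constructed for illustration; real projects should extend the pattern set with the key formats their own backend issues.

```python
import re
from typing import Dict, List, NamedTuple

class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    value: str

# Secret shapes that should never ship inside an app binary (illustrative set; extend with your own key formats).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*[\"'](?P<value>[^\"']{8,})[\"']"),
    "private_key_block": re.compile(r"(?P<value>-----BEGIN (?:RSA |EC )?PRIVATE KEY-----)"),
}
PLACEHOLDER_MARKERS = ("<", "${", "your", "changeme", "xxxx")  # documentation placeholders, not real keys

def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line holding a secret-shaped literal (placeholders skipped)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match and not any(m in match.group("value").lower() for m in PLACEHOLDER_MARKERS):
                findings.append(Finding(path, lineno, kind, match.group("value")))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} tree; swap in os.walk to scan a real checkout."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample sources (not from any real app) covering the cases the checklist names.
SAMPLE_FILES = {
    "app/src/main/java/com/example/Config.kt":
        'object Config {\n'
        '    const val API_KEY = "sk_live_0123456789abcdef0123"\n'  # hardcoded: flagged
        '    val runtimeKey: String = BuildConfig.API_KEY\n'        # injected at build: clean
        '}\n',
    "app/src/main/res/values/strings.xml":
        '<resources>\n'
        '    <string name="aws_key">AKIAABCDEFGHIJKLMNOP</string>\n'  # flagged
        '</resources>\n',
    "app/src/main/assets/client.pem":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n",  # flagged
    "README.md": 'Set API_KEY = "<your-key-here>" in local.properties.\n',  # placeholder: clean
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} -> {f.value}")
```

Run it in CI against the checkout so a flagged literal fails the build before the app ships; a clean run still says nothing about secrets injected at build time, which belong in a secure build variable or a server-side exchange, not in the package.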
Invest in Runtime Application Self-Protection (RASP)
Once your app is deployed and running, consider utilizing Runtime Application Self-Protection technology. RASP tools are installed in or linked to apps and act in the background during runtime to uncover and stop malicious code as soon as possible. As RASP tools run in the background, the app’s design isn’t disturbed.
Audit your app’s architecture
Analyze your app for weaknesses that could invite exploits, and review user authorization and security settings to see if anything should be updated.
Model a threat
According to the mobile app protection company Approov, there are five attack surfaces that have the potential to be tampered with:
- User credentials
- App Integrity
- Device integrity
- API Channel Integrity
- API and Service Vulnerabilities
After inspecting the integrity of your app, you know its flaws and can identify to which of the above five attack surfaces they belong. Then, you can simulate all possible threats uncovered to develop a strategy that takes care of these flaws and removes or lessens the opportunity for these threats to occur.
Adjust and app security
Adjust is the only mobile measurement partner that lets clients define the location of where their data is stored and processed. We own our own servers, so we can guarantee that data always goes directly to our data residency server. This enables you to provide transparency to your users and gain flexibility for your app business over things like tax options and processing speed. To learn more, check out the Adjust Data Protection Solutions.