Over the past decade, we have observed a massive adoption of technology in all sectors of our lives. Mobile technology has greatly influenced our lives, and over the decade significant advances have been made in its development. Mobile applications, popularly known as apps, are applications designed to run on mobile devices.
Apps give mobile users the same services as, or better than, those available on PCs. Apps were first offered to improve productivity and the retrieval of information from online platforms such as email, weather channels, and stock market sites (Dwivedi, Clark, & Thiel, 2015). Their usage has since spread to mobile gaming, GPS, automation, mobile banking, ticketing and social use. Mobile applications have been widely adopted with the emergence of smartphones and are used in sectors such as banking, health, and e-commerce (Basavala, Kumar, & Agarrwal, 2013).
This paper outlines the inherent risks brought about by the usage of mobile applications by organizations and individuals. It then looks at how these risks are mitigated through policy change, the use of security software and technical controls. Together, these mitigation techniques make up best practices, which are applied at the various stages of app development: design, source code development and deployment.
A mobile application typically runs on smartphones, tablets and other mobile devices and is usually distributed through a store operated by the owner of the platform, such as the Google Play Store, Apple App Store, Windows Phone Store and BlackBerry App World.
With the increase in the capabilities of mobile devices and their massive consumer adoption, mobile applications have become integral to people’s lives. With the high usage of such applications in areas such as banking and finance, attackers have found a new platform through which to target a large population. The way such applications are deployed makes it possible for an attacker to use a single vector of attack to affect millions of devices, because mobile applications usually run on a small number of common platforms such as iOS, Android, Windows and BlackBerry (Basavala et al., 2013).
For example, Android has adopted an “open application” model of application development, which has led to many apps with hidden functionality that can be used as attack vectors with devastating results. Many companies have deployed mobile applications for their operations and service intake without any further interaction apart from the app. Companies such as Uber offer their services entirely through an app and have reaped the rewards and benefits of doing so.
Unfortunately, with the benefits and flexibility of mobile applications come insecurities and complexities that bring about fraud and security risks. While most platforms have attempted to build secure environments in which to deploy mobile applications, the apps themselves are often designed and coded using questionable and insecure practices, leading to insecure applications (Basavala et al., 2013). Application security is often an afterthought during application development; the quid pro quo often lies in delivering functional applications within the given timelines at the expense of app security.
Results
Basavala et al. (2013) found risks in every layer of a mobile device: the mobile network, the hardware level, the operating system layer and the application layer. Each layer gives rise to different kinds of vulnerabilities in the applications. At the mobile network level, data sent to and from applications can be intercepted and manipulated by an attacker. In the baseband layer, referred to as the hardware level, an attacker can use a buffer overflow attack to root the device, which gives full control of the mobile device and all of its applications. In the operating system, the kernel code often presents vulnerabilities that can be used to attack applications (Cifuentes, Beltrán, & Ramírez, 2015).
Jailbreaking, which is the removal of manufacturer restraints, usually exploits such kernel code vulnerabilities. The application layer is the most frequently exploited level when attacking mobile applications: malicious code can be injected into various applications and used by an attacker to steal user data and initiate transactions. This paper discusses some of the common vulnerabilities that are present in mobile applications irrespective of the platform on which the application runs.
Insecure client-side storage of data is a security risk concerning personally identifiable information (PII) and other sensitive data stored on the user's mobile device. Developers must ensure that only data that is critical to the application's use is stored on the physical device (Dhillon, 2017). Such data must be protected through encryption and must not lie in plain text. Platforms like iOS already provide encryption of data at rest on the device through file-protection attributes available on APIs such as NSData and NSFileManager, which keep the application's files protected in the file system.
Insufficient protection of data in transit is a risk that arises as data passes through the transport layer. Once stored PII has been secured, the next vulnerability arises when the application transmits data to the app server. Encryption must be used on this communication channel: SSL certificates are used to establish an encrypted link between the app server and the application. Data should be sent in a manner that guarantees that the information is not altered as it travels through the channel.
Data leakage is a common risk in mobile applications that can lead to the loss of user information such as social security numbers, emails, usernames and passwords. Application developers should ensure that user data is protected on their servers. The data protection methods mentioned above, such as encryption, can be used to protect user data. In addition, the mobile application should be designed with data protection in mind and not as an afterthought (Basavala et al., 2013). With the enactment of regulations such as the GDPR, data protection is now an area that developers must take into consideration throughout the app development cycle.
Improper authentication between the client and the application server is a risk that can lead to vulnerable applications. By design, the authentication between a mobile application and the server is usually performed on the server side. Secure authentication is necessary to uniquely identify a mobile application user and prevent session hijacking.
Mobile applications should request permissions only when necessary. There are cases of applications such as a basic calculator requesting access to critical information such as GPS location, contacts, call logs and messaging. Is this an implementation of the least privilege policy? Applications should be practical about the information they request from the client device, to prevent exploitation of common vulnerabilities that can be used against the app. Additionally, the app server should not allow a user with fewer privileges to access other parts of the application, especially in shared applications. Vertical privilege escalation can occur in an application such as Uber, where a user could access the business side of the application and award themselves unlimited trips or clear the charges on their account (Dhillon, 2017). Horizontal escalation allows a user to bypass the authorization checks present in the app; in the case of a mobile banking application, it can allow a user to view the transactions and account details of another user.
Injection vulnerabilities can lead to various risks depending on how they are exploited. SQL injection is used to attack mobile applications that use an SQLite database to store data on the client's device. Cross-site scripting (XSS) is another attack that results from an injection vulnerability. These attacks take advantage of applications that trust user input implicitly. XSS allows for remote code execution with devastating consequences. Applications should be implemented so that they accept only a specific data format and length. User input should be restricted to the expected data types and should not accept special characters such as single and double quotes (', ") and the backslash (\), which are used in SQL injection.
Discussion
Basavala et al. (2013) suggested best practices to counter the vulnerabilities present in mobile applications. For general mobile application security, the paper suggests enforcing ADFS 2.0 authentication, or multi-factor authentication as an alternative, to prevent authentication vulnerabilities. The application server should also use SSL together with a certificate placed on the user's device for authentication. Authentication vulnerabilities are also mitigated by the use of digital certificates, which provide a second authentication factor between the mobile application and the app server.
For vulnerabilities arising from authorization, Basavala et al. (2013) suggest using different domain paths to access static resources in the mobile application, so that cookies are not exchanged unless the mobile application needs them. The access control policy path must not be used in URLs that contain special characters, so as to prevent injection attacks in mobile applications.
For vulnerabilities arising from configuration management, the paper suggests limiting the information in the document model using techniques such as pagination. Similarly, JavaScript should be placed at the bottom of the page. When a mobile application makes multiple requests to the server, such requests should be batched. Finally, third-party code and APIs must never be used by the application when it is sending data over the web.
Sensitive information leakage results from multiple vulnerabilities. Keeping the data on the device encrypted ensures that personal information is not leaked. For an application server that shares data with other devices, for example a gaming server, the shared data must be replicated back to the server to assist in recovery in case of leakage. Lastly, HTML extensions needed for mobile application functionality should be standard ones, and the developer should replace open-sourced ones.
Session management, which when done poorly can result in session hijacking, is integral to vulnerability mitigation. Since many mobile devices disable cookies in their configuration, mobile applications should be developed to function without cookies. For applications that do use cookies, the application server should be configured not to trust information it receives from the app without proper authentication. The application should use a security token stored locally on the mobile device to enable automatic sign-in. For a mobile application, such as a mail application, that connects to an encrypted website containing links that point to an untrusted certificate, the user agent should act and report to the application as it would when the resource is unavailable. This prevents man-in-the-middle attacks that exploit this vulnerability.
Input validation vulnerabilities are mitigated by sanitizing input parameters and maintaining blacklists and whitelists of characters. Data entered into forms in mobile applications and then passed to the backend for processing must be properly validated. Both the client and the application server should validate input data, with JavaScript processed separately to remove whitespace.
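As an added illustration of the SQLite injection point in the Results section and the whitelist validation point above (this code is not from the paper or from the cited authors), the following Python snippet shows a client-side SQLite lookup built by string concatenation beside its parameterized form, plus a whitelist check on the input; the table contents and the owner-name format are assumptions.

```python
import re
import sqlite3

# Constructed sample data standing in for a client-side SQLite table that a
# mobile app might keep locally (names and balances are made up).
ACCOUNTS = [
    ("alice", "acct-001", 120.0),
    ("bob", "acct-002", 55.5),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, number TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # Vulnerable pattern: untrusted text is spliced into the SQL, so a quote
    # character in the input changes the structure of the query.
    sql = "SELECT number FROM accounts WHERE owner = '" + owner + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    # Hardened pattern: the driver binds the value separately from the SQL
    # text, so the input is only ever treated as data, never as SQL.
    sql = "SELECT number FROM accounts WHERE owner = ?"
    return sorted(row[0] for row in conn.execute(sql, (owner,)))


# Assumed whitelist for an owner name: lowercase letters, digits and
# underscore, at most 32 characters. Quotes and backslashes never pass.
OWNER_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_owner(owner: str) -> bool:
    return OWNER_RE.fullmatch(owner) is not None


def safe_lookup(conn: sqlite3.Connection, owner: str):
    # Validate format and length first, then run only the bound query.
    # Rejected input yields None so the caller can report a validation error.
    if not validate_owner(owner):
        return None
    return lookup_parameterized(conn, owner)
```

The whitelist rejects the quote characters the paper singles out, and the bound query stays correct even for input that slips past validation elsewhere.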
For vulnerabilities that exploit weak encryption, organizations that have deployed mobile applications should use cryptography. For example, strong policy restrictions should be put in place to prevent storing the manifest on the organization's internal network. Also, dynamic resources must be cached by identifying them with a resource identifier that includes a hash of the identifier.
Mobile applications must have proper logging and auditing to check for new vulnerabilities that may seek to abuse the application layers. For an application with authentication, invalid access logs should always be monitored to ensure that strong mitigation processes are in place for new vulnerabilities. For such an application, Qian, Luo, Le, & Gu (2015) recommend that the user be identified and the event requested be described and flagged. Additionally, the IP address used to access the mobile application should be logged together with the timestamp.
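To show what monitoring the invalid-access log might look like in practice, here is an added Python example (not from the paper or from Qian et al.) that parses constructed audit lines carrying the recommended fields (timestamp, user, event, IP address, outcome) and flags user/IP pairs with repeated denied events; the line format, the threshold of three denials and the five-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, requested event, client IP
# and outcome on each line. Addresses are documentation ranges, users made up.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z alice login 203.0.113.5 OK
2024-01-15T10:00:09Z bob login 198.51.100.7 DENIED
2024-01-15T10:00:14Z bob login 198.51.100.7 DENIED
2024-01-15T10:00:20Z bob login 198.51.100.7 DENIED
2024-01-15T10:00:25Z bob login 198.51.100.7 DENIED
2024-01-15T10:01:00Z carol view_statement 203.0.113.9 OK
2024-01-15T10:09:00Z alice login 203.0.113.5 DENIED
2024-01-15T10:20:00Z alice login 203.0.113.5 DENIED
"""


def parse_log(text: str) -> list:
    # Each line is split into the five fields; the timestamp is parsed so
    # that time windows can be computed.
    events = []
    for line in text.splitlines():
        ts, user, event, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "ip": ip,
                       "result": result})
    return events


def flag_invalid_access(events: list, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> set:
    # Return the (user, ip) pairs that accumulate at least `threshold`
    # DENIED events inside any sliding window of length `window`.
    # Threshold and window are assumed values, not taken from the paper.
    denied = defaultdict(list)
    for e in events:
        if e["result"] == "DENIED":
            denied[(e["user"], e["ip"])].append(e["ts"])
    flagged = set()
    for key, stamps in denied.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged
```

Two isolated failures spread over eleven minutes (alice) are left alone, while a burst of four within half a minute (bob) is flagged for review.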
From the analysis of the paper, it is possible to detect vulnerabilities that can lead to data threats and other risks and to come up with mitigating procedures. Developers of mobile applications, and organizations that use them, must develop and deploy such apps with security in mind. Vulnerability assessment and penetration testing should be carried out on mobile applications to find and mitigate risks to information security. In addition to such manual and automated tests, emulators should be used to test whether mobile applications are vulnerable. Mobile applications deal with sensitive data, and vulnerabilities should be patched in a timely manner to ensure that information remains secure. For large organizations that use mobile applications as a service, for example banks, outsourcing is an option to ensure the mobile applications are secure.
References
Basavala, S. R., Kumar, N., & Agarrwal, A. (2013). Mobile Applications - Vulnerability Assessment Through the Static and Dynamic Analysis. 2013 (Cac2s).
Cifuentes, Y., Beltrán, L., & Ramírez, L. (2015). Analysis of Security Vulnerabilities for Mobile Health Applications. International Journal of Electrical, Computer, Energetic, Electronic and Communication Engineering, 9(9), 999–1004.
Dhillon, G. S. (2017). Vulnerabilities & Attacks in Mobile Adhoc Networks (MANET). International Journal of Advanced Research in Computer Science, 8(4), 2015–2017.
Dwivedi, H., Clark, C., & Thiel, D. (2015). Mobile Application Security.
Qian, C., Luo, X., Le, Y., & Gu, G. (2015). VulHunter: Toward discovering vulnerabilities in android applications. IEEE Micro, 35(1), 44–53.