App DevelopmentQA and Testing

Three questions to ask when performing security testing on your app

Increased adoption and comfort of mobile lifestyles means more and more day-to-day tasks are being performed on devices that fit in our hands; our phones and tablets allow us to do things such as banking, shopping, and even working remotely, from just about anywhere. This continued shift of our lives onto our phones require robust security measures to be implemented in the apps we make and use, especially considering the variety of wifi and data networks we perform these tasks on as we move throughout the day. You should assume that nefarious players can see the data your app transmits as well as access the data you store. Depending on the nature of your apps, any number of security levels will be necessary to defend against risks.

Security starts in the app

Because there’s a limit to the trust we can put in the networks we use, the burden of security inevitably falls on the apps we build. This is why it’s so vital to employ rigorous security testing in all areas of app development.

Security testing requires some knowledge of the full development process, including client-server communications, software auditing, and system architecture. You’ll need to test for security vulnerabilities throughout the entire architecture of your app before safely shipping code.

Here’s a short list of questions to consider when auditing or testing the quality of security before moving forward with shipping your app to the store or seeking out experts in this field:

1. Is encryption necessary?

Encryption can play an important role in securing user data, so check that a form of it is in place at the database level.

Depending on the amount and nature of user information and data your app will handle, you’ll want to evaluate and analyze what level of encryption you need for applicable threats, and if there are alternatives to store sensitive data.

Sensitive data such as passwords should generally not be saved on devices storage anywhere. Instead, your backend should utilize a token scheme to give the user back an authentication token upon logging in. If for some reason there is no other choice but to save the user’s credentials, then it is important that those credentials are encrypted on disk.

2. How strong are your authorization and authentication measures?

You may want to consider when, how and where in the UX users are being asked to authenticate, as well as if passwords are being tracked or stored in the system anywhere. Additional variables to consider are if validation is being performed and if all the various user-side entry points in the app are being validated as well.

Implementing and enforcing strong password policies with minimum length and complexity requirements plays a critical part in securing users’ sensitive data. It’s also important to implement a strong, secure recovery mechanism for users when they forget their username or password information. Two-factor authentication and security questions can add extra layers of security here should an attacker already have compromised a user’s email address.

Data can leak into files through user interface or app backups—consider things such as passwords, tokens or credit card details stored by accident in other areas of your device. What data is being collected and passively stored by caching? Is it encrypted? Sensitive data such as passwords can sometimes be stored on the device - is there something in place to prevent that?

3. How reliable and consistent is your backend system?

Hackers can gain access to the backend systems and pose a serious threat to users by utilizing a proxy tool. Just like the architecture of your app, the backend should go through rigorous testing as well.

As with all testing, it’s always a good idea to try to break things yourself before someone else does. Deliberately probe your app’s backend for weaknesses and security bugs that could pose a potential risk to your organization and users.

Mobile app developers can protect against man-in-the-middle attacks by implementing certificate pinning, which also ensures that none of your app’s network data is compromised, even if another user has a malicious root certificate installed on their device. By spoofing a man-in-the-middle attack, you’ll be able to intercept and modify the requests and responses exchanged between an app and backend services in order to inspect and analyze the transferred data.

For further reading regarding mobile security, we recommend the OWASP website, a definitive open-source software security community that keeps in stride with current industry standards for mobile app security.

If you’re curious about how WillowTree handles security in the work we produce with clients, read more here.

Moving from Monolith to Microservices Architecture

When a client decides to move from a monolith platform to microservice architecture,...

Read the article