The state of mobile app security

Santhosh Adiga U
3 min read · Oct 16, 2021


Mobile app security tip #1: build a secure API:

It’s the lifeblood that underpins the core functions of your app and how data is stored. APIs are also the framework used for accessing backend services and various other applications for users, all of which entail authentication and authorization. If you do most of the integration on the backend, you’re better off: you can control what gets sent to the phone, and it also helps with cross-platform development and application performance.
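As an added illustration (not code from the article), here is a minimal Go backend that does the authentication and authorization the tip describes and controls what gets sent to the phone by returning a narrow response type instead of the stored record. The bearer tokens, user records and the `/profile/` route are constructed for the demo.

```go
package main

// Added example, not from the article: a backend API that authenticates and
// authorizes on the server and sends the phone only the fields it needs.
// Tokens, users and the route are constructed for this demo.

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// userRecord is what the backend stores. Some fields must never reach the client.
type userRecord struct {
	ID           string
	Email        string
	DisplayName  string
	PasswordHash string // sensitive: stays on the server
	InternalNote string // sensitive: stays on the server
}

// profileDTO is the deliberately narrow shape sent to the mobile app.
type profileDTO struct {
	ID          string `json:"id"`
	Email       string `json:"email"`
	DisplayName string `json:"display_name"`
}

// Constructed sample data: bearer token -> user ID, and the user store.
var sessions = map[string]string{
	"tok-alice": "u1",
	"tok-bob":   "u2",
}

var users = map[string]userRecord{
	"u1": {ID: "u1", Email: "alice@example.com", DisplayName: "Alice", PasswordHash: "$argon2id$demo", InternalNote: "VIP"},
	"u2": {ID: "u2", Email: "bob@example.com", DisplayName: "Bob", PasswordHash: "$argon2id$demo", InternalNote: ""},
}

// authenticate maps an Authorization header to a user ID, or "" if invalid.
func authenticate(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return ""
	}
	return sessions[strings.TrimPrefix(h, "Bearer ")]
}

// profileHandler serves GET /profile/{id}. The caller must be authenticated,
// may only read their own profile, and receives the filtered DTO.
func profileHandler(w http.ResponseWriter, r *http.Request) {
	callerID := authenticate(r)
	if callerID == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	requestedID := strings.TrimPrefix(r.URL.Path, "/profile/")
	if requestedID != callerID {
		// Authorization: authenticated, but not allowed to read someone else's data.
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	u, ok := users[requestedID]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(profileDTO{ID: u.ID, Email: u.Email, DisplayName: u.DisplayName})
}

// NewAPI wires the handler so the server can be run or exercised in-process.
func NewAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/profile/", profileHandler)
	return mux
}

func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewAPI()))
}
```

The point is the split between `userRecord` and `profileDTO`: the phone never sees the password hash or internal notes because the server decides the response shape, which is exactly the control you gain by keeping integration on the backend.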

Mobile app security tip #2: secure the code:

Even before a vulnerability is exploited, attackers can obtain a public copy of an application and reverse engineer it. Popular applications are repackaged into “rogue apps” containing malicious code and are posted on third-party app stores to lure and trick unsuspecting users to install them and compromise their devices.

Enterprises should look for tools to aid their developers to detect and close security vulnerabilities and then harden their applications against reverse engineering and tampering.

Mobile app security tip #3: secure the transiting data:

Data in motion is any data that is being transmitted to or from a mobile device across a wireless network. If a username or password is transmitted to a server in plain text, then there is almost no point in having the password, since reading plain text off a wireless network is very easy to do. Therefore, encrypting data being transferred is really the only option. Most secure mobile applications use Secure Sockets Layer (SSL) as the encryption method. SSL is a point-to-point secure channel; it does not secure the data end to end.
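The following is an added example, not the article's code: a Go HTTP client configured so that a credential cannot leave the device in cleartext. It verifies the server certificate, requires TLS 1.2 or newer (TLS being the successor of the SSL named above), and refuses non-https endpoints and downgrading redirects. The demo backend, its certificate and the credential values are constructed in-process; the handler also shows the point-to-point limit the article mentions, since TLS terminates at the server and the handler sees the plaintext password.

```go
package main

// Added example (not from the article): protecting data in transit from a
// mobile client. The demo server, certificate and credentials are constructed
// in-process so the program runs offline.

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// NewTransitClient returns a client that verifies the server certificate
// against roots (nil = platform store), requires TLS 1.2 or newer, and will
// not follow a redirect back to cleartext http://. Setting InsecureSkipVerify
// instead would let anyone on the wireless path terminate the channel.
func NewTransitClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs:    roots,
				MinVersion: tls.VersionTLS12,
			},
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if req.URL.Scheme != "https" {
				return errors.New("refusing redirect to a non-https URL")
			}
			return nil
		},
	}
}

// SendLogin posts a username and password to endpoint. It fails closed on a
// non-https endpoint, so the password never leaves the device unencrypted,
// and returns any certificate verification error unchanged.
func SendLogin(c *http.Client, endpoint, user, pass string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", errors.New("login endpoint must use https")
	}
	resp, err := c.PostForm(endpoint, url.Values{"user": {user}, "pass": {pass}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(body)), nil
}

func main() {
	// Constructed demo backend. TLS terminates here, so the handler sees the
	// plaintext credential: the point-to-point limit the article describes.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		fmt.Fprintf(w, "hello %s", r.FormValue("user"))
	}))
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust exactly this server's certificate
	out, err := SendLogin(NewTransitClient(roots), srv.URL+"/login", "alice", "s3cret")
	fmt.Println(out, err) // hello alice <nil>

	_, err = SendLogin(NewTransitClient(nil), srv.URL+"/login", "alice", "s3cret")
	fmt.Println("untrusted certificate rejected:", err != nil) // true
}
```

Pinning the roots to the certificate the backend actually uses, as the demo does, is what makes the channel resistant to an attacker who controls the wireless network; the platform root store alone rejects the test certificate, which is the correct failure mode.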

Enterprises can employ other means of securing their data transfer, ranging from Virtual Private Networks (VPNs) to Mobile Application Management (MAM) systems.

Mobile app security tip #4: secure the server:

More and more mobile applications are storing all or part of their data on servers either in a Mobile Backend as a Service (MBaaS) or in private data centers. As long as the servers are secure, this is a safer way of storing protected data.

Secure Sockets Layer (SSL) protects the data in transit, but once the data gets to the server, it has to be encrypted again for storage. As with data stored on a mobile device, securing the private key is a concern that needs to be addressed. A universal private key, controlled by the data service, can encrypt the data. The security hole with this method is that if the one and only private key gets discovered, hackers can gain access to everyone’s data.

A more preferred approach would be to create a unique private key for each user of the application. This will limit the exposure if a single private key gets discovered.
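Here is an added example (not the article's code) of the per-user approach in Go: each user's data is encrypted under its own 256-bit key, and that key is stored only in wrapped form under a master key the data service controls, so one leaked per-user key exposes one user's records rather than everyone's. The master key, user keys and records are generated in-process for the demo; in production the master key would live in an HSM or cloud KMS.

```go
package main

// Added example (not the article's code): encryption at rest with a unique
// key per user, wrapped by a service-controlled master key. All keys and
// records below are generated in-process for the demo.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealGCM encrypts plaintext with AES-256-GCM; the output is nonce||ciphertext.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails if key, nonce, data or aad were altered.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// UserRecord is what the data service persists for one user.
type UserRecord struct {
	UserID     string
	WrappedDEK []byte // per-user data key, encrypted under the master key
	Ciphertext []byte // the user's data, encrypted under the per-user key
}

// Vault holds the master key (in production: an HSM or cloud KMS).
type Vault struct{ master []byte }

func NewVault() (*Vault, error) {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		return nil, err
	}
	return &Vault{master: master}, nil
}

// Store creates a fresh key for the user, encrypts data under it, and wraps
// the key with the master key. The user ID is bound as associated data so a
// wrapped key cannot be moved into another user's record.
func (v *Vault) Store(userID string, data []byte) (UserRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return UserRecord{}, err
	}
	ct, err := sealGCM(dek, data, []byte(userID))
	if err != nil {
		return UserRecord{}, err
	}
	wrapped, err := sealGCM(v.master, dek, []byte(userID))
	if err != nil {
		return UserRecord{}, err
	}
	return UserRecord{UserID: userID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// UnwrapKey recovers a user's data key; this is the only step needing the master key.
func (v *Vault) UnwrapKey(rec UserRecord) ([]byte, error) {
	return openGCM(v.master, rec.WrappedDEK, []byte(rec.UserID))
}

// Load unwraps the user's key and decrypts their data.
func (v *Vault) Load(rec UserRecord) ([]byte, error) {
	dek, err := v.UnwrapKey(rec)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, rec.Ciphertext, []byte(rec.UserID))
}

// DecryptWithLeakedKey models the blast radius of one leaked per-user key:
// it opens that user's record and nothing else.
func DecryptWithLeakedKey(dek []byte, rec UserRecord) ([]byte, error) {
	return openGCM(dek, rec.Ciphertext, []byte(rec.UserID))
}

func main() {
	v, _ := NewVault()
	alice, _ := v.Store("alice", []byte("alice's records"))
	bob, _ := v.Store("bob", []byte("bob's records"))
	leaked, _ := v.UnwrapKey(alice)
	_, err := DecryptWithLeakedKey(leaked, bob)
	fmt.Println("alice's key opens bob's data:", err == nil) // false
}
```

Binding the user ID as associated data also means that swapping one user's wrapped key into another user's record is detected at unwrap time rather than producing silently wrong plaintext.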


Written by Santhosh Adiga U

Founder of Anakramy, dedicated to creating innovative AI-driven cybersecurity solutions.
