Android and iOS Security Best Practices

Mobile operating systems are no longer confined to smartphones; they now run music players and tablets as well, which puts them in the hands of a much wider user group. Operating systems such as iOS and Android manage images, videos, apps, documents, music, messages, schedules, calls and other personal information. For this reason, mobile OS developers have built in configuration options that protect the operating system from security loopholes. However, few of these are active from the moment a device is unboxed. Below are some best practices for Android and iOS that prevent or mitigate loss of confidentiality, loss of data and unauthorized access.
Using native SSL libraries
Some third-party libraries ship with Heartbleed and a number of other flaws that can easily be exploited for larger attacks. This is exactly why the operating system's native SSL libraries should be used instead.
Using mutual SSL authentication
To validate server connections, use mutual SSL authentication in all of your mobile apps. This ensures that your app only talks to the intended server and is not redirected to some other, malicious server.
Encrypt the app communication
Encrypt all of your app's communication data. It is important not to turn off the encryption enforced in iOS 9.
Pin the certificates
For mutual authentication and encrypted communications, pin the certificates. Do not rely on the root certificates stored in the operating system, since new roots can be added to that store, which opens the door to man-in-the-middle attacks.
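As an added example that is not part of the original post, here is how an Android app using OkHttp can combine certificate pinning (the practice above) with a client certificate for the mutual SSL authentication recommended earlier; the host name, the pin values, the raw resource name and the package of the R class are assumptions.

```kotlin
import android.content.Context
import com.example.app.R            // assumed app package
import java.security.KeyStore
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// Hypothetical host and placeholder pins. Replace with the SPKI SHA-256 pins of
// your own leaf or intermediate certificate, plus a backup pin for key rotation.
private const val API_HOST = "api.example.com"
private const val PIN_PRIMARY = "sha256/PLACEHOLDER_PRIMARY_SPKI_HASH="
private const val PIN_BACKUP = "sha256/PLACEHOLDER_BACKUP_SPKI_HASH="

fun buildPinnedMutualTlsClient(context: Context, clientP12Password: CharArray): OkHttpClient {
    // Client identity for mutual TLS: a PKCS#12 bundle in res/raw (assumed resource name).
    val clientStore = KeyStore.getInstance("PKCS12").apply {
        context.resources.openRawResource(R.raw.client_identity).use { load(it, clientP12Password) }
    }
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
        init(clientStore, clientP12Password)
    }
    // Server trust starts from the platform trust store; the pinner below narrows it
    // so a newly added root cannot be used to impersonate API_HOST.
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply {
        init(null as KeyStore?)
    }
    val trustManager = tmf.trustManagers.single() as X509TrustManager
    val sslContext = SSLContext.getInstance("TLS").apply {
        init(kmf.keyManagers, arrayOf(trustManager), null)
    }
    // Two pins: primary and backup. A handshake whose chain matches neither fails
    // with SSLPeerUnverifiedException before any request data is sent.
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PIN_PRIMARY)
        .add(API_HOST, PIN_BACKUP)
        .build()
    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        .certificatePinner(pinner)
        .build()
}
```

A client certificate bundled in the APK can be extracted from a rooted device, so provision per-user or per-device identities after login where possible rather than shipping one shared bundle.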
Avoid unreliable library downloads
Avoid precompiled third-party libraries, because you cannot be sure what they actually do. This applies to graphics libraries, ad libraries and even encryption libraries. Never download libraries from an unreliable source.
Restrict inter-app communication
Only enable inter-app communication with mobile apps you know to be safe, and allow only those apps to communicate with yours. Make sure that all inter-app communication is properly encrypted.
Never store unencrypted files
Avoid storing any file that is not encrypted, and use the available encryption libraries to their full extent. Never store personally identifiable data in your app unless it is essential. Encrypt the data stored on the phone as well as the data in transit, with the help of a VPN and other secure technologies. Another mobile security best practice is to disallow the transmission of personal or sensitive data over a public Wi-Fi hotspot, particularly an unsecured one, without a VPN or some other secure transport.
Avoid using APNS messages for confidential data
Avoid using APNS or SMS messages to send sensitive data; such messages can easily be read by anyone with full access to the phone, even while the device is locked.
Use your app with care
Never store passwords in your app. Take a long, hard look at every plug-in your app uses: such plug-ins frequently act as carriers that introduce security flaws into mobile apps. In iOS apps, store credentials and secrets in the Keychain to leverage its built-in security. Never simply copy a list of permissions from a generic app; declare only the permissions that your app really needs and uses.
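The two practices above (store nothing unencrypted; keep credentials and secrets in the iOS Keychain) have an Android counterpart. As an added example that is not from the original post, this generates an AES-256-GCM key inside the Android Keystore, so the key material never lands in an app file, and uses it to seal a token before writing it to app-private storage; the key alias and file name are assumptions.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE = "AndroidKeyStore"
private const val KEY_ALIAS = "app_token_key"     // hypothetical alias
private const val TOKEN_FILE = "token.bin"        // hypothetical file name
private const val GCM_IV_BYTES = 12
private const val GCM_TAG_BITS = 128

// Returns the app's AES-256 key, creating it inside the keystore if absent.
// Only encrypt/decrypt operations are exposed; the raw key cannot be exported.
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        // .setUserAuthenticationRequired(true) would additionally gate use of the key
        // behind the device credential, matching the page's advice on access control.
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }.generateKey()
}

// The keystore chooses a fresh random IV per encryption; it is prepended to the ciphertext.
fun sealSecret(plaintext: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
    return cipher.iv + cipher.doFinal(plaintext)
}

// Decrypts and verifies the GCM tag; a tampered blob throws AEADBadTagException.
fun openSecret(sealed: ByteArray): ByteArray {
    val iv = sealed.copyOfRange(0, GCM_IV_BYTES)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
    return cipher.doFinal(sealed.copyOfRange(GCM_IV_BYTES, sealed.size))
}

fun storeToken(context: Context, token: String) =
    context.openFileOutput(TOKEN_FILE, Context.MODE_PRIVATE).use { it.write(sealSecret(token.toByteArray())) }

fun loadToken(context: Context): String? = runCatching {
    context.openFileInput(TOKEN_FILE).use { openSecret(it.readBytes()) }.toString(Charsets.UTF_8)
}.getOrNull()
```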
Use codes from reliable vendors
Use development tools and code only from reliable vendors, and download core development tools and libraries only from the official Google or Apple download sites, such as the Android store or the iTunes App Store. Never download them from an unofficial website; otherwise your app may end up infected by XcodeGhost or similar malware.
Use PIE during app compilation
When compiling the app, enable PIE (Position Independent Executable). This is essential for reducing the risk of malicious tools and apps reaching known memory locations in your mobile app.
Embed API keys with care
Keep in mind that an API key can be used to access accounts or sensitive data on cloud services, so be extremely careful when embedding API keys in your mobile app. Anyone can copy API keys from a rooted or jailbroken phone. Make sure that all access controls are enforced by a user credential or password that the user types in. Not every app offers this feature.
Check your app before release
Financial services apps need to add checks for rooted or jailbroken phones and must not allow transactions from a compromised device. Before releasing your app, use Proofpoint Mobile Defense tools to evaluate it and validate the behavior it exhibits. Have the code reviewed by external parties after your own team members have checked it.
Have a privacy policy
Put a proper privacy policy in place that accurately describes what your app and servers do with the data. Have in-house legal counsel review the app's privacy policy. Publish the privacy policy along with your app and link it to your entry in the app store.
Use security patches to update your mobile operating system
Keep the mobile OS and all its apps fully up to date. Mobile operating systems such as Android and iOS provide regular updates that resolve security flaws and other mobile security threats; they also bring performance features and options along with additional security. Turn on automatic updates for your mobile devices, or manually update your apps and phones from time to time.