Android and iOS Security Best Practices

By -
Android and iOS Security Best Practices                                                                                              
Mobile operating systems have moved on from simply being smartphone-exclusive OS to a platform for music players and tablets as well. This makes them much more available for a wider user group. Operating systems such as iOS and Android are responsible for the maintenance of various images, videos, apps, documents, music, messages, schedules, calls and other personal information for improving efficiency. Due to this reason, mobile OS developers have created built-in options for configuration in order to protect the operating systems from various security loopholes. However, few of these actually begin to work from the time mobile devices are unboxed. Find out about some of the best practices for Android and iOS for preventing or mitigating loss of confidentiality, loss of data or unauthorized access.
Using native SSL libraries
A few 3rd party libraries come with HeartBleed and a number of other flaws, which can easily be exploited for bigger attacks. This is exactly the reason why native SSL libraries have to be used on the operating systems.
Using mutual SSL authentication
In order to get server connections validated, you should make use of mutual SSL authentication in all the mobile apps that you use. This will make sure that your apps only contacts the desired server and it is not redirected to some other malicious server.
Encrypt the app communication
You need to encrypt the communication data of your apps. It is important not to turn off the encryption in iOS9.
Pin the certificates
For mutual authentication and encrypted communications, you should pin the certificates. Do not depend on root certificates that are stored in the operating system, given that there can be addition of new roots – which can result in attacks from malicious users in the middle.
Avoid unreliable library downloads
You should avoid the use of precompiled 3rd party libraries, as you cannot be sure about what they can actually do. The 3rd party libraries could be graphics libraries, ad libraries or even encryption libraries. Never download libraries from any unreliable party.
Rely on inter-app communication                                                                                                          
You should just activate inter-app communication for the mobile apps you know to be safe, and allow apps to communicate with them. Make sure that all the inter-app communication is properly encrypted.
Never store unencrypted files
Avoid storing any file that is not encrypted. Make sure that all the encryption libraries are utilized completely. Never store any data in your app that can be personally identified, and which happens to be non-essential in form. Use proper encryption for the data that you store on the phone as well as the information that is in transit, with the help of VPN and other secure technologies. Another best practice for mobile security is to disallow the transmission of personal or sensitive data over a public hotspot of Wi-Fi, particularly one that is unsecured, without the use of a VPN or some other safe transmission option.
Avoid using APNS messages for confidential data
Avoid using APNS or SMS messages to send out sensitive data, which can easily be read by any individual having full access to your mobile phone – even when your device happens to be locked.
Use your app with care
Never store any password on your app. Take a long and hard look at any plug-in being used by your app. Such types of plug-ins frequently act as transmitters that introduce security flaws into mobile apps. While using iOS apps, you need to store credentials and secrets in the KeyChain. This can leverage the built-in security of the KeyChain. Never simply copy a list of permissions from any generic app. Declare only the permissions that you really need and utilize in the app.
Use codes from reliable vendors
You should use development tools and codes only from reliable vendors, and download core development tools and libraries from the actual download websites of Google or Apple only, such as Android store or iTunes app store. Never download them from any unofficial website. Otherwise, you may end up getting your app being infected by XcodeGhost or some other malware.
Use PIE during app compilation
When you are compiling the app, enable PIE (Position Independent Execution). This is essential for reducing the risks of malicious tools and apps accessing recognized memory locations in your mobile apps.
Embed API keys with care                                                                                                                      
Keep in mind that API can be utilized for accessing accounts or sensitive data on cloud services. Naturally, you should be extremely choosing when your embed API keys in your mobile app. One can copy API keys from any rooted or Jailbroken mobile phone. Make sure that all the access controls are imposed by the entry of some user credential or a password that is typed in by the user. This feature is not available in every app.
Check your app before release
Financial services apps need to add codes to check for rooted or Jailbroken phones. They should not let any transactions happen from any compromised mobile phone. Before the release of your app, you need to use Proofpoint Mobile Defense tools to evaluate your app and validate the behavior that it exhibits. Get the code reviewed by external parties, after your own team members have checked them out.
Have a privacy policy
Get a proper privacy policy in place, which describes accurately what your servers and app do with all the data. Have an in-house legal counsel review your privacy policy related to the app. The privacy policy should be published along with your app and related to your entry in the app store.
Use security patches to update your mobile operating system

 Have the mobile OS and all its apps completely up-to-date. OS for mobile devices such as Android or iOS provide users with regular updates, in order to resolve all the security flaws and various other threats related to mobile security. These also offer extra performance features and options as well as additional security to users. You have to turn automatic updates on for your mobile devices or manually update your apps and phones from time to time.


Other blogs by the author
55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 09 08 07 06 05 04 03 02 01 

Comments

Post a Comment

Popular posts from this blog

Internet of Things - MindMap

By -
Image
Internet of Things Definition Physical objects or "Things" as we call them, embedded with smart sensors with ability to be connected to the Internet becomes "Internet of Things" or IoT. The advantages of IoT is remote management of Physical Objects ("things") from anywhere. Below is a mindmap that gives a high level overview of Internet of Things. Article on Internet of Things submitted by: Praveen Kumar President & Co-Founder Nanite Solutions http://www.nanitesol.com Other blogs by the author 55   54   53   52   51   50   49   48   47   46   45   44   43   42   41   40   39   38   37   36   35   34   33   32   31   30   29   28   27   26   25   24   23   22   21   20   19   18   17   16   15   14   13   12   11   10   09   08   07   06   05   04   03   02   01  
Read more

Challenges of a CIO/CTO

By -
Image
Quite a number of companies around the world, especially IT organizations have positions of Chief Information Officer (CIO) and Chief Technology Officer (CTO).  Although there is a huge difference in their responsibilities, for most organizations, these officers work simultaneously to achieve the IT goals of the business. The two officers are responsible for creating dynamic technological products through different skill sets and ensuring those products acceptance by both the internal and external users. Due to the similarities in their responsibilities, most small companies do not see the essence of having both positions and thus they prefer an officer serving both roles.   Source:www.martincomputersolutions.com Who is a Chief Information Officer (CIO)?                                          A CIO is an officer whose basic focus is on improving and enhancing the efficiency and delivery of internal activities or processes for providing quality services to the client
Read more

Mobile App Security: Know the rules now!

By -
Image
Mobile App Security: Know the rules now! According to a Veracode study, there are over 2,400 insecure apps on the mobile devices of employees in average global companies. This goes on to show how important it is to make apps secure, and prevent the entry of hackers into sensitive data and corporate network system. If you are concerned about improving mobile app security, here are some of the best practices that can assist you in ensuring full security. Use Application layer security At the application layer, you should implement various security measures. It rests upon the manufacturers of devices to create stronger security settings. This will allow users to adjust security settings according to their preferences and needs. Enterprise managers and users have to make sure that the features are properly used. Use Behavioral analysis tools It is not enough to use just anti-malware programs. You should also use Behavioral analysis tools for proper detection and removal. Su
Read more