Android and iOS Security Best Practices
Mobile operating systems have moved on from being smartphone-exclusive to serving as the platform for music players and tablets as well, which puts them in front of a much wider user group. Operating systems such as iOS and Android hold images, videos, apps, documents, music, messages, schedules, calls and other personal information. For this reason, mobile OS developers have built in configuration options to protect the operating system from a range of security loopholes. However, few of these options are actually active from the moment a device is unboxed. Below are some best practices for Android and iOS that prevent or mitigate loss of confidentiality, loss of data and unauthorized access.
Using native SSL libraries
Some third-party SSL libraries ship with Heartbleed and a number of other flaws that can easily be exploited as the starting point for bigger attacks. This is exactly why the operating system's native SSL libraries should be used.
Using mutual SSL authentication
To validate server connections, use mutual SSL authentication in all of your mobile apps. This ensures that your app only talks to the intended server and cannot be redirected to a malicious one.
Encrypt the app communication
Encrypt all of your app's communication. It is important not to turn off encryption on iOS 9.
Pin the certificates
For mutual authentication and encrypted communications, pin the certificates. Do not depend on the root certificates stored in the operating system, since new roots can be added, which opens the door to man-in-the-middle attacks.
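The two points above, presenting a client certificate so the server can authenticate the app and refusing any server whose chain does not carry a pinned public key, can be combined in a single Android HTTP client. The following Java class is an added example, not code from the original article or from any vendor; it uses the standard javax.net.ssl APIs together with OkHttp's CertificatePinner, and the host name, pin values, key alias and file inputs are assumptions to be replaced with your own.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/**
 * Builds an OkHttpClient that (1) presents a client certificate so the server
 * can authenticate the app (mutual TLS) and (2) rejects any server whose chain
 * does not contain a pinned public key, regardless of which roots the OS trust
 * store currently holds.
 */
public final class PinnedMutualTlsClient {

    // Assumed host and pins: replace with your API host and the base64 SHA-256
    // of its leaf (or intermediate) SubjectPublicKeyInfo.
    private static final String API_HOST = "api.example.com";
    private static final String PRIMARY_PIN = "sha256/REPLACE_WITH_SPKI_SHA256_BASE64=";
    // Always ship a backup pin so a planned key rotation does not lock users out.
    private static final String BACKUP_PIN = "sha256/REPLACE_WITH_BACKUP_SPKI_SHA256_BASE64=";

    public static OkHttpClient build(InputStream clientPkcs12, char[] clientPassword,
                                     InputStream trustedCaCert) throws Exception {
        // Client identity: a PKCS#12 bundle (certificate + private key), ideally
        // enrolled at first login rather than shipped inside the APK.
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        clientStore.load(clientPkcs12, clientPassword);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, clientPassword);

        // Trust anchor: only our own CA, bundled with the app, never the OS root store.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        trustStore.setCertificateEntry("api-ca", cf.generateCertificate(trustedCaCert));
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        X509TrustManager x509Tm = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                x509Tm = (X509TrustManager) tm;
                break;
            }
        }
        if (x509Tm == null) {
            throw new IllegalStateException("no X509TrustManager available");
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { x509Tm }, null);

        // Public-key pinning: the handshake fails unless one of these pins matches
        // a certificate in the server's chain, even if the chain is otherwise valid.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();

        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), x509Tm)
                .certificatePinner(pinner)
                .build();
    }
}
```

Pin the SubjectPublicKeyInfo rather than the whole certificate so a routine certificate renewal with the same key does not break the app, and keep a second pin for the key you will rotate to; a client with only one pin and no update path is stuck the day that key changes.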
Avoid unreliable library downloads
Avoid precompiled third-party libraries, since you cannot be sure what they actually do. This applies to graphics libraries, ad libraries and even encryption libraries. Never download libraries from an unreliable party.
Restrict inter-app communication
Enable inter-app communication only for mobile apps you know to be safe, and allow your app to communicate with those alone. Make sure that all inter-app communication is properly encrypted.
Never store unencrypted files
Avoid storing any file unencrypted, and make full use of the available encryption libraries. Never store personally identifiable data that your app does not actually need. Use proper encryption both for data stored on the phone and for data in transit, with the help of a VPN or other secure technologies. Another mobile security best practice is to disallow the transmission of personal or sensitive data over a public Wi-Fi hotspot, particularly an unsecured one, unless a VPN or some other safe transport is used.
Avoid using APNS messages for confidential data
Avoid using APNS or SMS messages to send sensitive data, since such messages can be read by anyone with physical access to the phone, even while the device is locked.
Use your app with care
Never store a password in your app. Take a long, hard look at every plug-in your app uses; such plug-ins frequently introduce security flaws into mobile apps. In iOS apps, store credentials and secrets in the Keychain so that you benefit from its built-in security. Never simply copy the permission list of some generic app; declare only the permissions that your app really needs and uses.
Use code from reliable vendors
Use development tools and code only from reliable vendors, and download core development tools and libraries only from the official Google or Apple download sites, such as the Android store or the iTunes App Store. Never download them from an unofficial website; otherwise your app may end up infected by XcodeGhost or similar malware.
Use PIE during app compilation
When compiling the app, enable PIE (Position Independent Executable). This is essential for reducing the risk of malicious tools and apps reaching known memory addresses inside your mobile app.
Embed API keys with care
Keep in mind that API keys can be used to access accounts or sensitive data on cloud services, so be extremely selective about which API keys you embed in your mobile app: anyone can copy an API key off a rooted or jailbroken phone. Make sure that all access controls are enforced by a user credential or password that the user types in. Not every app offers this feature.
Check your app before release
Financial services apps need to add code that checks for rooted or jailbroken phones and refuses to let transactions proceed from a compromised device. Before releasing your app, use Proofpoint Mobile Defense tools to evaluate it and validate the behavior it exhibits. Have the code reviewed by external parties after your own team members have reviewed it.
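A minimal form of the compromised-device check described above, as an added example for Android that is not part of the original article: it looks for the usual indicators of a rooted build before a sensitive operation is allowed. The list of paths and the method names are assumptions; treat the result as a heuristic only.

```java
import android.os.Build;
import java.io.File;

/** Client-side heuristics for detecting a rooted Android device before a sensitive transaction. */
public final class DeviceIntegrity {

    // Locations where a su binary is commonly installed on rooted devices (assumed list).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/su/bin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    /** True if the firmware was signed with AOSP test keys instead of a vendor release key. */
    public static boolean isTestKeysBuild() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** True if any of the known su binary locations exists on this device. */
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Combines the individual signals into a single verdict. */
    public static boolean looksCompromised() {
        return isTestKeysBuild() || hasSuBinary();
    }

    /**
     * Gate to call before a transaction: throws so the caller cannot forget to
     * check a boolean. The exception message is generic on purpose; the detailed
     * reason should go to the server-side fraud log, not to the screen.
     */
    public static void requireTrustedDevice() {
        if (looksCompromised()) {
            throw new SecurityException("transactions are not permitted on this device");
        }
    }
}
```

These checks run inside the app, so on a rooted device they can be patched out; they raise the bar for casual misuse but are not proof. Pair them with a server-side device attestation result (for example Google's Play Integrity API) and keep the final authorization decision on the server, where the transaction can be declined regardless of what the client claims.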
Have a privacy policy
Put a proper privacy policy in place that describes accurately what your servers and app do with all the data. Have in-house legal counsel review the privacy policy for the app. Publish the privacy policy along with your app and link it from your entry in the app store.
Use security patches to update your mobile operating system
Keep the mobile OS and all its apps fully up to date. Mobile operating systems such as Android and iOS provide users with regular updates that resolve security flaws and other mobile security threats; these updates also bring extra performance features and options as well as additional security. Turn on automatic updates for your mobile devices, or manually update your apps and phones from time to time.