The SQA2 Blog: Mobile
The growth of mobile apps is increasing rapidly, and the impetus to secure mobile applications is too. According to recent research, the global market for enterprise mobility will be over 100 billion within fifteen years.
Mobile application security is a huge concern for enterprises. Hybrid mobile apps dominated market share when using cross-platform development kits (open source and paid development kits) to reduce development costs. However,this led to major security problems. Here are some best practices to help secure mobile apps.
Never Trust Any User
Verify each request sent by the mobile application. The web server must authenticate and validate every request because the majority of possible attacks come from mobile clients. Before delivering sensitive or confidential data, its recommended to use Two-factor authentication or similar validation methods.
Encrypted Data Storage and Delivery
Mobile apps must send and receive user data through encrypted channels to prevent data breaches. In addition, its critical to encrypt any user data stored in a database server.
Use Timed Sessions
The basic concept is to limit the amount of time a user can go without any activity. A timeout requires the validation of all user requests. The validation, through a timestamp, is sometimes a security feature. This prevents attackers from intercepting the session data and getting unauthorized access.
Disabling Repeat Request
In addition to timed sessions, it is strongly recommended that you disable apps so they do not execute transactions more times than necessary. For example, if a user repeats a banking request during a money transfer, it’s possible that the application deducts the same amount multiple times from the user’s bank account.
Stop Accepting Modified Requests and Prevent URL Manipulation
Attackers usually try to identify all the possible entry points to access your system. It is very common for attackers to modify user requests and bypass the authentication or some other harmful activities. Therefore to prevent these situations, us a cyrptographic key pair to encrypt a URL or complete a transaction.