Introduction:
Last month I met with several major telecom companies. In these meetings, the business and security leaders discussed the challenges they face in their B2C mobility initiatives: launching mobile applications for the various mobile operating systems and platforms, choosing the right communication channels and, of course, security.
The architecture of a B2C mobile application involves mobile client apps, middleware applications and external integration services, which makes it complex. This is true for any company that wants to offer a mobile application to its consumers, not just telecom companies.
Key Security Risks
A B2C mobile app has four major risk categories: mobile client app risks, middleware application risks, mobile application interface risks and lost or stolen device risks. Below are some major security risks for mobile applications:
- Mobile Client App Security Risks
- A malicious user can reverse engineer the client app to extract sensitive information embedded in it, and an improperly signed application can be modified and repackaged without detection.
- A weak cryptographic implementation for critical data kept in the device's local data storage can lead to fraudulent transactions.
- Middleware Application Security risks
- In middleware applications that expose HTTP-based web services (SOAP, REST), an adversary may attempt to intercept and modify request/response messages.
- Insecure network communication channels may lead to tampering with middleware/interface parameters and/or database compromise.
- Mobile Application Interfaces risks
- Mobile applications connect to the backend and database servers through various interfaces. Insecure interfaces may lead to data tampering, denial of service and message replay attacks.
- Improper input validation may lead to SQL injection and cross-site scripting attacks.
- Device lost/stolen case risks
- If a device is lost or stolen, an unauthorized user may misuse the data on it.
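As an added illustration of the interface risks listed above (parameter tampering and message replay), and not code from the original article, here is a request-signing scheme in Python. The client attaches a timestamp, a random nonce and an HMAC-SHA256 over the request; the middleware rejects any request whose signature does not verify, whose timestamp falls outside a freshness window, or whose nonce has already been seen. The shared secret, the header names and the in-memory nonce store are assumptions made for the example; this check complements TLS on the channel rather than replacing it.

```python
import hashlib
import hmac
import secrets
import time

# Shared secret between the mobile client and the middleware. Assumption for
# the example: provisioned per device or user at enrolment. Constructed value.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

# Freshness window: requests whose timestamp is older than this are rejected.
MAX_AGE_SECONDS = 300


def canonical(method, path, body, timestamp, nonce):
    """Bytes covered by the signature: method, path, body hash, timestamp, nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, str(timestamp), nonce]).encode()


def sign_request(method, path, body, secret=SHARED_SECRET, now=None):
    """Client side: produce the headers that authenticate one request.

    Header names are an assumption for the example. `now` can be injected
    for deterministic testing; it defaults to the wall clock.
    """
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    sig = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Middleware side: checks signature, freshness and nonce uniqueness."""

    def __init__(self, secret=SHARED_SECRET, max_age=MAX_AGE_SECONDS):
        self.secret = secret
        self.max_age = max_age
        # nonce -> timestamp it was first accepted. In-memory store is a
        # simplification; a deployment shares it across middleware instances.
        self.seen = {}

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason). Signature is checked before anything else
        so an attacker cannot probe the nonce store with unsigned requests."""
        now = int(now if now is not None else time.time())
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed headers"
        expected = hmac.new(self.secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak the matching prefix length.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature (tampered or wrong key)"
        if abs(now - ts) > self.max_age:
            return False, "stale timestamp"
        # Drop nonces that are outside the window; they can no longer be replayed
        # anyway because the timestamp check would reject them first.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    v = Verifier()
    body = b'{"to":"ACC-1","amount":100}'   # constructed transfer request
    h = sign_request("POST", "/api/transfer", body, now=1000)
    print(v.verify("POST", "/api/transfer", body, h, now=1000))          # accepted
    print(v.verify("POST", "/api/transfer", body, h, now=1001))          # replay
    print(v.verify("POST", "/api/transfer", b'{"to":"ACC-1","amount":999}', h, now=1000))  # tampered
```

The body hash inside the signed string is what defeats parameter tampering: changing the amount invalidates the HMAC. The nonce store is what defeats replay within the freshness window, and the window bounds how long the store has to remember a nonce.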
Securing the B2C Mobile Application
To secure your mobility initiative, organizations should focus on the security of the entire ecosystem, including:
- Mobile client and server applications,
- Middleware applications, their interfaces and web services,
- Communication channels and
- Local device data storage.
Securing only one or two components will not secure the entire chain, since a chain is only as strong as its weakest link.
Top 10 suggestions for securing your B2C mobile application:
- Validate all inputs in the mobile client application, whether they come from trusted sources (local or server data storage) or untrusted ones (user input, e.g., special characters)
- Encrypt request and response messages in transit
- Use secure web services
- Use appropriate security controls for firmware and middleware applications
- Encrypt data stored on local handheld devices
- Employ a strong authentication mechanism
- Release properly signed mobile apps
- Configure remote data wipe to prevent unauthorized access to a lost or stolen device
- Implement secure session management
- Restrict access to the integration services and their configuration
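To make the input-validation and SQL injection points in the risk list and the suggestions above concrete, here is an added Python example (not from the original article) using the standard sqlite3 module. The customer table, the MSISDN format and the query are constructed for the demonstration. The vulnerable lookup concatenates the client-supplied value into the SQL string; the parameterized lookup binds it as a query parameter, which alone defeats the injection; the hardened lookup additionally checks the value against an allow-list pattern before the query runs.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the backend database that the
# middleware queries on behalf of the mobile client.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (msisdn TEXT PRIMARY KEY, plan TEXT, balance REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("919800000001", "prepaid", 12.50),
        ("919800000002", "postpaid", 0.00),
        ("919800000003", "prepaid", 99.00),
    ])
    return conn


def lookup_vulnerable(conn, msisdn):
    """Builds the query by string concatenation: the client-supplied value is
    interpreted as SQL, so a payload such as ' OR '1'='1 returns every row."""
    sql = f"SELECT msisdn, plan, balance FROM customers WHERE msisdn = '{msisdn}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, msisdn):
    """Binds the value as a parameter: the driver never treats it as SQL, so the
    same payload simply matches no row."""
    return conn.execute(
        "SELECT msisdn, plan, balance FROM customers WHERE msisdn = ?", (msisdn,)
    ).fetchall()


# Allow-list for the one input this endpoint accepts. The 10-15 digit MSISDN
# format is an assumption for the example.
MSISDN_RE = re.compile(r"[0-9]{10,15}")


def lookup_hardened(conn, msisdn):
    """Validates the input against the allow-list first, then binds it. The
    validation is defence in depth: it rejects malformed input before it
    reaches the database at all, and gives the client a clear error."""
    if not isinstance(msisdn, str) or not MSISDN_RE.fullmatch(msisdn):
        raise ValueError("invalid MSISDN")
    return lookup_parameterized(conn, msisdn)


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"   # constructed injection payload
    print(lookup_vulnerable(conn, payload))      # all three rows leak
    print(lookup_parameterized(conn, payload))   # []
    try:
        lookup_hardened(conn, payload)
    except ValueError as e:
        print("rejected:", e)
```

Validation in the mobile client is still worthwhile for usability, but it is not a security boundary: an adversary can bypass the client and send requests directly to the middleware, so the allow-list and the parameter binding belong on the server side as well.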
Happy mobilizing!
Author
Mr. Suhas Desai,
Sr. Consultant – Mobile Security Practice
Aujas Risk Management Services