Security Assessment: Ensure development and security teams perform a security assessment prior to publishing a mobile application.
Client-side Data Storage: Avoid storing sensitive information (e.g. PCI, PHI, session tokens) permanently on the mobile device file system in locations such as a SQLite database, log file, XML file or HTML5 database. Attackers can easily steal devices or use malware to extract information stored in these locations. Consider retrieving sensitive information temporarily from a secure web service and removing it from the device when it is no longer needed.
Weak Cryptography: If sensitive data must be stored on the device, apply an additional layer of encryption using an approved cryptographic algorithm. Do not hard-code encryption keys in source code or store them unprotected on the file system. Instead, retrieve encryption keys from a secure web service and store them in the keychain.
Information Disclosure: Disable mobile operating system features that cache sensitive information on the device. Common locations include the keyboard autocomplete cache, the copy/paste buffer and screenshots taken during application transactions. These global storage areas are accessible to malicious applications and could result in the exposure of sensitive information.
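On Android the three caches named above are each switched off by a different API. The activity below is an added example, not code from the original page; CheckoutActivity, R.layout.checkout and R.id.card_number are hypothetical names for a screen that handles card data.

```java
import android.app.Activity;
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.os.PersistableBundle;
import android.text.InputType;
import android.view.WindowManager;
import android.widget.EditText;

/** Added example: a hypothetical checkout screen that opts out of the three OS caches. */
public class CheckoutActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Screenshots and the recents thumbnail: FLAG_SECURE blanks this window in both,
        // and must be set before the first frame is drawn.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.checkout);                               // hypothetical layout

        // Keyboard autocomplete cache: no suggestions, and the visible-password variation
        // tells compliant keyboards not to add what is typed to their dictionary.
        EditText cardNumber = (EditText) findViewById(R.id.card_number); // hypothetical id
        cardNumber.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS
                | InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD);
    }

    /** Copy/paste buffer: if a value must be copied, flag it sensitive on Android 13+ so the
     *  system clipboard preview hides it; callers clear it again with clearClipboard(). */
    static void copySensitive(Context ctx, String value) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = ClipData.newPlainText("", value);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        cm.setPrimaryClip(clip);
    }

    /** Removes the copied value once the transaction step that needed it is done. */
    static void clearClipboard(Context ctx) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip();
        } else {
            cm.setPrimaryClip(ClipData.newPlainText("", ""));
        }
    }
}
```

The simplest option for the clipboard is to not offer a copy action on sensitive fields at all; the helpers are for the case where the product requires one.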
Transport Layer Protection: Mobile applications that rely on backend web services to send and receive sensitive information (e.g. customer data and session tokens) should enforce transport layer encryption. Performing certificate chain validation, using approved protocols and ciphers, and pinning certificates ensure that data is sent over secure channels.
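With OkHttp on Android the three controls above (chain validation, approved protocols and ciphers, pinning) are set on the client once. The class below is an added example and not code from the original page; the host api.example.com, the /v1/profile path and the two pin values are placeholders (the pins are syntactically valid base64 so the builder accepts them, but they match no real certificate and must be replaced with the SPKI hashes of the service's certificate plus a backup).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

/** Added example using OkHttp; host, path and pin values are placeholders. */
public final class SecureApiClient {
    private static final String API_HOST = "api.example.com"; // placeholder host

    static OkHttpClient build() {
        // Approved protocols and ciphers: TLS 1.2+ with OkHttp's MODERN_TLS cipher list.
        // No CLEARTEXT spec is included, so an http:// URL fails instead of silently downgrading.
        ConnectionSpec tls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .build();

        // Pinning: SHA-256 of the SubjectPublicKeyInfo of the leaf or an intermediate, plus a
        // backup pin so a planned key rotation does not lock the app out. Placeholder values.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
                .add(API_HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
                .build();

        // Chain validation and hostname verification stay at OkHttp's defaults: the platform
        // trust store is used and no custom trust-everything TrustManager is installed.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(tls))
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /** Sends the session token only over the pinned, TLS-1.2+ connection built above. */
    static String fetchProfile(OkHttpClient client, String bearerToken) throws IOException {
        Request req = new Request.Builder()
                .url("https://" + API_HOST + "/v1/profile") // placeholder path
                .header("Authorization", "Bearer " + bearerToken)
                .build();
        try (Response resp = client.newCall(req).execute()) {
            if (!resp.isSuccessful()) {
                throw new IOException("HTTP " + resp.code());
            }
            return resp.body().string();
        }
    }
}
```

If the pin set does not match, OkHttp throws an SSLPeerUnverifiedException before any request bytes are sent, which is the behaviour an assessment should confirm by testing against a proxy with a substituted certificate.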
Server-side Security: Web services that support mobile applications are vulnerable to the same types of attacks that have plagued web applications for years. Protect web service endpoints with strong authentication and authorization controls. Perform fuzz testing for injection issues (e.g. SQL, HTML, OS commands and XML). Secure authentication cookies using the Secure and HttpOnly flags.
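On the service side, the cookie flags and the most common injection class from the item above look like this in a Java servlet backend. This is an added example, not code from the original page; the cookie name SESSIONID and the accounts table are hypothetical, and the header is written by hand because javax.servlet.http.Cookie has no SameSite setter. The missingCookieFlags helper is the kind of check an assessor runs over captured responses.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletResponse;

/** Added example for the backend of a mobile app: cookie flags and a parameterised query. */
public final class BackendHardening {
    private static final String COOKIE_NAME = "SESSIONID"; // hypothetical cookie name

    /** Emits the session cookie with Secure, HttpOnly and SameSite set; no Max-Age, so it is
     *  a session cookie that the client should not persist to disk. */
    static void setSessionCookie(HttpServletResponse resp, String token) {
        resp.addHeader("Set-Cookie", COOKIE_NAME + "=" + token
                + "; Path=/; Secure; HttpOnly; SameSite=Strict");
    }

    /** Assessment check: lists the protective attributes a Set-Cookie header lacks. */
    static List<String> missingCookieFlags(String setCookieHeader) {
        Set<String> attrs = new HashSet<>();
        String[] parts = setCookieHeader.split(";");
        for (int i = 1; i < parts.length; i++) {            // parts[0] is name=value
            attrs.add(parts[i].trim().split("=", 2)[0].toLowerCase());
        }
        List<String> missing = new ArrayList<>();
        if (!attrs.contains("secure")) missing.add("Secure");
        if (!attrs.contains("httponly")) missing.add("HttpOnly");
        if (!attrs.contains("samesite")) missing.add("SameSite");
        return missing;
    }

    /** SQL injection defence: the identifier is bound as a parameter, never concatenated into SQL. */
    static boolean accountExists(Connection db, String accountId) throws SQLException {
        try (PreparedStatement ps = db.prepareStatement("SELECT 1 FROM accounts WHERE id = ?")) {
            ps.setString(1, accountId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

For a header such as "SESSIONID=abc; Path=/; HttpOnly", missingCookieFlags returns ["Secure", "SameSite"]; a mobile backend that serves the app exclusively over TLS has no reason to ever omit Secure.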
Mobile Application Security Assessment Tools
- QARK (Android) : https://github.com/linkeding/quark
- iDB Tool (iOS) : http://www.idbtool.com