What is Mobile (and Web) Application Security? | Introduction for App Owners
What is a mobile application security? How to secure your app? Discover the common threats related to application security, and learn how to analyze risks and their consequences for your app.
In this article, you will learn what application security is, what the most common threats related to app security are, and how to analyze risks and their consequences for your application.
What is application security, and why is it so difficult to define?
You may be wondering what application security actually means. Everyone believes that mobile/web applications’ security is essential, and you need to take care of it during development – no one would disagree with this statement.
But what does application security mean?
It turns out that it’s hard to find/come up with a helpful definition without identifying the risks and threats against which we want to protect ourselves.
If we don’t define the risks, we can’t accurately define application security.
Security is basically protection against threats. Let’s take cars as an example. If we talk about a safe car, it means that the car will protect us in a possible accident (to some extent). In the context of car safety, the risk is a traffic accident.
So when we talk about security in the context of software development, we need to define the potential threats against which we want to protect ourselves. This enables us to formulate a common view of what we’re talking about.
Definition of application security
We can define application security as the process of finding and fixing security gaps and ensuring adequate protection against possible threats.
This definition doesn’t clarify the matter, but we can deduce one important thing from it: application security is a process, not a one-time action.
To achieve the desired level of security, we must be prepared to create an application security process and make sure that it’s followed throughout the entire life of the application – design, development, and maintenance.
What is missing from this definition? We said that application security is a process, but we haven’t really identified what exactly it concerns and what it provides.
The key issues here are threats and risks against which we want to protect ourselves. If we are unsure or have no idea what the risks are, we won’t be able to correctly assess the level of security we would like to achieve.
Security is a response to potential threats and risks
What’s crucial in terms of security is realizing that we want to eliminate or mitigate potential threats and the risks arising from them. When we start thinking about security, we shouldn’t immediately focus on the methods and techniques that will keep us safe. First, we should analyze the risks and threats against which we want to defend ourselves. We can’t begin properly adjusting the techniques and security methods if we’re not aware of the risks.
The 6 most common application security threats
The most common threats related to the security of mobile and web applications are:
- Unauthorized extraction of information – e.g., obtaining private messages in a chat application,
- Unauthorized use of application functions – e.g., gaining access to the admin function by an unauthorized user,
- Denial of service – an attack aimed at overloading the system so that users are unable to use the application – def: https://en.wikipedia.org/wiki/Denial-of-service_attack,
- Unauthorized remote access control (breaking into servers) – gaining access to application servers by unauthorized persons,
- Data leakage – obtaining confidential data by unauthorized persons, often through an unauthorized remote access control attack,
- Installing malware (malicious software) on user devices – causing application users to download malicious software.
This list isn’t complete. These are just a few of the most common threat examples we may deal within a web or mobile application.
As you can see, app owners face many threats on different levels. In order to accurately assess and design security solutions, we need to carry out an accurate analysis of our application.
Note that the threats may differ depending on the type of application. To sum up:
Types of applications and related threats
Let’s take a closer look at security threats that await us in different types of applications by industry.
E-commerce/m-commerce application threats
- Sensitive data leak
- Denial of service and financial losses
Social application threats
- Personal data leak
- Identity theft
FinTech application threats
- Extorting user money
- Carrying out unauthorized transactions
- Financial data leak
- Failure to meet financial regulations
MedTech & Healthcare application threats
- Very sensitive and confidential medical data
- Non-compliance with regulations (e.g., HIPAA in the USA)
- Denial of service and interruption of access to medical data
Threats of applications requiring personal data
- Personal data leak
- Failure to meet regulations, e.g., GDPR
Threats of application prototypes
- very few risks, the topic of safety may be marginalized
Frontend application threats (no backend)
- No information exchange
- Most security risks do not exist
Note that many factors affect the risks we have mentioned so far:
- the purpose of the application,
- the data users store,
- the data we share with them,
- and the services we provide via the application.
Examples of security vulnerabilities
We have seen many examples of security vulnerabilities leveraged by cybercriminals in the history of app development.
- Whatsapp – A security vulnerability allowed an Israeli company to install spyware on the devices of human rights activists (source).
- Under Armor example – 150 million identification data (email, passwords) were leaked and then appeared on the black market (source).
These examples show that even large companies with significant resources are vulnerable to such threats and experience security holes that may be exploited.
The scale is important. Additional security factors
The above examples also show us the extra factors that affect the scale of threats. Different threats await an application used by a million users and a different one an app used on a smaller scale. The consequences are different as well, and so is the pressure to quickly fix the security gap. Security processes also vary between them a lot. The scale of the application is another factor that should be taken into account when analyzing risks and threats in the context of security.
Another important factor is the target audience. An important aspect in terms of security is how we acquire users – whether the application is public or intended for a limited number of users (e.g., employees of one company). For example, if we create an in-house application, we have more control over who will use it and in what circumstances. We can then introduce other security solutions and processes.
What to do before starting development to take care of app security?
Here are a few things you can do before the development starts to boost the security of your application:
- precisely define the industry in which your application will function,
- find out if there are regulations in a given industry that must be met (e.g., HIPAA, GDPR, PSD2),
- define the main users of the application (who will use the application),
- identify the data that will be available in the application (personal data, medical data, messages, payments, etc.),
- carry out a short analysis of the possible threats and consequences of security gaps in line with the answers to the previous questions.
The above is a good start to start the application security process.
How and when to conduct an analysis of threats, risks, and possible consequences?
We should raise the issue of security at the very beginning of the application development process. Everyone on the development team, stakeholders, and founders or owners should be aware of the risks.
The key to safety is an individual analysis of threats, risks, and possible consequences. We should carry it out at the stage of collecting requirements.
The level of security should be adapted to the performed analysis.
The analysis doesn’t always have to be a long process that generates extensive documentation. On the contrary, it’s better to start with something simpler.
1. Investigate the risks
When analyzing the risks, it’s smart to consider the possible consequences of negligence. Of course, the implications will be different from application to application. But answer these questions, and you’ll get an idea:
- What happens if user data is leaked?
- What data do we store?
- What happens when the application stops working? (denial of service attacks)
- What happens if app data is leaked?
- Do we store payment data?
- What happens when an attacker gets unauthorized access to some functions of the application?
- Does the application industry force it to comply with any regulations (HIPAA, GDPR)?
Knowing the answers to these questions increases the awareness of the entire team about the risks that may occur. Taking your answers into account, the development team and you get to design security processes and solutions more accurately.
2. Define the data stored in the application and the data that is exchanged (between users, and the user and the system).
3. For each main functionality of the application, answer the following questions
- What happens if a feature stops working for some time?
- How long can a given functionality not work?
Let’s sum up:
How to take care of security during the app development process?
You should also pay attention to security practices during the app development itself. It’s worth making a conscious decision about who will have access to communication channels, development tools, application servers, and various third parties.
Here are a few questions that will help verify whether we care about the right level of security during development:
- Is the Principle of least privilege applied?
- Do we avoid exchanging passwords in e-mails, private messages?
- Do we require appropriate security rules on the websites (2FA, strong passwords, etc.)?
- Do we use safe, proven tools?
Application security – summary and takeaways
I hope that after reading the article, the topic of app security is clearer to you. Here are the key takeaways:
- Ensuring application security is a process, not a one-time action.
- You should consider security from the very beginning of work on the application.
- To ensure security effectively, you need to be aware of security risks.
- It’s very important to analyze the application and threats for your specific application.
- It’s key that you analyze the risks, threats, and possible consequences of threats (damage control).
In the next article in our series on mobile and web app security, you will learn about best practices and tools that help to ensure the security of your application and see how to test if the application is safe.