Security Concern and Measures on Mobile Apps
The term mobile apps is used to designate the process by which application software is designed and developed for handheld gadgets or devices such as mobile phones. Mobile applications can be delivered as web applications, using server-side and client-side processing to provide an experience within a web browser. Apps can also be pre-installed on the phone platform during the manufacturing process. However, there are scenarios in which mobile apps run into problems that can lead to heavy losses for organizations. Therefore, in this paper we scrutinize the architecture and security issues of mobile apps, then explore some security measures to deal with the associated security tasks.
Mobile applications have become part and parcel of how organizations provide services in their daily business. This research case study is based on banking environments. For instance, organizations such as banking institutions use mobile apps for financial services and transactions through mobile devices. Importance: Mobile app security includes data transmission, where it is imperative to secure users' data to prevent hackers from invading and stealing data and information. Authentication and authorization are also important, since they allow only authorized users to access the data and information.
Problem: Nevertheless, there are still many security problems associated with mobile apps, such as the use of a Short Message Service (SMS) messenger when making transactions through SMS. The data and information being relayed are not secure in transit, because sending and receiving SMS involves no encryption technique. Similarly, using a mobile device to access the internet through the Wireless Application Protocol (WAP) is insecure, since WAP is vulnerable to hacker attacks due to its insecure protocol translation and compression of contents.
Complexity: In an environment such as a banking organization, the protocol translation and compression of contents from mobile devices operate through an online banking architecture that is not fully secured.
Prior solution: This architecture has been incorporated into mobile internet banking applications, since the bank has application servers that include an email server and a web server. The router directs the user's transaction requests to the application servers.
Proposed solution: It has recently been realized that the communication of internet banking apps on smartphones will be asynchronous through back-end systems; hence a service-oriented architecture is needed, in which application components provide services to other components using a communication protocol. For instance, mobile banking over Wireless Application Protocol (WAP) and Short Message Service (SMS) is popular, since through SMS clients can be updated about their account status.
Contributions: This research critically examines the security issues of mobile apps, and we have found that hacking and malware are the major threats for many organizations using mobile apps. We therefore propose security configurations and vulnerability management for each mobile platform to help mitigate these security issues.
Background: The evolution of mobility has become critical to helping companies use the full range of digital technologies to boost overall operating and financial performance, and hence improve productivity. Mobile apps are the portal to opening digital business and driving results. They act as an interface to data that is collected, processed and delivered to end users in an understandable and usable way. In the absence of apps, much of the benefit of digital technologies and the Internet of Things (for instance, gathering performance data from sensors, applying analytics to the data and using the insights to drive business decisions) will be lost.
Mobile apps are considered the dominant interface of the future; hence there is high demand for mobile apps among different companies' customers to access services. Despite that, many companies and organizations are yet to put in place measures that facilitate app effectiveness, for instance comprehensive pre-launch testing, mobile app security solutions that are integrated with existing enterprise security systems, and an intuitive user interface that enhances the user experience.
Model: Most mobile apps that are affected by security issues are web-based. The persistent apps focus on productivity, such as those that enable report updates and access to sales; operations, for instance those that allow employees to complete time sheets or book office space; management, such as executive dashboards; and customer-facing applications, such as those that support sales and customer service. One possible reason why mobile apps are not more pervasive in the business enterprise is that many companies are yet to put in place measures that facilitate successful adoption. Mobile app security issues have always been highlighted as the overriding challenge in app development and management.
Moreover, a mass of mobile apps is released almost every day, and most of them carry important user information. These apps are vulnerable to attacks by hackers who look for weaknesses in apps, tap into them, phish user information and may also implant malware.
Mobile Apps Security Challenges
The security issues that affect mobile apps include a lack of binary protections. In the absence of binary protection, an adversary can reverse-engineer the code of an app to inject malware or redistribute pirated applications. This is a critical concern in mobile app security, as it can lead to theft of confidential data and information, brand and trust damage, fraud and revenue losses. If the binary files are not analyzed and modified, the fixing of vulnerabilities in the legacy code may not be attained.
Insecure data storage is another common mobile app security loophole. A common practice among developers is to depend upon client storage for data. However, client storage is not a sandbox environment where security breaches are impossible. If an adversary acquires the mobile device, this data can easily be accessed, manipulated and used, which can result in identity theft, reputation damage and external policy violation.
Poor authorization and authentication is another mobile app security concern. Missing or poor authentication allows an adversary to secretly operate the mobile app or the backend server of the mobile app. In most cases short passwords are implemented, because the input form factor of mobile devices encourages them. Unlike users of traditional web apps, mobile app users are not expected to be online throughout their sessions. This is because mobile internet connections are not as reliable as traditional web connections; hence mobile apps may require offline authentication to maintain uptime. This offline condition can lead to security loopholes that developers must consider when implementing mobile authentication. When apps are in offline mode, they are usually unable to distinguish between users, and they allow users with low permissions to execute actions that are only allowed to admins. Moreover, two-factor authentication is not consistently used when conducting sensitive transactions on mobile devices.
According to studies, users generally use static passwords instead of two-factor authentication when conducting sensitive online transactions on mobile devices. The use of static passwords for authentication has many security drawbacks: passwords can be forgotten, written down and stolen, or eavesdropped. Traditional passwords and PINs may not provide as high a level of security as two-factor authentication. Two-factor authentication is a system in which users are required to authenticate using at least two different factors. Mobile devices can be used as a second factor in some two-factor authentication schemes: they can generate passcodes, or passcodes can be generated and sent via text message to mobile phones.
Client-side injection is also a mobile app security concern. It refers to the execution of malicious code on the client side, on the mobile device, via the mobile app. A threat agent inputs the malicious code into the mobile app through several different means. The underlying frameworks supporting the mobile app process this code like any other data on the device. During processing, this code forces a context switch and the framework reinterprets the data as executable code. This code may run within the scope and access permissions of the user, or it may execute with privileged permissions, leading to much greater potential damage.
Security decisions via untrusted inputs are also a security concern. Developers generally use hidden fields, values and functionality to distinguish between higher- and lower-level users; hence an attacker might intercept the calls and tamper with such sensitive parameters. Weak implementation of such hidden functionality leads to improper app behavior, resulting in high-level permissions being granted to an attacker. A mobile app maintains communication between clients using an inter-process communication (IPC) mechanism, which is also used to establish communication between different apps and to accept data from various sources. Because of this, an adversary can intercept this communication and interfere with it to introduce malware or steal information.
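The hidden-field problem described above, as an added example that is not part of the original essay: a backend check that trusts a client-supplied privilege flag, next to a hardened check that takes the role only from server-signed session state. All names (SERVER_KEY, issue_session, the is_admin field, the request layout) are hypothetical, and the requests are constructed sample data.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # hypothetical; held only by the server

def issue_session(user: str, role: str) -> str:
    """Server issues session state whose role is bound by an HMAC tag."""
    body = json.dumps({"user": user, "role": role}, sort_keys=True)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def role_from_session(session: str):
    """Return the role only if the tag verifies; None if tampered or absent."""
    body, _, tag = session.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return json.loads(body)["role"]

def approve_transfer_weak(request: dict) -> bool:
    # Weak: the decision rests on a hidden field the client controls.
    return request.get("is_admin") == "true"

def approve_transfer_hardened(request: dict) -> bool:
    # Hardened: client-supplied privilege hints are ignored entirely;
    # the role comes from state the server signed itself.
    return role_from_session(request.get("session", "")) == "admin"

def demo():
    teller = issue_session("alice", "teller")
    # Constructed tampered request: hidden flag flipped and the role
    # edited inside the session body without a valid tag.
    forged = teller.replace('"teller"', '"admin"')
    tampered = {"is_admin": "true", "session": forged}
    honest_admin = {"session": issue_session("bob", "admin")}
    return (approve_transfer_weak(tampered),
            approve_transfer_hardened(tampered),
            approve_transfer_hardened(honest_admin))

if __name__ == "__main__":
    print(demo())
```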
Virus Attacks in Mobile Apps
There are different types of computer viruses, Trojans such as the Zeus Trojan, and malicious programs that target mobile app users. Attackers have also used the Zitmo virus to infect SMS apps. The Zeus virus is commonly used by hackers to gain access to mobile transaction authentication numbers such as passwords.
Svpeng malware: Kaspersky Lab discovered a breed of malware targeting mobile devices called Svpeng. This malware targets Android devices, looks for specific mobile apps on the phone, then locks the phone and demands money to unlock it. According to the research, Svpeng breaks into a mobile device through a social engineering campaign using text messages; once it has wormed its way into a device, the malware looks for apps from a set of institutions such as banking institutions. Besides that, the Trojan also contains code that could be used for file encryption; it could therefore encrypt files stored on the mobile device and demand money to decrypt them.
In addition, the threats to mobile app security include Trojans, rootkits and viruses. For instance, well-known malware affecting mobile banking apps includes Zitmo, Hesperbot, ZertSecurity, DroidDream and keyloggers. Cyber criminals have been refining this malware to target mobile devices for access to databases, in order to steal information such as bank account details.
Security Measures on Mobile Apps
In the wake of the explosion of mobile devices, organizations are increasingly embracing mobile apps to improve and increase productivity. New data indicates that there is always room for improvement in production. A recent study of businesses by the Ponemon Institute for IBM found that the average company tests less than half of the mobile apps it builds, while 33 percent never test their apps for security at all before they are made available on the market. The disparity is large and could potentially expose users to sophisticated cyberattacks, enabling hackers to gain access to personal data on mobile devices. There are a number of ways in which both mobile app developers and organizations can secure and protect against mobile app risks and threats. These include:
Building secure mobile apps: research shows that mobile malware exploits vulnerabilities and bugs in the coding of mobile apps. Applying security best practices to mobile app development, including the use of source code scanning tools, can help make mobile apps resistant to attack. Code from third parties, or any app that can coexist on the phones used by employees, should be critically analyzed. For such code, the executable rather than the source code should be scanned. This concern arises out of a growing trend of hackers creating fake app versions. Hackers have become adept at obtaining a public copy of a mobile app, reverse engineering and manipulating it, placing malicious code into the app and redistributing it to the market.
Preventing data theft and leakage: when mobile apps access company data, the documents are often stored on the mobile device itself. This is very risky, since if the device gets lost or if data is shared with a non-business application, the potential for data loss is heightened. I fully encourage businesses to develop a Selective Remote Wipe capability to erase sensitive data from stolen, lost and otherwise compromised devices. This can restrict the sharing of company data with non-business apps and thus help prevent data leakage.
Think security early on: developers should consider security one of the topmost priorities while developing any mobile app. A security checklist at the inception phase can help to oversee and map possible scenarios during design, development and deployment of the app. Moreover, by implementing security best practices, developers can assess the potential data threats and attacks that may arise, which can help them rectify any underlying performance issues in the app.
Examine development framework and operating system vulnerabilities: implementing mobile apps on legacy platforms and operating systems can increase the likelihood of security attacks on the apps. Therefore, leverage the latest platforms, as they help alleviate the security risk: they are frequently updated with security patches and advanced data protection features.
Secure app data on devices: even though the data stored on devices is recoverable, designers and developers must understand that it poses a potentially dangerous risk. If storing data on the device is a requisite, consider proven encryption methods such as the 256-bit Advanced Encryption Standard (AES) symmetric-key algorithm to store data on a device in the form of databases, files and other secure data sources. Encryption key management should also be factored in when formulating the mobile application security.
CONCLUSION: In this research paper, we have discussed security issues that relate to mobile apps and examined issues in the architecture, as well as some security measures and solutions to deal with the related security challenges. We have realized that mobile apps need a foundation that enhances app security and supports future advanced technologies. This ensures that mobile apps and their security framework remain future-proof and hence require fewer resources to manage.