Every mobile app company in the world claims that its applications come with ‘100% security assurance’. To be fair, most of them do run rigorous testing procedures (on devices, in the cloud, and so on) to find and fix bugs before release. Considering that it can cost close to $5000 to identify and fix a major bug or piece of malware once an app is already in the stores, such precautions on the part of app companies are hardly surprising. Unfortunately, awareness of mobile app security among general users remains rather low. That, in essence, is the topic under the scanner in this week’s edition of AppBoard Tuesday (ABT).

Before jumping headlong into the discussion on mobile app security, a myth needs clearing up. There is a popular misconception that, while malware is a pretty common feature of Android apps, iOS applications are more or less bug-free. The statistics suggest otherwise: on average, 4 out of every 10 free iPhone apps are hacked each quarter, so they are exposed to attack as well. For the record, close to 80% of the featured free Android apps can be hacked.

So how do you ensure that the apps you download are indeed bug-free, and that their chances of being hacked are minimal? The following tips should come in handy:

Download with care – Do not rush to download and install every new app that arrives in the stores. Get apps only from the official stores (the Apple App Store and Google Play Store), and read the user reviews before downloading. The privacy policy and the official terms and conditions are worth going through as well. In short, know what you can about a piece of software before you put it on your device.

Insist on safe handling of inputs – For most data-driven mobile applications, SQL injection is a major security threat. The advice often given is to ‘filter all inputs’ on the device, but filtering alone is not a reliable defence: a blacklist of dangerous characters is easy to get wrong, and anything enforced only inside the app is bypassed by an attacker who talks to the backend directly. The fix that actually works is for the developer to use parameterized queries (prepared statements) wherever user data reaches a database, and to validate input again on the server. If you are having an app built, ask how it does this.

Know the unique security layers of your device – The security features (and the vulnerabilities) of iOS are different from those of Android, and BlackBerry and Windows devices have their own security frameworks as well. Do some research on the platform- and device-specific security features. Security is not standardized across mobile platforms, and knowing how yours works will help you select suitable apps for it.

Are you hiring a mobile app agency? – If yes, be very careful while making your choice. Do not be lured in by free app quotes and ‘too good to be true’ testimonials showcased by shady companies. Check app portfolios, talk to the company representatives, and ask about the app testing standards they maintain. Hire a company with a decent track record of creating successful apps for third-party clients.

Perform static and dynamic verification of apps – Or, if you can’t, get someone familiar with mobile technology to run the tests. Static verification inspects the app’s code or binary without running it, to make sure that dangerous API usage (cleartext connections, secrets written to unprotected storage, disabled certificate checks) has not wormed its way into the build. Dynamic verification runs the app against its backend systems in a live environment and observes what it actually sends and stores. Neither is yet very popular, but as mobile security concerns grow they are likely to become integral parts of mobile application testing.

Choose a VPN over public, unprotected Wi-Fi – Everyone uses mobile internet on the go, but precious few people know how their favourite web-enabled apps reach the network. More often than not it is through an open, unencrypted public Wi-Fi hotspot, which is bad news from a security perspective: anyone on the same network can read or tamper with unprotected traffic. Connecting through a virtual private network (VPN) encrypts the hop across the hotspot. Bear in mind that a VPN only protects traffic as far as the VPN provider; the app itself still needs to use HTTPS for its own connections (see below).

Know the importance of passcodes and app locks – Whenever you step away from your smartphone or tablet, spend the few extra seconds to lock it with a unique, secure passcode. That rules out anyone messing about with your apps in your absence. Many apps come with their own locking options; turn them on for any app you do not intend to use for a while. And try not to hand your handset to other people. It is your personal device, after all.

The importance of ‘https://’ and safe storage – Agencies that build iPhone and Android apps emphasize this. When an app pulls content from the web, including from a mobile content management system (CMS), the connection should be over HTTPS, so that the content cannot be read or modified in transit. On the storage side, avoid keeping secrets in ‘NSUserDefaults’: it is an unencrypted preferences store, and anything sensitive (passwords, session tokens) belongs in the iOS Keychain, or in Keystore-backed storage rather than plain SharedPreferences on Android. Ideally, an app should hold as little confidential information as it can get away with, whatever its security attributes. Who knows when a hack attack might come calling?

Having an antivirus application is important – Particularly for Android users. You might mistakenly download a buggy app from the store (Google Play, in particular, has plenty of them), and a reliable anti-malware app such as McAfee, Avast or 360 Mobile Security helps make sure that a faulty app does not infect your device. iPhone and iPad users should note that iOS sandboxing prevents such apps from scanning other apps, so on that platform they mainly add web and phishing filtering. The point stands, though, that iOS apps are not necessarily ‘bug-free’, as noted above.

Protect your data in transit – Every quarter, hundreds of new instant messaging (IM), photo-sharing and file-sharing apps are released. Most are properly tested, but there is the occasional ‘black sheep’ that flouts app security guidelines. So, before trusting a new app with important information, check that it encrypts data in transit (and, for messaging, preferably end to end). Your app login details must also be kept private and secure.

Delete hoax messages and meaningless chain mails – The ‘forward this message to 10 of your friends NOW’ messages on WhatsApp and WeChat may seem like fun, but they can be security threats too. Many contain a link (rest assured, there will be a ‘call-to-action’) that leads to a malware download or a phishing page. Many people do not forward such messages, but do not delete them either; that leaves the link sitting there for a careless tap later. Get rid of every hoax message as soon as possible.

Do not keep Bluetooth or Wi-Fi on unnecessarily – Device-to-device and device-to-network connectivity should be switched on only when you need it. Many users never turn Bluetooth off after a file transfer is complete, and the same goes for Wi-Fi, which stays on even when mobile data would do. Remember, the more ‘open’ you keep your smart device, the greater the scope for a hacker to target your apps.
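The point about input filtering, shown in code. This is an added example, not code from the original post or from the agency behind it; it uses Python’s built-in sqlite3 module and constructed sample data (the users, passwords and attack strings are made up for the demonstration). It shows a login query built by string concatenation falling to a classic injection, a quote-stripping ‘filter’ being bypassed in a numeric context where no quotes are needed, and the parameterized versions of both queries shrugging off the same inputs.

```python
import re
import sqlite3

# Constructed sample data: a tiny user table standing in for an app's backend store.
USERS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (3, "carol", "pw-carol")]

# Constructed attack inputs.
INJECTION_STRING = "' OR '1'='1"   # closes the quoted literal, then adds an always-true clause
INJECTION_NUMERIC = "1 OR 1=1"     # needs no quotes at all, so quote-stripping cannot stop it


def make_db():
    """In-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation, so user text is parsed as SQL."""
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def strip_dangerous(text):
    """The 'filter all inputs' blacklist the tip suggests: drop quotes and semicolons."""
    return re.sub(r"['\";]", "", text)


def user_by_id_filtered(conn, user_id):
    """Filtered, but still concatenated. In a numeric context no quote is needed, so
    '1 OR 1=1' survives the filter untouched and widens the WHERE clause to every row."""
    query = "SELECT name FROM users WHERE id = " + strip_dangerous(user_id)
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, name, password):
    """Placeholders fix the statement's structure; the inputs are bound as values and
    never parsed as SQL, whatever characters they contain."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def user_by_id_parameterized(conn, user_id):
    """Same for the numeric case: the bound text '1 OR 1=1' is compared as a value
    against the integer id column and matches nothing."""
    query = "SELECT name FROM users WHERE id = ?"
    return sorted(row[0] for row in conn.execute(query, (user_id,)))


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, honest login:   ", login_vulnerable(conn, "alice", "pw-alice"))
    print("vulnerable, injected login: ", login_vulnerable(conn, "alice", INJECTION_STRING))
    print("filtered lookup, injected:  ", user_by_id_filtered(conn, INJECTION_NUMERIC))
    print("parameterized, injected:    ", login_parameterized(conn, "alice", INJECTION_STRING))
    print("parameterized lookup, inj.: ", user_by_id_parameterized(conn, INJECTION_NUMERIC))
```

The concatenated login returns every user when handed the injection string, and the filtered lookup returns every user when handed the numeric payload, because the filter never saw anything it considered dangerous. Both parameterized versions return nothing for the same inputs. The same applies whether the database is SQLite on the handset or a server-side store behind the app’s API; in the latter case the check has to live on the server, since the app’s own filtering can simply be skipped.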
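What a static verification pass actually looks at, as an added example (not code from the original post or from the agency behind it). The script below is a small rule-based scanner in Python: it runs a few regular-expression checks over constructed source excerpts, made up for this example, that commit the mistakes called out in the tips above (a hard-coded ‘http://’ URL, a password written to NSUserDefaults or SharedPreferences, an Android hostname-verifier override), and over corrected versions of the same lines. The helper names storeInKeychain and secureStore in the ‘good’ excerpts are assumed placeholders, not real APIs. Real static-analysis tools go far beyond line-by-line regexes, but the principle is the same: catch dangerous API usage before the app ships.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately insecure excerpts of the kind a static check should flag.
# They are not taken from any real app.
IOS_BAD = '''\
let baseURL = "http://api.example.com/v1"
NSUserDefaults.standardUserDefaults().setObject(password, forKey: "password")
'''

ANDROID_BAD = '''\
SharedPreferences prefs = getSharedPreferences("session", MODE_PRIVATE);
prefs.edit().putString("password", password).apply();
URLConnection c = new URL("http://api.example.com/login").openConnection();
factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
'''

# The same logic written the way the tips ask for: HTTPS only, secrets in the Keychain
# or a Keystore-backed store. storeInKeychain and secureStore are assumed helper names.
IOS_GOOD = '''\
let baseURL = "https://api.example.com/v1"
storeInKeychain(password, account: "login")
'''

ANDROID_GOOD = '''\
URLConnection c = new URL("https://api.example.com/login").openConnection();
secureStore.put("login", password);
'''

# Each rule is a regex over one source line. A real scanner has many more rules and
# understands the code rather than matching text.
RULES = {
    "cleartext-http": re.compile(r"""["']http://"""),
    "secret-in-userdefaults": re.compile(r"UserDefaults.*(password|token|secret)", re.I),
    "secret-in-sharedprefs": re.compile(r"(SharedPreferences|putString).*(password|token|secret)", re.I),
    "hostname-check-override": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|setHostnameVerifier\("),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


def scan_source(source):
    """Run every rule over every line; one finding per (rule, line) hit, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, lineno, line.strip()))
    return findings


def rules_hit(source):
    """Just the rule names, in line order, for quick comparison."""
    return [f.rule for f in scan_source(source)]


if __name__ == "__main__":
    samples = [("iOS (bad)", IOS_BAD), ("Android (bad)", ANDROID_BAD),
               ("iOS (good)", IOS_GOOD), ("Android (good)", ANDROID_GOOD)]
    for name, src in samples:
        print(name)
        for f in scan_source(src):
            print(f"  line {f.line}: {f.rule}: {f.text}")
```

Run stand-alone, the two ‘bad’ excerpts produce five findings between them and the two ‘good’ excerpts produce none. The hostname-verifier rule is deliberately a review flag rather than a verdict: overriding the verifier is occasionally legitimate, but it is exactly the kind of line a human should look at before a build is signed off.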

Rooting Android devices and jailbreaking iPhones is a common activity among smartphone owners. Most people do not stop to consider how risky it is: beyond voiding the warranty on iDevices, it weakens the platform protections (code-signing and sandboxing restrictions) that keep a malicious app from reaching the rest of the device. Near-field communication (NFC) is coming with Apple Pay, and those who wish to make mobile payments with it have to be doubly cautious. Mobile app developers and security analysts also advise turning on remote data wiping for your device and, where an app offers it, for the app itself, so that a lost phone need not mean lost data.

With that, we come to the end of this week’s AppBoard Tuesday (ABT). Do share the mobile security measures you use, and any other ways you know of to use mobile applications more safely. You can also suggest other app-related topics you would like covered in future editions of ABT.

An update on what our in-house app developers are working on now: Doo’l (https://www.behance.net/gallery/21451327/Dool), an image-based social networking app, is in the final stages of testing and will be launched soon. We have also started work on three other new apps – myBabySitter, iChatty and 1Cloud2. Wish us luck with those.

Till next Tuesday, ABT will take your leave. Don’t forget to…stay zapped with apps!