Over the past decade, the exponential rise in the use of mobile devices has transformed the way we live. This transformation has been accompanied by increasingly sophisticated criminal attempts to access the devices we use and depend upon. As our personal and work data is the prize, only the best security will suffice.
Do you know how, and to what, your smartphone apps are "calling home"?
By 2020, annual app store downloads could rise to around 284 billion. Developers recognize that trust is of the utmost importance when it comes to keeping and attracting customers. To serve customers well, developers must provide secure and convenient mobile applications. This requires a mobile security framework for mobile operating systems that developers can build on: one that prevents the unauthorized analysis, modification, copying, and usage of the most security-relevant parts of a mobile application, and which thereby blocks access to the all-important user information that customers expect and demand to be protected.
A multi-layer app security framework is needed
A software-based security solution incorporates many different layers of software security technologies (like an onion) to strengthen the level of security.
The onion-like layering of different security walls aims to hinder an attacker to such an extent that the time required to extract assets exceeds the interval at which the application is regularly updated. It offers the best possible application security thanks to applying all security features at the same time.
How does such a framework work?
Once the user has downloaded an app from an App Store and is running it for the first time on their mobile device, the framework will contact its related Cloud to perform some background security checks to ensure the integrity of the mobile app. Based on these checks, the app either runs or refuses to run and, if necessary, informs the user of the reason.
The framework should also enable risk and threat management: an independent risk assessment can be performed by the service provider on its servers rather than by the application itself. Although not mandatory, this step is highly recommended as it further minimizes the risk of misuse or manipulation of the mobile application by the hacker. Such an out-of-band (OOB) check provides an additional layer of security in the background that is not visible to the hacker.
Example: Rental Car app – protecting access keys
The following example discusses how a temporary rental car key could be protected by such a framework. Taking the overall architecture as the setting, the following assumptions are made:
- The end-to-end architecture is a secure architecture and its security assets, security anchors, and attack vectors have been assessed and documented.
- The rental car key is temporary, based on derived credentials.
- The derived credentials will be created on demand, based on the relevant security situation, e.g. daily, weekly, or when the driver changes (e.g. rental enterprise).
- The derived credentials will be handled by the functions in the Secure Memory Management module.
- In this specific situation the enterprise key can be revoked (declared “inactive”) via the framework.
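To make the assumptions above concrete, here is an added example (not code from the framework or the post): a temporary rental key is derived from an enterprise key bound to a driver and a validity day, and every unlock request is first assessed out of band by the service provider (revocation and expiry) before the key itself is compared. HMAC-SHA256 is assumed as the derivation function, and the enterprise key and revocation list are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder; in practice the enterprise key is held by the
# Secure Memory Management module, never in source code.
ENTERPRISE_KEY = bytes.fromhex("11" * 32)

# Enterprise keys the service provider has declared "inactive" (constructed).
REVOKED_ENTERPRISE_IDS = {"fleet-B"}


def derive_rental_key(enterprise_key, enterprise_id, driver_id, valid_day):
    """Derive a temporary key bound to one enterprise, one driver and one day.

    Any change in the context (new driver, next day) yields an unrelated key,
    so credentials can be re-created on demand without rotating the master.
    """
    context = f"rental-key|{enterprise_id}|{driver_id}|{valid_day}".encode()
    return hmac.new(enterprise_key, context, hashlib.sha256).digest()


def server_side_check(enterprise_id, valid_day, today):
    """Out-of-band assessment run on the provider's servers, not in the app."""
    if enterprise_id in REVOKED_ENTERPRISE_IDS:
        return False, "enterprise key revoked"
    if valid_day != today:
        return False, "derived credential expired"
    return True, "ok"


def unlock_request(enterprise_id, driver_id, valid_day, presented_key, today):
    """Decide an unlock: OOB check first, then constant-time key comparison."""
    ok, reason = server_side_check(enterprise_id, valid_day, today)
    if not ok:
        return False, reason
    expected = derive_rental_key(ENTERPRISE_KEY, enterprise_id, driver_id, valid_day)
    if not hmac.compare_digest(expected, presented_key):
        return False, "key mismatch"
    return True, "unlocked"


if __name__ == "__main__":
    key = derive_rental_key(ENTERPRISE_KEY, "fleet-A", "driver-1", "2020-02-06")
    print(unlock_request("fleet-A", "driver-1", "2020-02-06", key, "2020-02-06"))
    print(unlock_request("fleet-A", "driver-1", "2020-02-06", key, "2020-02-07"))
```

The revocation set and the "today" value stand in for the provider's server-side state; the app only ever presents a derived key, never the enterprise key.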
Mobile applications are the critical infrastructure of today’s digital world. An app security framework can help your business to become an innovative organization of tomorrow:
- Focus on your core competency: app development.
Don't worry about security: the framework takes care of it.
- Customer satisfaction is your goal.
The framework helps you develop secure mobile apps faster, so you can meet your project timelines.
- Knowledge is power.
You should know what your mobile apps are doing out there in the wild.
Please send me your comments via email. Thanks.
Also relevant:
Trusted Apps: Fighting smartphone snooping (blog post @bimpress1) https://bimpress1.wordpress.com/2020/02/06/trusted-apps-kampf-gegen-smartphone-schnueffelei/#more-1602