Checklist for Data and Mobile App Security

While evaluating mobile app security, there are three major areas that developers check: the server side, the client side, and the protocols by which data is moved between them. These tasks can further be divided into the following:

  • Analyzing how information is sent over the internet
  • Checking the privacy settings
  • Checking how the data is stored
  • Evaluating security through pentesting

Web Traffic Analysis

There are different ways through which iOS apps exchange and transfer data:

  • Unencrypted protocols, for example HTTP – What you need to check here is whether these protocols are being used to move confidential data.
  • Secure protocols, for example HTTPS – What you need to check is whether SSL certificates are being validated, or whether the app accepts any certificate presented to it.
  • Low-level data transfer protocols and non-standard protocols.

Privacy

What we check here is whether the app accesses user data without verifying the user's credentials.

Data Storage

During a standard iOS app installation, the system creates a folder with a unique ID in Applications/mobile/var.

Here we should look at the following:

  • Plist Files: The content and any hidden options
  • Keychain: What is stored and whether the passwords are securely encrypted
  • Cache: What is cached?
  • Logs: Whether the processes are logged and whether any confidential data ends up in the logs

Penetration Testing

Penetration Testing is a powerful tool which exploits an app’s vulnerabilities and assesses the app’s ability to withstand a malicious attack. We advise you to do regular pen testing if your application handles bank cards and other confidential information. For some kinds of apps this test is essential, for example mobile payment apps.

Application Traffic Analysis

HTTP: Everything is clean here. Secure data is not transferred using unencrypted protocols.

HTTPS: Everything is clean here as well, and all certificates are verified.

Channels through Which Bank Card Numbers Can Be Transferred

Since multitasking is not supported by the device, the channels could not be checked for bank card data transmission. This task would have required logging in without a proxy while concurrently inspecting the sent data with a proxy.
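The traffic-analysis checks above (confidential data over unencrypted HTTP, and card numbers leaving the app) can be run over a proxy capture once one is obtained. The following is an added example, not code from the original post: it scans constructed sample request lines, keeps only plain `http://` requests, and reports any Luhn-valid card-number-shaped digit sequence, masked. The log format and hostnames are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of proxy-captured requests (not real traffic).
# Format assumed for this example: "METHOD URL | body".
SAMPLE_CAPTURE = [
    "POST http://api.example.test/pay | card=4111111111111111&exp=1227&cvv=123",
    "POST https://api.example.test/pay | card=4111111111111111&exp=1227&cvv=123",
    "GET http://cdn.example.test/img/logo.png | ",
    "POST http://api.example.test/order | id=1234567890123456&qty=2",  # fails Luhn
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit sequences found in text (separators removed)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def flag_plaintext_pans(capture: list[str]) -> list[tuple[str, str]]:
    """Return (url, masked_pan) for every card number sent over plain http."""
    findings = []
    for line in capture:
        request, _, body = line.partition(" | ")
        _method, url = request.split(" ", 1)
        if urlparse(url).scheme.lower() != "http":
            continue  # HTTPS traffic is covered by the certificate-validation check instead
        for pan in find_pans(url + " " + body):
            findings.append((url, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return findings


if __name__ == "__main__":
    for url, masked in flag_plaintext_pans(SAMPLE_CAPTURE):
        print(f"card number over plain HTTP: {masked} -> {url}")
```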

Privacy

This is clean as well; there is no unauthorized access to user data.

To sum up, if the app under review is not secure enough, a malicious user can easily access the account data and the password, and the acquired login can allow attackers to change profile parameters. They can gain access to crucial information, which can then be used to harm the user.
