How to Secure Sensitive Data in Mobile Applications?

How to secure sensitive data in mobile applications from malicious attacks or leakage? Let's find out.

Since the pandemic, mobile phones have become a major business tool with employees mainly working remotely. Corporate data is stored, and critical tasks are performed on mobile. By 2024 60% of all US employees will work almost exclusively on their mobiles (Checkpoint security report here). How can we keep this piling data secure? Let's take a look at the mobile apps' security issues.

What kind of mobile data should be considered sensitive?

Smart mobile devices are widely used, both for private and professional purposes. People store their contact networks, photos, financial updates, messages, and even medical history on their mobiles. Suppose we define "sensitive data" as any data available only to the users with permission (for its confidential character). In this case, most data stored and transferred from and to the phone is sensitive. And this is why each data leakage is a severe security breach.

What is the threat? Mysterious "man in the middle"

There are three vulnerable localizations in mobile applications: smartphone, server, and transferred data. Hands-on data is stored on the phone, while most mobile information stays on servers and is available on request and only after identification. Data is transferred to the phone from servers and back. But what if there is somebody in between them?

"Man in the middle"

Mobile apps are especially vulnerable to "man in the middle" attacks. The attacker intercepts the data sent from and to the server. As a result, login credentials, confidential data, and even files can be seized and used for the attacker's benefit.

It happens primarily due to:

• the number of apps downloaded and kept on the phone - many of the available apps are already compromised and are super easy for the "man in the middle" to enter, so each app added is one step backward on the way to the phone's security,
• the fact that users use their phones for professional and private purposes - with BYOD (bring-your-own-device) policy, it is harder to manage on which devices business-sensitive data is stored, and mixing of the goals of use makes it easier for the "man in the middle" to intercept even confidential corporate data,
• With the abundance of permissions, agreements, and "confirm" buttons - users don't pay enough attention to what they agree to, which is a perfect occasion for any malicious interception attempt.

So even if your application is secure-tended, there is always a risk that one or a few other apps installed on the user's mobile are already infected with malware. It is why extra measures are always welcome in securing sensitive data in mobile apps.

Best ways to secure sensitive data in mobile applications

Securing is not sealing, but it definitely is controlling the controllable. So how to keep sensitive data secure in the mobile app?

1. Encrypt the app data - cryptography is a common practice in application security and a must to avoid malicious practices.
2. Collect enough data, but no more than you need - each company has to collect data, but it is good practice to only store essential data, nothing extra.
3. Make sure your product is regularly updated - maintain an honest and friendly relationship between the business and the development team to ensure that you are aware of vulnerabilities.
4. Shift the responsibility for potential attacks to server security companies - they are the first to know of any server-based leakage anyway.
5. Conduct mobile penetration tests and bug bounty - challenge your app to ensure it is secure and clogs any potential leakage source.

Do you want to know more technical details about securing mobile applications on a specific case we have been working on? See this article: How to improve the security of a mobile application in Android based on nDPI library implementation?

What do technologies and the security of sensitive mobile data have in common?

Cryptographic software is possible in any programming language. It's not that something is or isn't secure - it all depends on how the developers use a given technology.

A significant advantage of open-source frameworks is the strength of the community, which often reports potential security issues on its own. Because many people take care of the tech's impermeability, the detection rate is high, as is the update frequency.

Let's take a closer look at some popular mobile tech stacks.

Django

It is a web framework for Python lovers. With SQL queries abstracted away from developers and parametrized due to Queryset API, robust user authentication and authorization, password hashing, and XSS-proof templates, Django is a powerful choice in terms of security. On the other hand, all web frameworks introduce a new way to penetrate the existing app - through the developer's computer.

Spring

Spring is a Java framework for authentication and authorization, serving as a security backbone. The other one, Spring Vault, enables secure data storage and management, while Spring's native HtmlUtils.HTML escape method can prevent XSS attacks. The main disadvantage of Spring is a complicated SQL injection prevention - primarily due to the high maturity of this framework.

Nginx/Gunicorn

Gunicorn is an application server for Python-based programs, while Nginx is a front-facing web server, a reverse proxy. Gunicorn serves the Flask app, and Nginx sits in front of it and decides where a specific request should be directed. So if the incoming request is an HTTP request, Nginx redirects it to Gunicorn, and if it is for a static file, it serves itself. Nginx/Gunicorn is renowned for its high security. Remember that the security updates are released really often - make sure you follow.

Not secure enough? Let's build a brand new mobile system!

Some applications require the highest mobile security, which existing solutions cannot guarantee.

Several solutions have already been developed in response to this demand. For example, Biocoded was created to provide super-secure communication and file storage on the phone, and Coperhead OS is a completely new, ultra-secure version of Android.

We also had the pleasure of creating a custom smartphone system together with RAW Cyber. Thanks to efficient SCRUM-fueled workflow, as well as relentless brainstorming and development, RAW Secure Phone has hatched. Based on Copperhead OS mentioned above, it combines military-class security with casual smartphone features. It is a perfect solution for business owners and individual customers who like their data to be ultra-secure. Want to know more about how we did it? See our RAW Cyber case study.