Mobile app security

One of our corporate applications has recently issued a Windows/Android app for smartphones, to give the users an alternative to using their web app. The suppliers are a relatively small company. Some of the end-user smartphone devices are currently not encrypted, but the suppliers say this is not a show stopper as security is 'contained' within the app itself. The login to the app is single-factor authentication, username/password. How practical is it that security for an app would be 'contained' within itself, so if someone lost the smartphone with the app itself there would be no data specific to the app accessible on the device's storage? And perhaps more relevant, what type of testing would you suggest to see what data specific to the app is stored and retrievable on the phone itself? Or what types of security-sensitive data do/could apps leave on the phones themselves, and what could be retrieved if the device was lost/stolen?
pma111 asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Well, this App developer doesn't know much about security.

All Apps + Sites these days should be wrapped in SSL.

Any App or Site not wrapped in SSL sends plain text user/pass info over the wire. Anyone can scrape this data + login to the App/Site with any scraped credential.

Always use SSL.

And... this may seem harsh... Instantly fire anyone who says SSL isn't a requirement. They're either clueless or lying, neither of which is acceptable in someone you're paying.
Kimputer commented:
Device loss is your own responsibility. Just have a policy that long passwords are used to unlock the phone. It's a totally separate issue from this app's security.
As for this app, having data unencrypted, just means it could be intercepted, if for instance, a user is on an open compromised Wifi network.
pma111 (Author) commented:
It definitely uses SSL. I was more interested in whether any local data may reside on the phone, as the phones are encrypted themselves, so if someone physically lost the device or it was stolen, may there be any data relating to the app locally retrievable on the device itself? The app itself does store fairly sensitive information.

I was saying the devices which have this app installed are not all encrypted, but the app does use SSL to communicate with the application server.
Kimputer commented:
We can't answer that for you. We don't know if any data is even stored (while you may think it's stored in the app, it could easily just be retrieved from the server every single time), and if it is, whether it's encrypted or not.
You can easily use full phone encryption (assuming you already knew iPhones are encrypted by default, as well as newer flagship Android phones; only external cards aren't encrypted by default); there are a lot of apps available for others.
pma111 (Author) commented:
In case it is of any use, this checklist seems to be what I was after:

https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf - namely V2 of the checks.
Kimputer commented:
We still can't answer that for you. Send samples of your full data storage (sorry, you may be leaking information that way, because you can't anonymize data when you don't know what it is), or ask the developer.
If you want to take care of it yourself, buy a flagship phone you know has full encryption available (iPhone, Google, Samsung flagship) and enable it by setting up the phone with a long password (additionally add fingerprints).
btan (Exec Consultant) commented:
There can be an in-depth containerisation approach where the data is not accessible to other apps and is stored on disk (or at rest) encrypted.

Typically, to make life easier for developers, since most of them are not security-centric or trained, a Trusted Application Software Development Kit (TA SDK) can be leveraged. The apps are encapsulated with a security interface to access the data store that is isolated from other apps and encrypted at rest...

An example is V-OS, which uses an elaborate approach to virtualise the secure element in the mobile OS.
To support the loading of multiple apps within the same secure element, memory isolation between apps must be enforced. In V-OS, the trusted storage spaces are persistent repositories that are accessed by a single unique storage key.

The trusted storage keystore functions as a keychain; it holds the storage keys for the next tier of trusted storage spaces, which are accessible only by the individual trusted apps and kernel. This mechanism enforces the memory separation between the individual apps' confidential data, emulating the memory isolation in hardware secure elements.

The TA's storage keys themselves can be configured by the TA developer.
V-OS provides a comprehensive cryptographic library, for symmetric ciphers, stream ciphers, hash functions and their derivatives, random number generation, and public key cryptography. TA developers can call C functions in the provided firmware libraries from the Trusted Application Software Development Kit (TA SDK).
https://www.v-key.com/articles/cryptography-in-v-os

Scott Fell (EE MVE, Developer & EE Moderator) commented:
> to give the users an alternative to using their web app.
> the suppliers are a relatively small company
> security is 'contained' within the app itself

Adding all of this up, is the app a true native app? Or did they wrap the web app into a native web view app? If it is the web app presented in a web view, then security does not change from the original web app.
Jackie Man (IT Manager) commented:
Actually, you are reversing the procedure for testing app security.

You need to determine and state the requirements on app security for your corporation to your service provider before they actually develop an app.

Without the requirements, it would be vague to determine whether the app developed is secure, using the specific tests to validate whether your requirements have been met or not.
btan (Exec Consultant) commented:
You would not expect developers to be security-centric, so the security test tool should ideally be part of their compilation and development studio kit. The security requirements may probably be assumed and reviewed through.

It is about security by design: injecting a sprint of security design review and validation of controls (from the design agreed) into the modules coded, and integrating all of these modules into the final application acceptance test.

If the security design is not in place, and a threat risk assessment review has not been conducted, and the code is developed, then it will be, kind of, "putting the cart in front of the bull". Need to firm up and do the first thing right in getting the assessment review done and the controls to be developed identified.
Brandon Lyon (Senior Frontend Developer) commented:
> How practical is it that security for an app would be 'contained' within itself, so if someone lost the smartphone with the app itself there would be no data specific to the app accessible on the devices storage.

Many apps require a login or authentication of some kind where any app-related data is stored solely on a server. Data is temporarily stored in RAM while the app is accessing it. This info can't be easily accessed maliciously. The most likely thing to be stolen would be any unsecured credentials for the app which are saved for later (i.e. a login/password without salt/hash/encryption of any kind). It's best to use Android's or iOS' secure credential storage for that reason.

When a device is lost the lockscreen should keep someone out. The app could be made to require authentication whenever a lockscreen turns on/off. This helps to cover the case where someone doesn't have any lockscreen security beyond swipe to unlock.

Third party apps could steal user data which is why anti-malware applications are important on mobile devices.
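Added example, not code from any of the posts above: a Python script in the spirit of the MASVS V2 (data storage) checks pma111 linked and the unsecured-credentials point Brandon raises. It assumes the app's data directory has already been pulled from a test device or emulator (for instance with adb from a debuggable build) and scans SharedPreferences XML files and SQLite databases for credential-like keys that hold plaintext values; the directory it builds for itself is constructed sample data, not output from any real app.

```python
import os, re, sqlite3, tempfile
import xml.etree.ElementTree as ET

# Key/column names that suggest credentials or session material (constructed list).
SENSITIVE = re.compile(r"pass(word)?|pwd|secret|token|session|api[_-]?key", re.I)

def scan_shared_prefs(path):
    """Flag SharedPreferences entries whose key looks sensitive and holds a value."""
    hits = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        value = el.get("value", el.text or "")   # <boolean value=".."/> vs <string>..</string>
        if SENSITIVE.search(name) and value.strip():
            hits.append((os.path.basename(path), name, value))
    return hits

def scan_sqlite(path):
    """Flag SQLite columns whose name looks sensitive and that hold non-empty rows."""
    hits, con = [], sqlite3.connect(path)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            for _, col, *_ in con.execute(f'PRAGMA table_info("{table}")').fetchall():
                q = f'SELECT count(*) FROM "{table}" WHERE "{col}" IS NOT NULL AND "{col}" != \'\''
                if SENSITIVE.search(col) and (n := con.execute(q).fetchone()[0]):
                    hits.append((os.path.basename(path), f"{table}.{col}", n))
    finally:
        con.close()
    return hits

def scan_app_dir(root):
    """Walk a pulled /data/data/<pkg> tree; check shared_prefs XML and *.db files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if os.path.basename(dirpath) == "shared_prefs" and f.endswith(".xml"):
                findings.extend(scan_shared_prefs(os.path.join(dirpath, f)))
            elif f.endswith(".db"):
                findings.extend(scan_sqlite(os.path.join(dirpath, f)))
    return findings

def build_sample_app_dir():
    """Constructed sample of an app data directory; not data from any real app."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs")); os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "login_prefs.xml"), "w") as fh:
        fh.write('<map><string name="username">alice</string><string name="password">hunter2</string>'
                 '<boolean name="remember" value="true" /></map>')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.executescript("CREATE TABLE session (id INTEGER, auth_token TEXT);"
                      "INSERT INTO session VALUES (1, 'constructed-token-value');")
    con.commit(); con.close()
    return root
```

A clean result on a real pull is only a negative for these two storage types; files, caches and the app's own binary formats still need a manual look.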
btan (Exec Consultant) commented:
Actually, in the event a device is lost, a managed device will be issued a remote wipe, but that is probably not doable if you only wanted to do a remote wipe of selected apps but not the whole device. A custom script would have to be put in place. In such a situation, the optimal mode of operation is still to opt for a whole-device wipe (which is normally a format and factory reset).