<h1>How App Developers Can Reduce the Risk of Cyber Attacks</h1>
<p>Published 2019-01-28, last modified 2025-05-05, at <a href="https://intelligentbee.com/blog/app-developers-reduce-cyber-attacks/">intelligentbee.com/blog/app-developers-reduce-cyber-attacks/</a>.</p>
<p>The evolution of technology has brought seemingly endless benefits to both businesses and consumers. Progress has also brought setbacks, among them a steady rise in the number of cyber attacks. For most attackers the end goal is still financial gain, and with around <a href="https://www.riskiq.com/blog/external-threat-management/cyber-threat-landscape-how-evolving-how-to-respond/">249,662 new domains and 5,518,007 new hosts launching daily</a>, their pool of targets keeps growing.</p>
<p><img src="https://intelligentbee.com/blog/wp-content/uploads/2019/01/App-Developers-Reduce-Cyber-Attacks1.jpg" alt="App-Developers-Reduce-Cyber-Attacks" width="1800" height="1200" /></p>
<p>The proliferation of mobile technology has given cybercriminals a further platform. Third-party and affiliate Android app stores are used to distribute repackaged copies of official apps and outright fakes.</p>
<p>This makes security a critical consideration for app developers. Organizations must also regularly monitor app stores (and the web at large) for platforms hosting their apps without permission and for apps impersonating their brand. Here are a few issues that <a href="https://intelligentbee.com/blog/pros-and-cons-of-bespoke-software/">bespoke software</a> developers must be aware of.</p>
<h2>Common Risks for Mobile App Developers</h2>
<h2>1. Data leakage</h2>
<p>Breaches happen for different reasons. An unintended data leak occurs when app data ends up in a location the developer did not choose and that other apps or users can read, such as system logs, the keyboard cache, screenshots or device backups. This is usually caused by OS bugs or framework behaviour that is outside the developer's control.</p>
<p>Insecure data storage, by contrast, is something developers can control.</p>
<p>This refers to private data stored without proper encryption or transferred over unprotected channels. According to the Ponemon Institute, companies have around a 28% chance of experiencing at least one breach in the next two years, so it is worth being prepared.</p>
<h2>2. Social engineering</h2>
<p>Basic trickery is also dangerous on mobile, especially since the attack can be delivered by email. Outside of malware, phishing is the most common social engineering tactic, and mobile users are the most exposed because they check email more often.</p>
<p>The fact that a phone often shows only the sender's display name, not the address, may be a factor. According to an <a href="https://securityintelligence.com/mobile-users-3-times-more-vulnerable-to-phishing-attacks/">IBM</a> study, mobile users are three times more likely to respond to a phishing attack than desktop users.</p>
<h2>3. Interference through unsecured Wi-Fi</h2>
<p>Transmitting data over an unsecured Wi-Fi connection, especially a public one, is also a cause for concern.</p>
<p>According to a survey by security firm Wandera, a quarter of corporate mobile devices have connected to open and potentially insecure Wi-Fi networks, and 4% of those encountered a malicious interception recently. An app cannot control which network it is on, so it has to assume the network is hostile and protect its own traffic (see the transport layer section below).</p>
<h2>4. Physical device breaches</h2>
<p>A lost, unattended or old device can easily be compromised, especially if it has no strong passcode or storage encryption. The Internet of Things raises the stakes further, since a breach can affect not just one device but a slew of smartphones, tablets, wearables and other devices on the same network.</p>
<p>According to research by cybersecurity firm Raytheon, 82% of IT professionals say that unsecured IoT devices can cause a "catastrophic" data breach. It does not help that many IoT devices never receive timely software updates.</p>
<h2>5. Weak server-side controls</h2>
<p>Servers are a natural target for attackers: every user of the app talks to them, and they hold the data the app only displays.</p>
<p>App developers should take traditional <a href="https://geekflare.com/secure-web-application-server/">server-side security considerations</a> into account, or at least run an automated scanner to identify common issues with the server. Above all, the server must enforce every check the client performs; the mobile client is under the user's control and cannot be trusted to report its own permissions honestly.</p>
<h2>6. The absence of binary protection</h2>
<p>Binary protection (code obfuscation, anti-tampering and anti-debugging checks) is needed to raise the cost of reverse-engineering the app, injecting malware into it and redistributing the trojanised copy. It is a deterrent, not a guarantee: anything shipped inside the binary can eventually be extracted, so secrets and authorization decisions must not depend on it.</p>
<h2>7. Inadequate transport layer protection</h2>
<p>The transport layer is the path data takes between client and server. An attacker on that path, for example on the open Wi-Fi networks mentioned above, can read or alter traffic that is sent in clear text or over a TLS connection whose server certificate the app fails to validate, leading to fraud, identity theft and account takeover. Use TLS for every connection and keep the platform's default certificate validation enabled.</p>
<h2>8. Poor authorization and authentication</h2>
<p>Most mobile apps do not require users to stay online for the whole session, so some authenticate or authorize locally in order to keep working offline. Any permission check that runs only on the client, such as a cached flag saying whether the user is an ordinary user, an admin or a super admin, can be altered by whoever controls the device, and the app cannot tell the difference.</p>
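<p>The following is an added example, written for this edit and not code from the original post, showing how a backend should own the authentication and authorization decisions that the section above warns against leaving to the client, and how the password-hashing advice from the best-practices list at the end of the post looks in practice. It uses Python and only the standard library; the user table, the passwords, the token format and the <code>SESSION_SIGNING_KEY</code> environment variable are assumptions made for the example. The same structure applies whatever language the real server is written in.</p>

```python
"""Server-side authentication and authorization.

Added example, not from the original article. Assumptions: a user table
held by the backend, PBKDF2-HMAC-SHA256 for password storage, HMAC-SHA256
signed session tokens, and a signing key read from SESSION_SIGNING_KEY at
runtime instead of being hard-coded. All users and passwords are constructed.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 floor for PBKDF2-HMAC-SHA256

# The key is loaded at runtime. The random fallback exists only so this example
# runs offline; a real service fails closed when the variable is absent.
SIGNING_KEY = os.environ.get("SESSION_SIGNING_KEY", "").encode() or secrets.token_bytes(32)


def hash_password(password: str) -> str:
    """Salted, deliberately slow hash. Plain SHA-256 is not a password hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user table. The role lives only here, server-side.
USERS = {
    "alice": {"password": hash_password("correct horse battery staple"), "role": "user"},
    "admin": {"password": hash_password("s3cr3t-admin-pw"), "role": "admin"},
}
# Checked against when the username is unknown, so login timing does not
# reveal which usernames exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int = 3600) -> str:
    """The token says who the user is and until when. It carries no role:
    the role is looked up on every request, so it cannot be cached or forged."""
    claims = {"sub": username, "exp": int(time.time()) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def login(username: str, password: str) -> Optional[str]:
    """The password check happens here, on the server, never on the device."""
    record = USERS.get(username)
    ok = verify_password(password, record["password"] if record else DUMMY_HASH)
    return issue_token(username) if record and ok else None


def authenticate(token: str) -> Optional[str]:
    """Return the username if signature and expiry check out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
        return claims["sub"] if claims["exp"] >= time.time() else None
    except (ValueError, KeyError, TypeError):
        return None


def delete_account(token: str, target: str, client_says_admin: bool = False) -> str:
    """Hypothetical privileged endpoint. client_says_admin mirrors a flag a
    mobile client might send about itself; it is deliberately ignored."""
    user = authenticate(token)
    if user is None:
        return "401 unauthenticated"
    if USERS.get(user, {}).get("role") != "admin":
        return "403 forbidden"
    USERS.pop(target, None)
    return f"200 deleted {target}"


def forge_role_in_token(token: str) -> str:
    """What an attacker holding a low-privilege token might try: add role=admin.
    The payload changes, so the HMAC no longer verifies."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["role"] = "admin"
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return f"{_b64(forged)}.{sig_b64}"
```

<p>Two design points carry the weight here. First, the token is only an identity with an expiry; the role is read from the server's own records on each call, so there is nothing in the client's possession that can be edited to gain admin rights, and a tampered token fails the signature check before any claim is read. Second, the <code>client_says_admin</code> flag stands for any self-description a mobile client might send (a cached permission level, an "is_admin" field, a hidden menu being unlocked); the server accepts the request only if its own lookup says so.</p>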
<p>Gaps of this kind let an attacker drive the app with elevated rights, or replay the app's own requests against the backend, whenever the server trusts what the client says about itself.</p>
<h2>9. Damaged cryptography</h2>
<p>Broken cryptography comes from weak or outdated algorithms and from incorrect implementation, such as storing keys in easily accessible locations or hard-coding them into the binary. Attackers exploit such weaknesses to decrypt sensitive data and then manipulate or steal it.</p>
<h2>10. Client-side injection</h2>
<p>This refers to malicious input being executed on the client side of the app, or by way of an attack on the binary. The attacker supplies data (through an input field, a deep link, an intent, a push payload or a file) which the app hands to an interpreter, typically a local SQLite query, a WebView or a shell, without treating it as data. The interpreter switches context and runs the input as code, which can expose data belonging to other users or execute actions with the app's own privileges.</p>
<p>Developers need to identify every source of untrusted input and validate it, and to use parameterized queries and the platform's safe APIs instead of string concatenation. A code analysis tool can also be used to check that the application handles data correctly.</p>
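<p>As an added example (not part of the original post) of the client-side injection described above, the Python script below reproduces the defect in a mobile app's local SQLite database and its fix. The table layout, the search feature and the attacker's input are constructed for this example. Python's <code>sqlite3</code> module stands in for Android's <code>SQLiteDatabase</code>: a <code>rawQuery()</code> built by string concatenation has exactly the same problem, and binding the value through <code>selectionArgs</code> is the same fix.</p>

```python
"""Client-side SQL injection against an app's local SQLite store.

Added example, not from the original article. Assumptions: the app caches
messages in a SQLite table, keeps an OAuth refresh token in another table
in the same database, and offers a search box whose text ends up in a
query. All rows and the attacker payload below are constructed.
"""
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """In-memory database standing in for the app's on-device SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        CREATE TABLE secrets  (id INTEGER PRIMARY KEY, name TEXT, value TEXT);
        INSERT INTO messages (owner, body) VALUES
            ('alice', 'lunch at noon?'),
            ('alice', 'invoice attached'),
            ('bob',   'call me');
        INSERT INTO secrets (name, value) VALUES
            ('oauth_refresh_token', 'rt-0123456789');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, owner: str, term: str) -> List[str]:
    """The defect: untrusted search text is spliced into the SQL string, so the
    input can close the LIKE literal and append its own clauses."""
    sql = f"SELECT body FROM messages WHERE owner = '{owner}' AND body LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, owner: str, term: str) -> List[str]:
    """The fix: the statement is fixed and the values are bound by the driver.
    Whatever the input contains, it is compared as data, never parsed as SQL."""
    sql = "SELECT body FROM messages WHERE owner = ? AND body LIKE ?"
    return [row[0] for row in conn.execute(sql, (owner, f"%{term}%"))]


# Constructed attacker input typed into the search box. Against the vulnerable
# query it becomes:
#   ... AND body LIKE '%x%' UNION SELECT value FROM secrets WHERE name LIKE '%%'
# which unions the stored refresh token into the "search results".
PAYLOAD = "x%' UNION SELECT value FROM secrets WHERE name LIKE '%"


if __name__ == "__main__":
    db = build_db()
    print("normal search  :", search_safe(db, "alice", "invoice"))
    print("vulnerable path:", search_vulnerable(db, "alice", PAYLOAD))
    print("safe path      :", search_safe(db, "alice", PAYLOAD))
```

<p>Note that the secret leaks through a feature that only ever meant to show the user their own messages; the search box is the injection point, and the damage is limited only by what else the app keeps in the same database. Input validation is a useful second layer, but the fix is binding parameters so the query's shape cannot be changed by its inputs.</p>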
<h2>Cybersecurity Best Practices</h2>
<p>Fortunately, there are ways for organizations and app developers to avoid falling victim to these attacks.</p>
<ul>
<li>Make the code tough to break by hardening it (obfuscation, tamper detection), while keeping it easy to update and patch.</li>
<li>Encrypt sensitive data at rest and in transit, and make sure authentication keys are not accessible to other apps or to anyone holding the device.</li>
<li>Be extra cautious with third-party libraries. Review and test them before use, pin the versions you ship, and keep them in internal repositories you control.</li>
<li>Use only the platform's sanctioned APIs. Undocumented or private APIs are not held to the same security review and may grant more access than intended.</li>
<li>Use strong authentication. Require strong passwords checked against lists of known breached passwords; forced rotation every few months is no longer recommended (NIST SP 800-63B) because it pushes users toward predictable variants. For sensitive apps add multi-factor authentication (a password plus a one-time code) or the platform's biometric authentication (fingerprint or face).</li>
<li>Use current, standard cryptography: AES-256 in an authenticated mode such as GCM for encryption, SHA-256 for integrity hashing, and a slow, salted function (Argon2, bcrypt, scrypt or PBKDF2) for passwords, never plain SHA-256. Never hard-code keys, since they can be lifted from the binary. Store keys in the platform's secure container (Android Keystore, iOS Keychain) rather than in files on the device.</li>
<li>Test apps through penetration testing, threat modeling and instrumented emulators. Fix the issues found and update or patch when required.</li>
</ul>
<h3>Conclusion</h3>
<p>When new threats emerge, new solutions are needed. In this age of cyber attacks, organizations should not wait for threats to materialize before responding. Being proactive is the way, and spotting threats lurking around requires high-level visibility.</p>
<p>There are steps and tools available to gain insight and bring an attack into focus, even <a href="https://hackertarget.com/11-offensive-security-tools/">allowing supposed victims to go on the offense</a>.</p>
<p>Contact us today to learn how we can secure your company's mobile apps from the get-go!</p>