Friday, March 28, 2014

Mobile Apps - Why are they considered to be of high risk?


The first thing that comes to mind is that they run on mobile devices.

This article provides more insight and suggestions for developers.



According to the article:- 

On Android, mobile apps are generally coded using Java, and on iOS in Objective C. Both of these languages are capable of significant processing functionality. 
As a result, mobile apps often perform more functions than just presentation-layer aesthetics. That's where the risks can hide.

Attackers can and do examine apps by reverse-engineering them and looking for exploitable defects. 

Defects essentially fall into two categories: 
  1. Implementation bugs 
  2. Design flaws


Bugs are coding mistakes such as using mutable SQL queries in the form of dynamically built query strings that can be injected with poisonous data. They're also generally quite easy to remediate.
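To make the "dynamically built query string" point concrete, here is an added example (mine, not from the article or the blog). It uses Python's built-in sqlite3 module with a constructed in-memory users table: one lookup concatenates the username into the SQL text, the other binds it as a parameter, and the same crafted input is run through both so the difference is visible. The table, rows and PIN column are all assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the article): a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pin TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "1234", 500), ("bob", "9876", 40)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'mutable SQL query' pattern: user input becomes part of the SQL text."""
    sql = "SELECT username, balance FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Remediated form: the SQL text is fixed, the value travels as a bound parameter."""
    sql = "SELECT username, balance FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal username behaves the same either way.
    print(lookup_vulnerable(db, "alice"), lookup_parameterized(db, "alice"))
    # A crafted value changes the meaning of the concatenated query (every row comes
    # back) but is just a non-matching string once bound as a parameter (no rows).
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, crafted))
    print(lookup_parameterized(db, crafted))
```

The fix is the same on Android: build the statement with `?` placeholders and pass the values separately (SQLiteDatabase's selectionArgs) rather than assembling the string yourself.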

Design flaws can be far more heinous, are usually substantially more difficult to remediate, and can be quite costly to fix.

Whenever we build a mobile app and place that app in an app store or market, we're giving away some clues about our software.


So what are security-minded software engineers to do?

  1. Don't store things on the client unless absolutely essential. 
  2. Don't store anything remotely sensitive on the client. 
  3. If you must store something, use a container such as iOS's keychain. It's far from perfect, but it's still worlds better than storing in plain text.
  4. Don't put security controls on the client. All security (and other operational) decisions must be made on the server.
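Point 4 is easiest to see from the server's side. The following is an added example of my own (not code from the article) of a server-side handler for a money-transfer request: whatever role or spending limit the mobile client asserts in its request body is ignored, and every decision comes from the server's own session store, account balances and policy. The session tokens, accounts, daily limit and request format are all constructed for the demo.

```python
import json

# Constructed server-side state (assumption: issued at login / held in the DB).
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-carol": {"user": "carol", "role": "admin"},
}
DAILY_LIMIT = 100  # assumed policy value, enforced here rather than in the app's UI


def new_accounts():
    """Constructed balances; a fresh dict so callers can run independent scenarios."""
    return {"alice": 500, "bob": 40, "carol": 10}


def handle_transfer(raw_body, auth_token, accounts):
    """Process a transfer. Every security decision is made from server state."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return {"ok": False, "error": "malformed body"}

    session = SESSIONS.get(auth_token)
    if session is None:
        return {"ok": False, "error": "unauthenticated"}

    # Identity and role come from the session, never from fields like
    # body["role"] or body["limit"] that a modified client could send.
    actor, role = session["user"], session["role"]
    src, dst, amount = body.get("from"), body.get("to"), body.get("amount")

    if src not in accounts or dst not in accounts or src == dst:
        return {"ok": False, "error": "unknown account"}
    if src != actor and role != "admin":
        return {"ok": False, "error": "forbidden"}
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        return {"ok": False, "error": "bad amount"}
    if amount > DAILY_LIMIT and role != "admin":
        return {"ok": False, "error": "limit exceeded"}
    if accounts[src] < amount:
        return {"ok": False, "error": "insufficient funds"}

    accounts[src] -= amount
    accounts[dst] += amount
    return {"ok": True, "balance": accounts[src]}


if __name__ == "__main__":
    acc = new_accounts()
    # A client claiming "role": "admin" in the body still only gets its session's rights.
    print(handle_transfer('{"from": "bob", "to": "alice", "amount": 10, "role": "admin"}',
                          "tok-alice", acc))
    # A client-supplied "limit" does not override the server's policy.
    print(handle_transfer('{"from": "alice", "to": "bob", "amount": 150, "limit": 1000}',
                          "tok-alice", acc))
    # A legitimate request succeeds.
    print(handle_transfer('{"from": "alice", "to": "bob", "amount": 50}', "tok-alice", acc))
```

The mobile app can still grey out buttons or show the limit for usability, but because the handler re-derives who is calling and what they are allowed to do, a reverse-engineered or modified client gains nothing by skipping those checks.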




The link below has more information:-
