2017 Trends in Information Security Forum - Information Security Testing and Protection for Mobile Software

2016/12/12

The Department of Cyber Security was officially established under the Executive Yuan in August this year. The new department is tasked with promoting cyber security at the national level, covering not only government agencies but also private enterprises and the commercial sector. After interviewing enterprise users over a period of months, Info Security concluded that there are two areas of IT security to watch in 2017:

  • New threats
  • Understanding cyber security regulations and compliance

The 2017 Trends in Information Security Forum will introduce attendees to global and local threats as well as the technical and management counter-measures that can be adopted against them. Digicentre has been invited to share its experience on "Information Security Testing and Protection for Mobile Software."

Faced with such IT security threats, how can app developers ensure that the app they publish is secure, and so protect their company's reputation and interests and their users' rights? The following points must be considered:


1. Prevention of reverse-engineering

Can the app be decompiled? If it can, attackers read the recovered code to find vulnerabilities to attack. Developers generally rely on code obfuscation, but obfuscation only raises the cost of reverse-engineering; it does not prevent it. Obfuscation alone therefore does not guarantee the secrecy of the source code where a high level of security is required, and excessive obfuscation can make the code hard for the developer's own team to debug.

A stronger approach is to hollow out the program code: the sensitive logic is extracted from the shipped package and protected separately, so that the raw code cannot be viewed and no code can be added to or removed from it. Unlike heavy obfuscation, this does not make the code unrecognizable to the developer either.


2. Risk of debug log calls

Developers often call debug log functions while debugging. These output diagnostic information that helps programmers track down bugs. That output must not itself become a security exposure: on a device it can be read with logcat over a debugging connection, so a release build must not log credentials, session tokens, personal details or other sensitive data. Such output should be disabled, or better removed, in the official or release version.
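As an added example (not code from the page or from Digicentre), a small Android log wrapper that is inactive in release builds and masks secret values even in debug builds. `BuildConfig.DEBUG` is the flag the Android Gradle plugin generates in the app's own package; the class name, tag and the `demo` call are assumptions for illustration.

```java
import android.util.Log;

/**
 * Debug-only log wrapper. Added example, not code from the page: the class name and
 * tag are assumed, and BuildConfig is the class the Android Gradle plugin generates
 * in the app's package (import it if this class lives in another package).
 */
public final class SafeLog {
    private static final String TAG = "MyApp";

    // BuildConfig.DEBUG is true for debug builds and false for release builds, so the
    // Log calls below are never reached in the published APK.
    private static final boolean ENABLED = BuildConfig.DEBUG;

    private SafeLog() {}

    public static void d(String msg) {
        if (ENABLED) Log.d(TAG, msg);
    }

    /** Logs a value that may be sensitive; only its length and last four characters survive. */
    public static void dSecret(String label, String secret) {
        if (ENABLED) Log.d(TAG, label + "=" + mask(secret));
    }

    /** Keeps only the length and the last four characters of the value. */
    static String mask(String s) {
        if (s == null) return "null";
        int keep = Math.min(4, s.length());
        return "****" + s.substring(s.length() - keep) + " (len " + s.length() + ")";
    }

    // Assumed call site: the token never appears in full, even in a debug build.
    static void demo(String sessionToken) {
        d("login response received");
        dSecret("session_token", sessionToken);
    }
}
```

Gating on `BuildConfig.DEBUG` stops the output, but the string building and the call sites still ship in the release APK. To remove them entirely, add the ProGuard/R8 rule `-assumenosideeffects class android.util.Log { public static int v(...); public static int d(...); }` to the release configuration; the rule only takes effect when optimization is enabled (the `proguard-android-optimize.txt` baseline rather than `proguard-android.txt`).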


3. Encryption of data storage

Users often enter personal details or other sensitive data while using apps, and that information is usually stored on the phone. If the stored data is not encrypted, it can be read by malware, by anyone with physical access to an unlocked device, or from a backup, and so be compromised. Apart from encrypting, device binding can also be used so that data stored on the phone can only be used on that device and cannot be copied for use on another one; in practice this means keeping the encryption key in hardware-backed storage from which it cannot be exported. Together these keep the risk of data compromise to a minimum.


4. Certificate pinning

When the app connects to the server over an HTTPS connection, it should check the server certificate and verify the host name strictly (for example with `STRICT_HOSTNAME_VERIFIER` in the Apache HttpClient API, or with the default verifier of `HttpsURLConnection`, which must never be replaced by one that accepts every host) to ensure that the connected server is the legitimate target server. Pinning goes one step further: the app compares the server's certificate or public key against a value embedded in the app, so that a certificate issued for the wrong key is rejected even if it chains to a CA the device trusts, including a CA installed by an attacker. This prevents the app from connecting to a fake server set up by hackers to steal sensitive data such as the account and password sent on connection.
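As an added example (not code from the page or from Digicentre), the following class opens an `HttpsURLConnection` that lets the platform validate the certificate chain, rejects any chain containing none of the pinned public keys, and verifies the host name strictly. The host name, the pin values and the class name are placeholders for illustration; the pins must be replaced by the Base64 SHA-256 of the real server's SubjectPublicKeyInfo.

```java
import android.util.Base64;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Pinned HTTPS connection. Added example; host name and pins are placeholders. */
public final class PinnedHttps {
    private static final String EXPECTED_HOST = "api.example.com";   // assumed
    // Base64(SHA-256(SubjectPublicKeyInfo)) of the server's leaf or intermediate key,
    // plus a backup pin for the next key so that rotation does not lock users out.
    private static final String[] PINS = {
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // placeholder, current key
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",   // placeholder, backup key
    };

    private PinnedHttps() {}

    /** Pins the public key rather than the whole certificate, so a reissued cert still matches. */
    static String spkiSha256(X509Certificate cert) {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();   // DER SubjectPublicKeyInfo
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    static boolean chainMatchesPin(X509Certificate[] chain) {
        for (X509Certificate cert : chain) {
            String pin = spkiSha256(cert);
            for (String expected : PINS) {
                if (expected.equals(pin)) return true;
            }
        }
        return false;
    }

    /** Wraps the system trust manager: normal CA validation first, then the pin check. */
    static X509TrustManager pinningTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // platform CA store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager");
        final X509TrustManager system = found;
        return new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                system.checkServerTrusted(chain, authType);   // signature, expiry, trusted root
                if (!chainMatchesPin(chain)) {
                    throw new CertificateException("server key is not pinned");
                }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                system.checkClientTrusted(chain, authType);
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return system.getAcceptedIssuers();
            }
        };
    }

    public static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinningTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Strict host name check: the certificate must match the host connected to,
        // and that host must be the one the app was built for. Never install a
        // verifier that returns true unconditionally.
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) {
                return EXPECTED_HOST.equalsIgnoreCase(hostname)
                        && HttpsURLConnection.getDefaultHostnameVerifier()
                                .verify(hostname, session);
            }
        });
        conn.connect();   // throws on CA failure, pin mismatch or host name mismatch
        return conn;
    }
}
```

Because the pin check runs inside the trust manager, it fails the handshake before any request data, including credentials, is sent. Always ship a backup pin and update the app before the server key rotates, or the app locks itself out. On Android 7.0 and later the same pin set can instead be declared in `res/xml/network_security_config.xml` with a `<pin-set>` and an expiration date, which needs no code; the Apache HttpClient classes that provide `STRICT_HOSTNAME_VERIFIER` were deprecated in Android 5.1 and removed from the platform in 6.0.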

Apart from the four points above, apps should also undergo thorough vulnerability scans before publication. These cover items such as "dynamic code injection", "digital certificate theft", "APK modification/re-packaging" and "remote execution of WebView code", and are necessary to keep the IT security risk of the published app to a minimum. Digicentre provides an app security test service for customers who want to know whether their app is safe. The comprehensive report covers 20 items, and an app submitted in the morning receives its report in the afternoon. The report also includes the counter-measures for each type of threat, providing the most comprehensive protection service. Please write to services@digicentre.com and one of our representatives will get in touch with you.

Hackers Are On the Prowl! Protect Yourself Now!