Open in app

Sign in

Write

Sign in

Is your App secure?

Nishchal Raj
MindOrks
Published in
4 min readSep 11, 2018

It is really disappointing when someone finds bugs or vulnerabilities in your app from the security point of view. Actually, this happens because developers don’t have a look at their application from an attacker point of view or they don’t have that much knowledge to find security flaws in their apps and APIs.

There haven’t been many cases about attacking any app. But in future, there will be many cases and I can guarantee this.

Why make an app secure?

The users of your app should feel safe that their data isn’t being leaked or those are not in bad hands. To maintain your reputation as a developer. your app should be flawless enough to make a secure entry into the world of attacks.

So, why you think your app should be secure? No answer? You’ll get to know that till the end.

How to secure your app?

There are numerous ways to make any app safe and secure, listed here are some of them. Apart from UI bugs which disturb the users when repeating the process or blocking in some ways, there are vulnerabilities that take their personal data too. So, if you want your users to feel safe with their data and don’t want to see your app taken down, have a look at the ways you can prevent this. Let’s get into the ways of developing a secure app:

  • Limit failed logins : Any user can try logging in any number of times and this is not good, as attacker can Brute Force the password easily. Hackers may try to exploit by using scripts that enter different combinations until your server is down and app doesn’t respond. To prevent this, limit the number of failed login attempts per user (for better, within a particular time frame).
  • Multi-factor authentication : Don’t just allow entering password and letting users in . Use multi-factor authentication so that, if an attacker tries getting in with other user’s credentials, he gets stuck in one or other authentication process or it takes him some time to get in or it becomes impossible for him to think of any bypass.
  • Use better encoding/encryption for tokens/session IDs : It’s not cool to use Base64 or Hex for encoding tokens/session IDs as they are quite guessable and can be decoded easily. Use non-reversible encoding algorithms or write one of your own. Better to use encryption. NOTE:encoding and encrypting are different.
  • Never use plain text as IDs : When encoding/encrypting the token and session IDs, why not encode the IDs of user or any product or any item in the app. Just don’t use sequential digits.
  • Don’t leave logs inside the code : Logs are better while developing the application but shouldn’t be inside the code when app is published. Not removing logs at the final time makes the attacker look into it while debugging the app and can get some or many ideas about the app which may be used in negative ways.
  • Have a look at the things being “Toast” / Don’t give detail of the error / Don’t over share information : Informing the user about the errors being faced is good and there are many ways to show that like using a toast or snackbar or automated error fragment but never show detailed error which can help the attacker to guess some ways to get in the server.
  • Verify each and every user’s request from the API endpoint also : Validation on the client side is not enough, never trust the client side. There should always be validation of any data getting in the server via the endpoint at the API level too. Because that will save the data in the server and request can be invalidated.
  • Reg-Ex validation don’t work much : Don’t only use regular expression for input validation, use multi-validations. Why not to use regular expressions? Because they can be bypassed.
  • Don’t store sensitive data : When taking in personal data of users try not to store it anywhere, which anyhow can be accessed and can be compromised easily.
  • Keep in mind the broken access : If same screen/activity is going to be accessed by both user and admin then keep in mind that user can’t get into the admin side by some broken access codes.
  • Carefully use web views : As attacker can try to use any vulnerability in the rendered webpage to affect the app.
  • Regular patches : Patch the application after any bug or vulnerability is reported so that to make it safe for future. Leaving the bug for long time can result in app being of no use for the user, regular patches will introduce a sense of security.
  • Safe upgrading : When upgrading, keep in mind not to break the codes or leave any vulnerable backdoor. It happens that sometimes developer upgrade the codes and by mistake break some secure path.
  • Unguessable Session IDs : Don’t assign guessable session ids. Session can be hijacked if session ID is in the hand of attacker and then he can do a lot to the user and his data.
  • Overusing UI thread : Don’t run tough calculations or too many things on the main thread as it will increase the load and make the app crash and the application won’t respond. Try multi-threading instead.
  • No “null” acceptance : There are many apps that accept null (without the knowledge of developer) and that’s a reason which makes it crash though the testing is done while publish. Null, not in sense of 0 or null in editText or any such things, it’s null, the actual one i.e. passing “nothing” through commands/scripts or another app in the vulnerable app.

Hey developers! above were some ways to follow for a secure app development as a full stack developer, but you need to find ways to do all that listed above or contact me for the same.

Thanks for your precious time. Keep developing secure apps.

Security
Android
Vulnerability
Bugs
Apps

--

--

Nishchal Raj
MindOrks

Written by Nishchal Raj

122 Followers
Writer for

Co-Founder @ Paisa App | Technical Speaker @ ALCCalabar - Google I/O '22 Extended-BLRKotlin #30 | Ex-GDSC Lead | Writer | Researcher | @thenishchalraj

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams