Many companies are outsourcing their mobile application development for various reasons – cost
reduction, skill unavailability, schedule constraints, etc. Consider a mid-sized company that wanted to
monetize a great, unique idea by building a mobile app. This company did not have the necessary
resources with appropriate skills to build this mobile application. They decided to outsource the
development and evaluated multiple vendors. The company choose the one they thought fit their needs –
primarily based on cost. The chosen vendor worked with the company to build the app and delivered it
along with the server side components that integrated to the company’s backend systems. The application
worked as expected with pleasing user interface and the company successfully launched the Android app
in the Google Play store.
Unfortunately, within a short period, many similar apps were launched in the Google Play store. Most
provided same, if not better, features than the company’s application, and with slightly modified user
interface. In about a month, the company’s server was attacked by hackers and crashed with the database
This is an example how things can go wrong if proper considerations for application and data security were
not made while building mobile applications. In this instance, the app development vendor had not taken
care of even the simplest form of vulnerabilities like SQL injection, Input validation attack, etc., – to protect
their backend systems.
The competitors had reverse engineered the android app, understood the business logic contained in the
app, and rapidly built similar, competing apps with minimal effort.
While developing mobile applications, developers and architects with limited experience and engineering
discipline may ignore many important aspects of security. Security is critical both on client and server side.
Proper security measures must be built to protect the users’ personal data, the company’s intellectual
property and hitherto sheltered backend systems. Failing to protect against potential security problems
will erode into customer confidence in the company and will negatively affect revenue plans.
We present below some of the security issues that should be taken care while developing mobile
Security On the client/App side
Securing app's business logic: This should prevent users from reverse engineering the mobile application. It should not be limited to just using obfuscation tools. Many developers/architects assume that applying obfuscation alone will prevent reverse engineering. In reality, it only makes it marginally harder for the hackers.
Securing data stored on client side i.e. on mobile devices
Securing the communication channel used to interact with server
Securing the data to be transmitted to the server
Security on the Server Side
Securing server data
Securing physical servers/cloud servers using additional hardware and/or software
Securing servers from general attacks. Preventing unauthorized access to servers by identifying requests from hackers and blocking such requests
Securing sessions and requests from clients
Securing server from viruses, worms etc.
Taking care of vulnerabilities in the code like SQL Injection/Query Poisoning, Input validation attack, Impersonation attack, Session Hijacking attack, Source code disclosure, Buffer overflows etc.
Security levels needed differs by application type, its specific functionality and the nature of the company’s
business. If the app handles financial transactions, higher levels of security measures should be
implemented. Likewise, if the app is handling credit cards, more stringent set of measures should be
Just using digital certificate for all communication with the server or using two factor authentication
mechanism for authenticating the users is not enough for securing the mobile applications.
When you develop a mobile app, make sure the vendor has a team of experts who take care of security for
all the mobile applications delivered from the company. They should analyze your environment,
functionality of the mobile application to be built and recommend solutions while analyzing vulnerabilities
that must be taken care under various circumstances and user scenarios. The vendor should not only
deliver mobile applications in time but also fortify customers’ business logic and intellectual property
involved in such applications.